Kovter is a pervasive click-fraud trojan that uses a fileless persistence mechanism to maintain a foothold in an infected system and thwart traditional antivirus software . In this article, we will take a closer look at this technique, which Kovter began leveraging in 2016.
Point of Entry
Run-of-the-mill social engineering coerces the user into opening the attachment. In this instance, a “Failed Parcel Delivery” notice claiming to be from USPS.
Use of 7-zip for the attachment is a curious choice. Following installation, the “.7z” extension is not associated with 7-zip. By default, Windows prompts the user to select a suitable program to open any 7-zip attachment.
This additional layer of interaction, beyond the typical requirement to simply double-click, can only have diminished the success of this campaign. 7-zip was mostly likely employed as an evasion tactic, being less common than the standard .zip file.
Figure 1: Default association following 7-zip installation
File Size: 1.39 KB
Comment: First stage downloader
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 408.42 KB
Comment: Main payload executable
Figure 2: Deobfuscated 7Zip downloader script
HTTP GET requests are made to five embedded URLs. The random character string at the top of the script is included with each request, serving as a ‘chunk’ delimiter. If the delimiter is present in the response and the response is >1KB, it’s an indication that contact has been made with live the command-and-control (C2) server.
The second half of the downloader is extracted from the response body and executed using eval(). The extracted second half is responsible for downloading the main Kovter executable, saving it to %TEMP%. The same C2 servers host the executable:
Figure 3: Download script extracted from C2 response
Figure 4: Initial registry keys
Figure 5: Microsoft HTA command line
The Base64 string decodes to a PowerShell script that includes shellcode. The shellcode is loaded into memory and executed. This injected code reads Kovter’s encrypted payload from the second registry entry created earlier:
Figure 7: Shellcode injection using PowerShell
The payload code spawns a new process, regsvr32.exe, injecting itself into it. Executing within the regsvr32 process, Kovter remains hidden from casual process list inspection:
Figure 8: Nothing suspicious...
Generally, malware places links in HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN. But in Kovter’s case, it adds a call to a batch file dropped during execution:
Figure 9: Run registry entry for startup persistence
Figure 10: Batch file making strange invocations
The batch file executes a second file with an uncommon extension “.e3adce7e1”. This technique has been discussed previously . By checking HKCU\SOFTWARE\CLASSES, we can understand how this technique works:
Figure 11: Registered extension
Figure 12: Bespoke command handler
With its persistence mechanisms in place, Kovter deletes the downloaded executable (%TEMP%\exe1.exe).
If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.
Indicators of Compromise (IoCs)
Main Payload PE: f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e