Introduction
Kovter is a pervasive click-fraud trojan that uses a fileless persistence mechanism to maintain a foothold on an infected system and thwart traditional, file-scanning antivirus software [1]. In this article we take a closer look at this technique, which Kovter began leveraging in 2016.
Point of Entry
The first stage is delivered as a tainted email attachment: a partially obfuscated JScript/JavaScript file hidden inside a 7-Zip archive. The script is one half of a two-part downloader; when launched, it fetches the second half.
Run-of-the-mill social engineering coerces the user into opening the attachment, in this instance a “Failed Parcel Delivery” notice claiming to be from USPS.
Use of 7-Zip for the attachment is a curious choice. Even after 7-Zip is installed, the “.7z” extension is not associated with it; by default, Windows prompts the user to select a suitable program to open any 7-Zip attachment.
This additional step, beyond the usual double-click, can only have reduced the campaign's success. 7-Zip was most likely employed as an evasion tactic, being less common than the standard .zip attachment.
Figure 1: Default association following 7-zip installation
Ground Zero
Sample details:
SHA256: 399c2d44799d6a9e372e442ebcc2db50863aa28d77dce56ca6015352844e2b21
File Type: JScript/JavaScript
File Size: 1.39 KB
Comment: First stage downloader
SHA256: f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 408.42 KB
Comment: Main payload executable
When the extracted script is double-clicked by the end user, Windows Script Host (wscript.exe) launches it. The script has only a basic level of obfuscation, making it easy to analyze:
Figure 2: Deobfuscated 7Zip downloader script
HTTP GET requests are made to five embedded URLs. The random character string at the top of the script is sent with each request and doubles as a ‘chunk’ delimiter: if the delimiter is present in the response and the response is larger than 1 KB, the script treats it as contact with a live command-and-control (C2) server.
The second half of the downloader is extracted from the response body and executed with eval(). This second half downloads the main Kovter executable and saves it to %TEMP%. The same C2 servers host the executable:
Figure 3: Download script extracted from C2 response
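The gating logic described above can be reused by an analyst to pull the second stage out of a packet capture without running the script. The following is an added example, not code from the original article or from the Kovter sample; it assumes (the article does not say) that the second stage is wrapped between two occurrences of the delimiter string, that “>1KB” means more than 1024 bytes, and that the sample responses and placeholder URLs are constructed.

```python
"""
Added example; not code from the original article or from the Kovter sample.
It applies the first-stage downloader's gating logic offline to captured
HTTP response bodies, so the second stage can be pulled out of a packet
capture without executing the script. Assumptions not stated in the article:
the second stage is wrapped between two occurrences of the delimiter string,
and ">1KB" means more than 1024 bytes. Never eval() the result.
"""
from typing import List, Optional, Tuple

MIN_LIVE_SIZE = 1024  # response must exceed this to count as a live C2 reply


def extract_second_stage(delimiter: str, body: bytes) -> Optional[str]:
    """Return the text between the first two delimiters, or None when the
    response fails either gate (too small, or delimiter missing)."""
    if len(body) <= MIN_LIVE_SIZE:
        return None  # dead/parked hosts usually answer with a short page
    text = body.decode("latin-1")  # 1:1 byte mapping, never raises
    first = text.find(delimiter)
    if first < 0:
        return None  # delimiter echo missing: not our C2
    start = first + len(delimiter)
    end = text.find(delimiter, start)
    if end < 0:
        return None  # assumption: a closing delimiter bounds the chunk
    return text[start:end]


def find_live_stage(delimiter: str, responses: List[Tuple[str, bytes]]):
    """Walk (url, body) pairs in the order the script tries them and return
    (url, chunk) for the first live hit, mirroring the script's fallback
    across its five embedded URLs. Returns None if no host is live."""
    for url, body in responses:
        chunk = extract_second_stage(delimiter, body)
        if chunk is not None:
            return url, chunk
    return None


# Constructed sample responses (not real captures); URLs are placeholders.
DELIM = "qZx9Lk3pWv"
SECOND_STAGE = "var x=new ActiveXObject('MSXML2.XMLHTTP');/* downloader body */"
PADDING = b"<!-- filler -->" * 100  # 1500 bytes, pushes the body past 1 KB
SAMPLES = [
    # sinkholed / dead host: short error page, no delimiter
    ("http://c2-a.example.invalid/counter", b"<html>404 Not Found</html>"),
    # delimiter present but body too small: rejected by the size gate
    ("http://c2-b.example.invalid/counter",
     (DELIM + SECOND_STAGE + DELIM).encode()),
    # live C2: chunk buried in filler, both gates pass
    ("http://c2-c.example.invalid/counter",
     PADDING + (DELIM + SECOND_STAGE + DELIM).encode() + PADDING),
]

if __name__ == "__main__":
    hit = find_live_stage(DELIM, SAMPLES)
    print("live C2:", hit[0] if hit else None)
    print("second stage:", hit[1] if hit else None)
```

Feed it the delimiter recovered from the deobfuscated first stage and the response bodies carved from a capture; the extracted chunk is then analysed statically rather than passed to eval() as the malware does.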
Kovter moves quickly to fileless operation and persistence. Obfuscated JavaScript and binary payloads are written into the Windows Registry as REG_SZ values under HKCU|HKLM\Software\<RANDOM>\<RANDOM>:
Figure 4: Initial registry keys
An instance of the Microsoft HTML Application Host (mshta.exe) is then launched with the just-created JavaScript registry path on its command line:
Figure 5: Microsoft HTA command line
The decoded JavaScript contains unused statements to confuse analysis, along with a large Base64 payload:
Figure 6: Deobfuscated JavaScript
The Base64 string decodes to a PowerShell script that embeds shellcode. The shellcode is loaded into memory and executed; this injected code reads Kovter’s encrypted payload from the second registry entry created earlier:
Figure 7: Shellcode injection using PowerShell
The payload code spawns a new regsvr32.exe process and injects itself into it. Executing inside regsvr32, Kovter remains hidden from casual process-list inspection:
Figure 8: Nothing suspicious...
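The mshta → PowerShell → regsvr32 chain described above is visible in process-creation telemetry even though nothing touches disk. The following detection logic is an added example, not code from the original article; it runs over constructed events in the shape of Sysmon Event ID 1 and rests on three assumptions the article does not spell out: that mshta is handed an inline script rather than an .hta file, that the PowerShell instance is a child of mshta, and that the regsvr32 host is started with no DLL on its command line.

```python
"""
Added example; not code from the original article or from Kovter.
Detects the fileless execution chain (mshta.exe -> powershell.exe ->
regsvr32.exe) in process-creation events. Field names follow Sysmon
Event ID 1; the events below are constructed, not real telemetry.
Heuristics (assumptions, not from the article): mshta without an .hta on
its command line, regsvr32 started without a module to register, and the
three binaries appearing as ancestors of one another in that order.
"""
import ntpath
from typing import Dict, List, Tuple

SUSPICIOUS_CHAIN = ("mshta.exe", "powershell.exe", "regsvr32.exe")
MODULE_EXTS = (".dll", ".ocx", ".ax")


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(path).lower()


def mshta_inline_script(ev: dict) -> bool:
    """mshta normally opens an .hta file; an inline script is the Kovter pattern."""
    return image_name(ev["Image"]) == "mshta.exe" and ".hta" not in ev["CommandLine"].lower()


def regsvr32_no_module(ev: dict) -> bool:
    """regsvr32 with nothing to register is a bare host for injected code."""
    cl = ev["CommandLine"].lower()
    return image_name(ev["Image"]) == "regsvr32.exe" and not any(x in cl for x in MODULE_EXTS)


def build_tree(events: List[dict]) -> Dict[int, dict]:
    return {ev["ProcessId"]: ev for ev in events}


def ancestry(tree: Dict[int, dict], pid: int):
    """Yield image names from pid upward until the parent is unknown (loop-safe)."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield image_name(tree[pid]["Image"])
        pid = tree[pid]["ParentProcessId"]


def has_chain(tree: Dict[int, dict], pid: int, chain=SUSPICIOUS_CHAIN) -> bool:
    """True if chain appears, in order, among pid's lineage. Intermediate
    processes (e.g. conhost) are tolerated: it is a subsequence match."""
    want = list(reversed(chain))  # lineage is walked child-first
    i = 0
    for name in ancestry(tree, pid):
        if i < len(want) and name == want[i]:
            i += 1
    return i == len(want)


def detect(events: List[dict]) -> List[Tuple[int, str]]:
    tree = build_tree(events)
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        if mshta_inline_script(ev):
            findings.append((pid, "mshta launched with inline script instead of an .hta file"))
        if regsvr32_no_module(ev):
            findings.append((pid, "regsvr32 started with no module to register (injection host)"))
        if image_name(ev["Image"]) == "regsvr32.exe" and has_chain(tree, pid):
            findings.append((pid, "mshta -> powershell -> regsvr32 execution chain"))
    return findings


# Constructed events (not real telemetry). PIDs and paths are placeholders.
EVENTS = [
    {"ProcessId": 4012, "ParentProcessId": 812, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 5120, "ParentProcessId": 4012, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe "javascript:<obfuscated loader>"'},
    {"ProcessId": 5188, "ParentProcessId": 5120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -e <base64>"},
    {"ProcessId": 5240, "ParentProcessId": 5188, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": "regsvr32.exe"},
    # benign controls: an installer's .hta and a real DLL registration
    {"ProcessId": 6000, "ParentProcessId": 4012, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"ProcessId": 6010, "ParentProcessId": 4012, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll"},
]

if __name__ == "__main__":
    for pid, why in detect(EVENTS):
        print(pid, why)
```

The two single-process rules fire on their own, but the lineage match is what separates Kovter from an administrator who happens to run mshta or regsvr32; in an EDR or SIEM the same subsequence check maps onto parent/child joins over ProcessGuid rather than PIDs, which are reused.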
Malware generally places a direct reference to its executable in HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN. Kovter instead adds an entry that calls a batch file dropped during execution:
Figure 9: Run registry entry for startup persistence
Figure 10: Batch file making strange invocations
The batch file executes a second file with the uncommon extension “.e3adce7e1”. This technique has been discussed previously [2]. Checking HKCU\SOFTWARE\CLASSES shows how it works:
Figure 11: Registered extension
By creating the key “HKCU\SOFTWARE\CLASSES\.e3adce7e1”, Kovter registers the extension and points it at the handler “0be2da01”. The handler’s open command is the familiar Microsoft HTA executable, together with obfuscated JavaScript responsible for the process injection that resurrects Kovter from its dormant state after a reboot:
Figure 12: Bespoke command handler
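The three registry artefacts described in this section (the Run entry calling a batch file, the custom extension and its shell\open\command handler, and the oversized REG_SZ values that hold the stored payloads) can be hunted in a registry export. The following is an added example, not code from the original article; the .reg text it parses is constructed, reusing the extension and handler names observed above. The parser handles REG_SZ values only, the 1024-character “oversized” threshold and the list of living-off-the-land binaries are assumptions, and a key cannot be judged random by name, so the extension rule keys off the handler instead.

```python
"""
Added example; not code from the original article. Hunts a .reg export
(constructed below) for the persistence artefacts described in the text:
a Run entry that launches a batch file, a custom extension under
Software\\Classes whose shell\\open\\command runs mshta.exe (or another
LOLBin), and oversized REG_SZ values that may hold stored payloads.
Assumptions not in the article: REG_SZ only (hex/dword values skipped),
a 1024-character threshold for "oversized", and the LOLBIN list.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
LOLBINS = ("mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "regsvr32.exe", "rundll32.exe")
RULE_RUN = "run-key launches batch file"
RULE_EXT = "custom-extension handler invokes LOLBin"
RULE_BIG = "oversized REG_SZ value"


def unescape(s):
    """Undo .reg backslash escaping of quotes and backslashes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ values; the
    (Default) value is stored under the empty name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = unescape(data[1:-1])
    return keys


def default_of(keys, path):
    """Case-insensitive lookup of a key's (Default) value."""
    want = path.lower()
    for k, v in keys.items():
        if k.lower() == want:
            return v.get("", "")
    return ""


def hunt(keys, big=1024):
    """Return (rule, key, value_name_or_ext, detail) tuples."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        # 1. Run entries that hand off to a batch file (Kovter's startup hop)
        if low.endswith(r"\software\microsoft\windows\currentversion\run"):
            for name, data in values.items():
                if ".bat" in data.lower() or ".cmd" in data.lower():
                    findings.append((RULE_RUN, key, name, data))
        # 2. Extension registered under Classes whose ProgID handler is a LOLBin
        m = re.match(r"(?i)^(.*\\software\\classes)\\(\.[^\\]+)$", key)
        if m:
            progid = default_of(keys, key)
            handler = default_of(keys, f"{m.group(1)}\\{progid}\\shell\\open\\command")
            if progid and any(b in handler.lower() for b in LOLBINS):
                findings.append((RULE_EXT, key, m.group(2), handler))
        # 3. REG_SZ values far larger than any legitimate setting
        for name, data in values.items():
            if len(data) > big:
                findings.append((RULE_BIG, key, name, f"{len(data)} chars"))
    return findings


# Constructed export (not a real system). The extension/handler names are the
# ones observed in the article; the payload value is filler, not real data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Vendor Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"a1b2c3d4"="C:\\Users\\alice\\AppData\\Local\\7f3e9a\\b2c4d6.bat"

[HKEY_CURRENT_USER\Software\Classes\.e3adce7e1]
@="0be2da01"

[HKEY_CURRENT_USER\Software\Classes\0be2da01\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:<obfuscated loader>\""

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CURRENT_USER\Software\9c1d2e]
"f4a7b1"="<PAYLOAD>"
""".replace("<PAYLOAD>", "QUJD" * 600)

if __name__ == "__main__":
    for rule, key, name, detail in hunt(parse_reg(SAMPLE_REG)):
        print(f"{rule}: {key} [{name}] {detail[:60]}")
```

Run it against `reg export HKCU hkcu.reg` (and the HKLM hive, since the article notes both are used); the benign .txt association and the vendor Run entry in the sample show that the rules key off behaviour rather than off the randomness of the names.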
With its persistence mechanisms in place, Kovter deletes the downloaded executable (%TEMP%\exe1.exe).
Conclusion
Fileless persistence is challenging to detect. By storing its payloads in the Windows registry, Kovter leaves few detectable artefacts on the file system: only the small batch file and custom-extension stub under %LOCALAPPDATA% that trigger the chain at startup. The combination of obfuscated JavaScript, PowerShell, custom file extensions/handlers and process injection helps Kovter blend into the environment and prolong its operational lifetime.
If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.
Indicators of Compromise (IoCs)
SHA256:
JavaScript 1st Stage: 399c2d44799d6a9e372e442ebcc2db50863aa28d77dce56ca6015352844e2b21
Main Payload PE: f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e
C2 URLs
httx://steuer-wirtschaft-recht[dot]de/modules/mod_login/counter
httx://ikincielesyaevi[dot]com/wp-admin/includes/counter
httx://demirbasetiketi[dot]net/wp-content/uploads/2017/03/counter
httx://ronakco[dot]com/media/com_jnews/modules/skin/counter
httx://gokcentunc[dot]com/wp-includes/images/crystal/counter
Registry Entries:
HKCU|HKLM\SOFTWARE\<RANDOM>\<RANDOM>
HKCU|HKLM\SOFTWARE\<RANDOM>\<RANDOM>
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKU\<SID>\SOFTWARE\CLASSES\.<RANDOM>
HKU\<SID>\SOFTWARE\CLASSES\<RANDOM>\SHELL\OPEN\COMMAND
HKCU\SOFTWARE\CLASSES\.<RANDOM>
HKCU\SOFTWARE\CLASSES\<RANDOM>\SHELL\OPEN\COMMAND
File System:
%LOCALAPPDATA%\<RANDOM>\<RANDOM>.<RANDOM>
%LOCALAPPDATA%\<RANDOM>\<RANDOM>.bat
References: