Background

Kovter, the click-fraud trojan first detected in 2015, is back with a brand-new trick. The malware has moved its disk-based residency into memory and the registry, in hopes of evading standard antivirus (AV) detection. This new fileless infection capability is a significant evolution for Kovter.

Kovter Analyzed

The Cylance Threat Research Group recently analyzed the new infection method used by Kovter. Our research uncovered a potential design misstep which appears early in the malware’s delivery process.

Kovter arrives as an email attachment compressed by 7-zip (.7z) instead of the common .zip compression which Microsoft Windows® can open natively. Those who do not have 7-zip installed are prompted by Windows to select a program for opening the infected attachment. This interruption in the infection process gives users the opportunity to reexamine the situation, which may diminish the overall success rate of Kovter.

However, if the 7-zip file is successfully extracted, the Windows Script Host launches the weaponized JavaScript hidden within. This script reaches out to five URLs. Each query includes a “chunk delimiter” (a random character string), which a live command-and-control (C2) server echoes back in a response larger than 1 KB. The C2 response also carries the second half of the malware downloader, which saves the Kovter executable to %TEMP%.

Next, the obfuscated JavaScript and the binary payloads are written to the Windows Registry under HKCU|HKLM\Software\<RANDOM>\<RANDOM> as REG_SZ values.

The Microsoft HTML Application Host (mshta.exe) is then launched with the newly created registry path holding the JavaScript as its command line. That JavaScript also includes a Base64-encoded payload containing shellcode, which is loaded into memory and executed.

The executed shellcode reads Kovter’s encrypted payload from the second registry entry. Kovter’s payload then launches and injects itself into a regsvr32.exe process. At this point the malware has infiltrated the system using only remote calls and resources already present on the host, without ever dropping a persistent executable to disk. The fileless attack is a success.
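A defender-side illustration of the chain described above, added here as an example that is not from the original post or from Cylance’s tooling: it runs three simple rules over constructed, simplified Sysmon-style events (an assumed “key=value” format with made-up paths and key names) to flag a script host writing a large value under HKCU|HKLM\Software, mshta.exe launched with an inline or registry-backed script, and regsvr32.exe spawned by mshta.exe.

```python
import re
# Constructed, simplified Sysmon-style events ("key=value" fields joined by "|").
# EventID 1 = process creation, EventID 13 = registry value set. Every path, key
# name and command line below is made up for the demo, not a real Kovter indicator.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=wscript.exe C:\\Users\\demo\\AppData\\Local\\Temp\\invoice.js",
    "EventID=13|Image=C:\\Windows\\System32\\wscript.exe"
    "|TargetObject=HKCU\\Software\\xq1d8f\\a2k9z|Details=" + "A" * 2000,
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=mshta.exe javascript:<obfuscated stub reading HKCU\\Software\\xq1d8f\\a2k9z>",
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe|ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=regsvr32.exe",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
REG_SOFTWARE = re.compile(r"HK(?:CU|LM)\\Software\\", re.IGNORECASE)
LARGE_VALUE = 1024  # a script host writing this much REG_SZ data is unusual

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))

def check_event(ev):
    """Return the names of the Kovter-style rules one event triggers."""
    hits = []
    proc_create = ev.get("EventID") == "1"
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    # mshta.exe run with an inline script or a registry path as its command line
    if proc_create and image == "mshta.exe" and (
            "javascript:" in cmd.lower() or REG_SOFTWARE.search(cmd)):
        hits.append("mshta_inline_or_registry_script")
    # regsvr32.exe spawned by mshta.exe, the injection target named in the write-up
    if proc_create and image == "regsvr32.exe" and parent == "mshta.exe":
        hits.append("regsvr32_spawned_by_mshta")
    # a script host storing a large blob under HKCU|HKLM\Software\<key>\<value>
    if (ev.get("EventID") == "13" and image in SCRIPT_HOSTS
            and REG_SOFTWARE.search(ev.get("TargetObject", ""))
            and len(ev.get("Details", "")) >= LARGE_VALUE):
        hits.append("script_host_large_registry_write")
    return hits

def scan(lines):
    """Map each triggered rule to the indexes of the events that fired it."""
    findings = {}
    for idx, line in enumerate(lines):
        for rule in check_event(parse_event(line)):
            findings.setdefault(rule, []).append(idx)
    return findings
```

On real telemetry the same rules would be fed from Sysmon process-creation and registry value-set events; the size threshold and the script-host list are starting points to tune against your own baseline.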

Further details on how Kovter tries to obfuscate its presence and how it establishes persistence on a system can be found in our Threat Spotlight report.

Why is Kovter Important and Why Should I Be Concerned?

Click-fraud malware is designed to exploit pay-per-click (PPC) online advertising. When your IT resources are hijacked into serving the shady agenda of anonymous fraudsters, you lose technical productivity.

Furthermore, once your security has been compromised, the same approach may be used to do it again. Malware already on your system may also be modified to make a second or third intrusion easier and harder to detect.

Cylance Stops Kovter

Customers of our endpoint protection product CylancePROTECT® will be glad to learn that Kovter poses no threat to their systems. When the malware downloads its executable payload Cylance immediately convicts the infected file.

Our solution also blocks the execution of the malicious PowerShell scripts, meaning CylancePROTECT stops Kovter in multiple ways. The threat actors behind Kovter have learned a few new tricks, but they still lag far behind the predictive powers of the AI-driven CylancePROTECT.