Threat Spotlight: Kovter Malware Fileless Persistence Mechanism

Introduction

Kovter is a pervasive click-fraud trojan that uses a fileless persistence mechanism to maintain a foothold in an infected system and thwart traditional antivirus software [1]. In this article, we will take a closer look at this technique, which Kovter began leveraging in 2016.

Point of Entry

The first stage is delivered as a malicious email attachment: a partially obfuscated JScript/JavaScript file hidden inside a 7-zip archive. The script file represents one half of a two-part downloader. When launched, it downloads the second half.

Run-of-the-mill social engineering coerces the user into opening the attachment; in this instance, a “Failed Parcel Delivery” notice claiming to be from USPS.

Use of 7-zip for the attachment is a curious choice. Following installation, the “.7z” extension is not associated with 7-zip. By default, Windows prompts the user to select a suitable program to open any 7-zip attachment.

This additional layer of interaction, beyond the typical requirement to simply double-click, can only have diminished the success of this campaign. 7-zip was most likely employed as an evasion tactic, being less common than the standard .zip file.

Figure 1: Default association following 7-zip installation

Ground Zero

Sample details:

SHA256: 399c2d44799d6a9e372e442ebcc2db50863aa28d77dce56ca6015352844e2b21
File Type: JScript/JavaScript
File Size: 1.39 KB
Comment: First stage downloader

SHA256: f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 408.42 KB
Comment: Main payload executable

When double-clicked by the end-user, Windows Script Host is responsible for launching the JavaScript file extracted from the 7-zip archive. The script only has a basic level of obfuscation, making it easy to analyze:

Figure 2: Deobfuscated 7Zip downloader script

HTTP GET requests are made to five embedded URLs. The random character string at the top of the script is included with each request, serving as a ‘chunk’ delimiter. If the delimiter is present in the response and the response is larger than 1 KB, it is an indication that contact has been made with a live command-and-control (C2) server.

The second half of the downloader is extracted from the response body and executed using eval(). The extracted second half is responsible for downloading the main Kovter executable, saving it to %TEMP%. The same C2 servers host the executable:

Figure 3: Download script extracted from C2 response

Kovter is quick to elevate to fileless operation and persistence. Obfuscated JavaScript and binary payloads are written into the Windows Registry under HKCU|HKLM\Software\<RANDOM>\<RANDOM> (REG_SZ):

Figure 4: Initial registry keys

An instance of the Microsoft HTML Application Host (mshta.exe) is then launched, with the just-created JavaScript paths as the command line:

Figure 5: Microsoft HTA command line

The decoded JavaScript contains unused statements to confuse analysis, and a large Base64 payload:

Figure 6: Deobfuscated JavaScript

The Base64 string decodes to a PowerShell script that includes shellcode. The shellcode is loaded into memory and executed. This injected code reads Kovter’s encrypted payload from the second registry entry created earlier:

Figure 7: Shellcode injection using PowerShell

The payload code spawns a new process, regsvr32.exe, injecting itself into it. Executing within the regsvr32 process, Kovter remains hidden from casual process list inspection:

Figure 8: Nothing suspicious...
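The execution chain described above (mshta.exe launched with an inline javascript: command line, PowerShell hosting shellcode, and an argument-less regsvr32.exe used as the injection target) is a good fit for process-creation telemetry. The following is an added example, not code from the original article or from Cylance: it runs a few lineage and command-line rules over constructed Sysmon-style process events. The parent/child ordering (mshta.exe spawning powershell.exe, which spawns regsvr32.exe), the PIDs and the command lines are assumptions made for the example.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# The mshta -> powershell -> regsvr32 lineage follows the article's description;
# PIDs, paths and command lines are assumptions made for this example.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Benign: mshta launching an on-disk .hta file
    {"pid": 150, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Tools\dashboard.hta"'},
    # Kovter-style: mshta with an inline javascript: URL that reads the registry
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "javascript:c9Hb="Bnxt";x=new ActiveXObject("WScript.Shell");eval(x.RegRead("HKCU\\software\\zxcv\\asdf"))"'},
    # PowerShell hosting shellcode, spawned by the script host
    {"pid": 210, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA..."},
    # Injection target: regsvr32 started with nothing to register
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe"'},
    # Benign: an installer registering a COM server
    {"pid": 300, "ppid": 50, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

# mshta.exe normally takes a file or URL; an inline script protocol is the
# pattern seen in Figure 5.
INLINE_SCRIPT = re.compile(r"(?i)\b(?:javascript|vbscript):")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
MODULE_EXTS = (".dll", ".ocx", ".ax")


def _basename(path):
    # ntpath handles Windows separators on any platform
    return ntpath.basename(path).lower()


def _tokens(cmdline):
    # Split on whitespace while keeping double-quoted arguments together
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(events):
    """Return (pid, rule_name) findings for the Kovter-style execution chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""

        # Rule 1: mshta.exe given inline script instead of a file or URL
        if name == "mshta.exe" and INLINE_SCRIPT.search(e["cmdline"]):
            findings.append((e["pid"], "mshta_inline_script"))

        # Rule 2: PowerShell spawned by a script host
        if name == "powershell.exe" and parent_name in SCRIPT_HOSTS:
            findings.append((e["pid"], "powershell_from_script_host"))

        if name == "regsvr32.exe":
            # Rule 3: regsvr32 with no module to register is an empty host
            # process, the kind of target that process injection uses
            args = [t for t in _tokens(e["cmdline"])[1:]
                    if not t.startswith(("/", "-"))]
            if not any(a.lower().endswith(MODULE_EXTS) for a in args):
                findings.append((e["pid"], "regsvr32_no_module"))
            # Rule 4: regsvr32 spawned by PowerShell
            if parent_name == "powershell.exe":
                findings.append((e["pid"], "regsvr32_from_powershell"))
    return findings


def chain_for(events, pid):
    """Walk the parent links upward and return the image names, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule, " <- ".join(chain_for(SAMPLE_EVENTS, pid)))
```

Rules 1 and 3 stand on their own; rules 2 and 4 only make sense with parent information, which is why the example keys events by PID and walks the lineage. The benign mshta.exe and regsvr32.exe events are included so that the rules can be checked for false positives as well as hits.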

Generally, malware places links in HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN. But in Kovter’s case, it adds a call to a batch file dropped during execution:

Figure 9: Run registry entry for startup persistence

Figure 10: Batch file making strange invocations

The batch file executes a second file with an uncommon extension, “.e3adce7e1”. This technique has been discussed previously [2]. By checking HKCU\SOFTWARE\CLASSES, we can understand how it works:

Figure 11: Registered extension

By creating the key “HKCU\SOFTWARE\CLASSES\.e3adce7e1”, Kovter registers the extension and configures its handler as “0be2da01”. The handler command is the familiar Microsoft HTA executable, together with obfuscated JavaScript responsible for process injection and resurrecting Kovter from its dormant state following a reboot:

Figure 12: Bespoke command handler

With its persistence mechanisms in place, Kovter deletes the downloaded executable (%TEMP%\exe1.exe).

Conclusion

Fileless persistence is challenging to detect. By using the Windows registry, Kovter avoids leaving detectable artefacts on the file system. The combination of obfuscated JavaScript, PowerShell, custom file extensions/handlers and process injection helps Kovter to blend into the environment and prolong its operational lifetime.

If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.

Indicators of Compromise (IoCs)

SHA256:

JavaScript 1st Stage: 399c2d44799d6a9e372e442ebcc2db50863aa28d77dce56ca6015352844e2b21
Main Payload PE: f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e

C2 URLs

httx://steuer-wirtschaft-recht[dot]de/modules/mod_login/counter

httx://ikincielesyaevi[dot]com/wp-admin/includes/counter

httx://demirbasetiketi[dot]net/wp-content/uploads/2017/03/counter

httx://ronakco[dot]com/media/com_jnews/modules/skin/counter

httx://gokcentunc[dot]com/wp-includes/images/crystal/counter

Registry Entries:

HKCU|HKLM\SOFTWARE\<RANDOM>\<RANDOM>
HKCU|HKLM\SOFTWARE\<RANDOM>\<RANDOM>
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKU\<RID>\SOFTWARE\CLASSES\.<RANDOM>
HKU\<RID>\SOFTWARE\CLASSES\<RANDOM>\SHELL\OPEN\COMMAND
HKCU\SOFTWARE\CLASSES\.<RANDOM>
HKCU\SOFTWARE\CLASSES\<RANDOM>\SHELL\OPEN\COMMAND

File System:

%LOCALAPPDATA%\<RANDOM>\<RANDOM>.<RANDOM>

%LOCALAPPDATA%\<RANDOM>\<RANDOM>.bat

References:

[1] Threat Spotlight: The Truth About Fileless Malware

[2] https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-fileless-creates-a-new-file-type-and-gets-some-new-certificates/