{"id":6328,"date":"2017-01-23T15:50:23","date_gmt":"2017-01-23T23:50:23","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-166\/"},"modified":"2017-01-23T15:50:23","modified_gmt":"2017-01-23T23:50:23","slug":"news-166","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-166\/","title":{"rendered":"Kovter becomes almost file-less, creates a new file type, and gets some new certificates"},"content":{"rendered":"<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Trojan:Win32\/Kovter\">Trojan:Win32\/Kovter<\/a> is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter\u2019s persistence method and some updates on their latest malvertising campaigns.<\/p>\n<h2>New persistence method<\/h2>\n<p>Since June 2016, Kovter has changed their persistence method to make remediation harder for antivirus software.<\/p>\n<p>Upon installation, Kovter will generate and register a new random file extension (for example, <strong><em>.<\/em><\/strong>bbf5590fd) and define a new shell <em>open<\/em> verb to handle this specific extension by setting the following registry keys:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/kovter1.png\" rel=\"attachment wp-att-8385\"><img loading=\"lazy\" decoding=\"async\" width=\"899\" height=\"162\" title=\"Registry setup for Kovter \" class=\"aligncenter wp-image-8385 size-full\" alt=\"Registry setup for Kovter \" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/kovter1.png\" \/><\/a><\/p>\n<p><em>Figure 1: Registry setup for Kovter <\/em><\/p>\n<p>With this setup, every time a file with the custom file extension (<strong>.<\/strong>bbf5590fb) is opened, the malicious Kovter command contained in the registry key is 
executed via the shell extension <em>open<\/em> verb.<\/p>\n<p>Therefore, all Kovter needs to do to run on infected machines is open a file with their custom file extension <strong><em>.<\/em><\/strong>bbf5590fb \u2013 causing the malicious shell <em>open<\/em> command to run. This in turn runs a command using <em>mshta<\/em>.<\/p>\n<p><em>Mshta<\/em> is a legitimate Windows tool that Kovter uses to execute malicious JavaScript. This JavaScript then loads the main payload from another registry location, <em>HKCU\\software\\67f1a6b24cd0db239<\/em>. To trigger this shell <em>open<\/em> command on a regular basis, Kovter drops several garbage files with its custom file extension in different locations, for example:<\/p>\n<ul>\n<li><em><a title=\"Default location for the variable folder &quot;%LOCALAPPDATA%&quot;\" href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/variables.aspx#localappdata\" target=\"_blank\">%LOCALAPPDATA%<\/a>\\2023e9f1\\40e3e3b4.<strong>bbf5590fd<\/strong><\/em><\/li>\n<li><em><a title=\"Default location for the variable folder &quot;%APPDATA%&quot;\" href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/variables.aspx#appdata\" target=\"_blank\">%APPDATA%<\/a>\\33e58839\\3ad319e6.<strong>bbf5590fd<\/strong><\/em><\/li>\n<\/ul>\n<p>The contents of these files are not important, since the malicious code is contained within the shell <em>open<\/em> verb registry key. The last step in the installation process is setting up the auto-start mechanism to automatically open the above files. Kovter uses both a shortcut file and a batch (.bat) file for this:<\/p>\n<p><strong>Using a shortcut file<\/strong><\/p>\n<p>Kovter drops a shortcut file (.lnk) in the Windows startup folder which points to the garbage files. 
We have seen it drop the following shortcut file:<\/p>\n<ul>\n<li><a title=\"Default location for the variable folder &quot;%APPDATA%&quot;\" href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/variables.aspx#appdata\" target=\"_blank\"><em>%APPDATA%<\/em><\/a><strong><em>\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\28dd1e3d.lnk<\/em><\/strong><\/li>\n<\/ul>\n<p>The target command of the shortcut file is the following:<\/p>\n<p><strong><em>C:\\Windows\\System32\\cmd.exe \/C start &#8220;&#8221; &#8220;C:\\Users\\Admin\\AppData\\Roaming\\33e58839\\3ad319e6.bbf5590fd&#8221;<\/em><\/strong><\/p>\n<p>Once executed at startup, this command will open the file, causing the malicious shell <em>open<\/em> verb to run the malicious <strong><em>mshta<\/em><\/strong> command previously set up in the registry (see Figure 1).<\/p>\n<p><strong>Using a batch script file<\/strong><\/p>\n<p>Kovter will drop a batch script file (.bat) and set a registry run key to execute the .bat file. The .bat file will be dropped in a randomly generated folder, such as:<\/p>\n<ul>\n<li><em><a title=\"Default location for the variable folder &quot;%LOCALAPPDATA%&quot;\" href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/variables.aspx#localappdata\" target=\"_blank\">%LOCALAPPDATA%<\/a><\/em><strong><em>\\2023e9f1\\6af64010.bat<\/em><\/strong><\/li>\n<\/ul>\n<p>The .bat file has the following content:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/kovter2.png\" rel=\"attachment wp-att-8395\"><img loading=\"lazy\" decoding=\"async\" width=\"549\" height=\"36\" title=\"Content of the .bat file setup in run key\" class=\"aligncenter wp-image-8395 size-full\" alt=\"Content of the .bat file setup in run key\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/kovter2.png\" \/><\/a><\/p>\n<p><em>Figure 2: Content of the .bat file setup in run key<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Once executed, this .bat file will also open the dropped file, which then 
executes the malicious shell <em>open<\/em> verb.<\/p>\n<p>Instead of just adding the <em>mshta<\/em> script directly in a registry run key as in the old variant, Kovter is now using this shell <em>open<\/em> trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry changes.<\/p>\n<p>Windows Defender is able to successfully clean up and remove these new versions of this threat.<\/p>\n<h2>Kovter malvertising updates<\/h2>\n<p>Since <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/10\/large-kovter-digitally-signed-malvertising-campaign-and-msrt-cleanup-release\/\">our last blog on Kovter spreading through malicious advertisements<\/a> as a fake Adobe Flash update, we have observed some changes.<\/p>\n<p>On top of the fake Adobe Flash updates, Kovter is now <a href=\"https:\/\/blog.barkly.com\/fileless-malware-kovter-posing-as-firefox-update\">also pretending to be a Firefox update<\/a>. 
Kovter has also rotated through a series of new digital certificates, including the following:<\/p>\n<table style=\"width: 70%;border: 0.5px\">\n<tbody style=\"border: 1px solid grey;border-collapse: collapse\">\n<tr style=\"border: 0.5px solid #70AD47;background: #70AD47;vertical-align: top\">\n<td style=\"color: #ffffff;font-weight: 600;font-size: 1.1em;border-bottom: 0.5px solid white;text-align: left;padding: 2px\"><strong>Certificate signer hash<\/strong><\/td>\n<td style=\"color: #ffffff;font-weight: 600;font-size: 1.1em;border-bottom: 0.5px solid white;text-align: left;padding: 2px\"><strong>Valid from<\/strong><\/td>\n<td style=\"color: #ffffff;font-weight: 600;font-size: 1.1em;border-bottom: 0.5px solid white;text-align: left;padding: 2px\"><strong>Valid until<\/strong><\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">7e93cc85ed87ddfb31ac84154f28ae9d6bee0116<\/td>\n<td style=\"padding: 2px\">Apr 21 2016<\/td>\n<td style=\"padding: 2px\">Apr 21 2017<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">78d98ccccc41e0dea1791d24595c2e90f796fd48<\/td>\n<td style=\"padding: 2px\">May 13 2016<\/td>\n<td style=\"padding: 2px\">May 13 2017<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">c6305ea8aba8b095d31a7798f957d9c91fc17cf6<\/td>\n<td style=\"padding: 2px\">Jun 22 2016<\/td>\n<td style=\"padding: 2px\">Jun 22 2017<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">b780af39e1bf684b7d2579edfff4ed26519b05f6<\/td>\n<td style=\"padding: 2px\">May 12 2016<\/td>\n<td style=\"padding: 2px\">May 12 2017<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 
2px\">a286affc5f6e92bdc93374646676ebc49e21bcae<\/td>\n<td style=\"padding: 2px\">May 13 2016<\/td>\n<td style=\"padding: 2px\">May 13 2017<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">ac4325c9837cd8fa72d6bcaf4b00186957713414<\/td>\n<td style=\"padding: 2px\">Nov 18 2015<\/td>\n<td style=\"padding: 2px\">Nov 17 2016<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">ce75af3b8be1ecef9d0eb51f2f3281b846add3fc<\/td>\n<td style=\"padding: 2px\">Dec 28 2015<\/td>\n<td style=\"padding: 2px\">Dec 27 2016<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 1: List of certificates used by Kovter<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>We&#8217;ve noticed that every time the Kovter actors release a new wave of samples signed with a new certificate, they hit a lot of machines. This can be seen in our telemetry for the past three months, with spikes on May 21, June 14, and the first week of July.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/kovter3.png\" rel=\"attachment wp-att-8405\"><img loading=\"lazy\" decoding=\"async\" width=\"1804\" height=\"565\" title=\"Kovter\u2019s prevalence for the past two months\" class=\"aligncenter wp-image-8405 size-full\" alt=\"Kovter\u2019s prevalence for the past two months\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/kovter3.png\" \/><\/a><\/p>\n<p><em>Figure 3: Kovter\u2019s prevalence for the past two months<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Besides fake Adobe Flash and Firefox updates, Kovter also pretends to be a Chrome update (<em>chrome-update.exe<\/em>).<\/p>\n<p>We have seen Kovter downloaded from a large list of URLs, 
including:<\/p>\n<ul>\n<li><em>hxxps:\/\/eepheverseoftheday.org\/2811826639187\/2811826639187\/146819749948281\/FlashPlayer.exe<\/em><\/li>\n<li><em>hxxps:\/\/deequglutenfreeclub.org\/8961166952189\/8961166952189\/146809673281840\/FlashPlayer.exe<\/em><\/li>\n<li><em>hxxps:\/\/zaixovinmonopolet.net\/5261173544131\/5261173544131\/146785099939564\/FlashPlayer.exe<\/em><\/li>\n<li><em>hxxps:\/\/feehacitysocialising.net\/7561659755159\/1468089713424429\/firefox-patch.exe<\/em><\/li>\n<li><em>hxxps:\/\/eepheverseoftheday.org\/1851760268603\/1851760268603\/1468192094476645\/firefox-patch.exe<\/em><\/li>\n<li><em>hxxps:\/\/uchuhfsbox.net\/8031143191240\/8031143191240\/1467996389305283\/firefox-patch.exe<\/em><\/li>\n<li><em>hxxps:\/\/ierairosihanari.org\/1461656983266\/1461656983266\/1467987174641688\/firefox-patch.exe<\/em><\/li>\n<li><em>hxxps:\/\/anayimovilyeuros.net\/7601143032510\/7601143032510\/1465468888898207\/chrome-patch.exe<\/em><\/li>\n<\/ul>\n<p>For reference, here are some SHA1s corresponding to each certificate used by Kovter:<\/p>\n<table style=\"width: 70%;border: 0.5px\">\n<tbody>\n<tr style=\"border: 0.5px solid #70AD47;background: #70AD47;vertical-align: top\">\n<td style=\"color: #ffffff;font-weight: 600;font-size: 1.1em;border-bottom: 0.5px solid white;text-align: left;padding: 2px\"><strong>Certificate Signer Hash<\/strong><\/td>\n<td style=\"color: #ffffff;font-weight: 600;font-size: 1.1em;border-bottom: 0.5px solid white;text-align: left;padding: 2px\"><strong>SHA1<\/strong><\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">7e93cc85ed87ddfb31ac84154f28ae9d6bee0116<\/td>\n<td style=\"padding: 2px\">7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">78d98ccccc41e0dea1791d24595c2e90f796fd48<\/td>\n<td style=\"padding: 
2px\">da3261ceff37a56797b47b998dafe6e0376f8446<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">c6305ea8aba8b095d31a7798f957d9c91fc17cf6<\/td>\n<td style=\"padding: 2px\">c3f3ecf24b6d39b0e4ff51af31002f3d37677476<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">b780af39e1bf684b7d2579edfff4ed26519b05f6<\/td>\n<td style=\"padding: 2px\">c49febe1e240e47364a649b4cd19e37bb14534d0<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">a286affc5f6e92bdc93374646676ebc49e21bcae<\/td>\n<td style=\"padding: 2px\">3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">ac4325c9837cd8fa72d6bcaf4b00186957713414<\/td>\n<td style=\"padding: 2px\">e428de0899cb13de47ac16618a53c5831337c5e6<\/td>\n<\/tr>\n<tr style=\"border: 0.5px solid #70AD47;background: #E2EFDA;vertical-align: top\">\n<td style=\"padding: 2px\">ce75af3b8be1ecef9d0eb51f2f3281b846add3fc<\/td>\n<td style=\"padding: 2px\">b8cace9f517bad05d8dc89d7f76f79aae8717a24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 2: List of Kovter SHA1 for each certificate<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>To protect yourself from this type of attack, we encourage users to <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/help\/updatefaqs.aspx\">only download and install applications or their updates from their original and trusted websites<\/a>.<\/p>\n<p>Using an up-to-date version of an antimalware scanner like <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/using-defender#1TC=windows-10\">Windows Defender<\/a> will also help you to stay protected from Kovter.<\/p>\n<p><em>Duc Nguyen<br \/> MMPC<\/em><\/p>\n<p><a 
href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/07\/22\/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trojan:Win32\/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter\u2019s persistence method and some updates on their latest malvertising campaigns. New persistence method Since June 2016,&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10878,10531,10833],"class_list":["post-6328","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-kovter","tag-malvertising","tag-trojan"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6328"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6328\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6328"}],"wp:term":[{"taxonomy":"category","em
beddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6328"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}