Large Kovter digitally-signed malvertising campaign and MSRT cleanup release

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users from United States are nearly exclusively being targeted, and infected PCs are used to perform click-fraud and install additional malware on your machine.

Starting April 21, 2016, we observed a large Kovter malware attack where in just a week and a half we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL digital certificates to secure an HTTPS SSL connection and their own code signing certificate to sign the downloaded malware with.

Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

Kovter’s digitally signed malvertising campaign

Malvertising is a technique used by bad actors to attack your PC, where they buy advertisement space with ad networks, ad exchanges, and ad publishers. These ads then appear on many websites who use the same advertisement network, and attacks some of the users as they visit the websites.

Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

Using this technique, we’ve seen malicious attackers use varied techniques such as:

  • Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious and they have not detected a problem on your PC.
  • Attempting to lock your browser and demanding payment as ransomware. You can close your browser or restart your computer to escape. This type of ransomware hasn’t really locked your PC.
  • Loading an exploit kit to attack your browser or browser plugin.
  • Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up-to-date is really important to keep your PC safe and secure from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update if they request to outside of your browser or search for the official websites to install the missing components.

The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting effected websites are redirected to fake websites impersonating the Adobe Flash hallmark download page claiming your Flash Player is out of date, and Trojan:Win32/Kovter is automatically downloaded pretending to be “FlashPlayer.exe”.

Kovter infection chain

Figure 1 – Kovter’s fake Adobe update malvertising infection chain

 

For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:

  • aefoopennypinchingpolly.com
  • ahcakmbafocus.org
  • ahxuluthscsa.org
  • caivelitemind.com
  • ierietelio.org
  • paiyafototips.com
  • rielikumpara.org
  • siipuneedledoctor.com
  • ziejaweleda.org

The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

Admin Email: monty.ratliff@yandex.com

As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

https://<domain>/<random numbers>/<random hex>.html

For example:

hxxps://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html

By using HTTPS, your browser displays a ‘secure’ lock symbol – incorrectly adding to the user trust that the website is safe while at the same time preventing most network intrusion protection systems from protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user however. We were unable to confirm due to the servers being taken down, but reports online suggest trial COMODO SSL certificates were being used to secure these connections for the Kovter campaigns in the past.

When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:

hxxps://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe

Some example FlashPlayer.exe downloaded files for reference are as follows:

Sha1 Md5
eafe025671e6264f603868699126d4636f6636c7
c26b064b826f4c1aa6711b7698c58fc0
0686c48fd59a899dfa9cbe181f8c52cbe8de90f0
e0a31d6b58017428dd8c907b14ea334e
62690c0a5a9946f91855a476b7d92447e299c89a
18ccf307730767c4620ae960555b9237
7a678fa58e310749362a432db9ff82aebfb6de62
f6406681e0652e33562d013a8c5329b9
872d157c9c844636dda2f33be83540354e04f709
42b1b775945a4f21f6105df8e9c698c2
37a8ad4a51b6f7b418c17abd8de9fc089a23125d
3767f655a462c4bf13ae83c5f7656af4
cfebfe6d4065dd14493abeb0ae6508a6d874d809
a14a38ebe3856766d55c1af35fb1681f
c48b21c854d6743c9ebe919bf1271cade9613890
321f9b3717655e1886305f4ca01129ad
4df10be4b12f3c7501184097abee681a1045f2ed
0966f977c6d319e838be9b2ceb689fbe
457f0f7fe85fb97841d748af04166f2a3e752efe
7214015e37750f3ee65d5054a5d1ff8a

 

These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

Comodo certificateComodo certificate

 

We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

The sheer volume of PCs encountering Kovter during this attack, along with the attackers appearing to have been directly issued their own digital certificates is a cause for concern. Lucky for us, the digital signing actually worked to help us better identify files that are Kovter to better protect you – since we are able to uniquely identify and remove all files signed by this certificate. We will be continuing to monitor Kovter to keep you protected.

 

MSRT coverage

As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware which uses infected Microsoft Office files to download the ransomware onto your PC

By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.

 

Kovter Installation

On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

  • Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
  • Md5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware drops its main payload as data in a registry key (HKCU\software\<random_chars> or HKLM\software\<random_chars>). For example, we have seen it drop the payload into the following registry keys:

  • hklm\software\oziyns8
  • hklm\software\2pxhqtn
  • hkcu\software\mpcjbe00f
  • hkcu\software\fxzozieg

Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:

  • hklm\software\microsoft\windows\currentversion\run
  • hklm\software\microsoft\windows\currentversion\policies\explorer\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
  • hkcu\software\microsoft\windows\currentversion\run
  • hkcu\software\classes\<random_chars>\shell\open\command

The dropped JavaScript registry usually has the format: “mshta javascript: <malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the Kovter payload data registry key data into memory and execute it.

One executing in memory, the malware also injects itself into legitimate processes including:

  • regsvr32.exe
  • svchost.exe
  • iexplorer.exe
  • explorer.exe

After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.

 

Payload

Lowers Internet security settings

It modifies the following registry entries to lower your Internet security settings:

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Sets value: “1400” With data: “0
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Sets value: “1400” With data: “0

Sends your personal information to a remote server

We have seen this malware send information about your PC to the attacker, including:

  • Antivirus software you are using
  • Date and time zone
  • GUID
  • Language
  • Operating system

It can also detect some specific tools you use in your PC and sends that information back to the attacker:

  • JoeBox
  • QEmuVirtualPC
  • Sandboxie
  • SunbeltSandboxie
  • VirtualBox
  • VirtualPC
  • VMWare
  • Wireshark

Click-fraud

This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.

Download updates or other malware

This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:

 

Demographics

Kovter prevalence or encounters chart

Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April

 

Kovter's geographic distribution

Figure 3 – Kovter’s geographic distribution shows that majority of the affected machines are in the United States

 

Mitigation and prevention

To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Geoff McDonald and Duc Nguyen

MMPC