Kovter expanding bot through emails bearing ‘court notices’ – Performanta’s case study
On the weekend of the 11th of July, suspicious emails with the subject ‘Notice to Appear in Court’ were sent to some of our key employees. The messages purported to originate from the ‘District Court’ and carried a zipped attachment. Performanta Labs carried out an initial analysis and confirmed it was a threat. More rigorous follow-up analysis determined that it was the Kovter ad fraud bot, which also appeared to be spreading on the 10th of July via a malvertising campaign.
In the current threat landscape, where adversaries segment scatter attacks for profit in order to remain undetected for longer periods of time, it is becoming more challenging to differentiate crimeware attacks that utilise well-known bots from what could potentially be an attack that specifically targets your data. At first glance, this attack appeared to be a targeted attack aimed specifically at Performanta: the Kovter threat initially had a zero antivirus detection rate and continued to have low detection rates in the following days (a known property of malware these days), it utilised infection methods like ‘process hollowing’ (seen in threats like Stuxnet), and it downloaded Microsoft PowerShell. As the lines between crimeware and threats that target your data become more blurred, thorough analysis is paramount to gain context and understand threats in greater detail.
At Performanta, we specialise in professional services for an array of security products. We possess an acute understanding of the current threat landscape and believe targeted attacks to be a common property that may affect organisations of all sizes. We educate our customers in the same manner and believe that exposing this type of data is essential – as it can help raise awareness and education against the scourge of cybercrime.
In an attempt to raise awareness, this blog is going to include some tangible information followed by indicators of compromise for this specific attack. We sincerely wish to educate the security community and help create context for anybody else that may have encountered this type of cyber attack.
The Email Lure
The malicious emails were sent during the early hours on Saturday the 11th of July. The subject of the emails (‘Notice to Appear in Court’) and the body of the messages didn’t appear to have any grammatical mistakes.
(Full text of the email message is included to help with incoming web search of affected parties or researchers)
The script attempts to download malicious executable files from three different hosts that appear to be compromised websites. The files are downloaded to the %TEMP% folder and their names consist of digits only (e.g. 37845366.exe).
The URL crafted by the script attempts to download files from the following three websites:
The value of the stroke variable (seen at the top of the first image below) is used in the URL as the value of the &id parameter, and in return the web server returns the malicious file; this is done so that only the script can download the files. A simple detection-evasion technique was also spotted: the web server attempted to masquerade the malicious executable files as images by including a filename with the GIF extension in the Content-Disposition field of the HTTP header (see bottom image).
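The mismatch described above can be checked on captured HTTP responses by comparing the filename in the Content-Disposition header with the leading bytes of the body. The following is an added example, not code from the original post; the two sample responses and the filename sample.gif are constructed for illustration.

```python
import os
import struct
from email.parser import BytesParser

# Leading bytes expected for the image extensions checked here.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def is_pe(body: bytes) -> bool:
    """True if body starts with MZ and e_lfanew points at a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def check_response(raw: bytes) -> dict:
    """Compare the Content-Disposition filename with the body's real type."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _status, _, header_block = head.partition(b"\r\n")
    msg = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    filename = msg.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        verdict = "not-claimed-as-image"
    elif body.startswith(IMAGE_MAGIC[ext]):
        verdict = "consistent"
    elif is_pe(body):
        verdict = "executable-disguised-as-image"
    else:
        verdict = "extension-content-mismatch"
    return {"filename": filename, "verdict": verdict}

# Constructed samples (not captured traffic): a minimal PE stub and a GIF header.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
           b"Content-Disposition: attachment; filename=sample.gif\r\n\r\n")
DISGUISED = HEADERS + PE_STUB
GENUINE = HEADERS + b"GIF89a\x01\x00\x01\x00"

if __name__ == "__main__":
    for label, raw in (("disguised", DISGUISED), ("genuine", GENUINE)):
        print(label, check_response(raw))
```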
Here are some examples of calls from the script to download the malicious files:
Post Infection Activity – Utilising Windows PowerShell and downloading Flash Player
When the file is launched from the %TEMP% folder by Microsoft Windows Script Host, the threat executes a legitimate Windows program under \Windows\System32 called dllhost.exe. Following the execution, the threat utilises a method known as ‘process hollowing’ (a technique used by some malware in which a legitimate process is loaded on the system to contain and be loaded with malicious code – more details here).
The threat then starts another dllhost.exe process; this process appears to be a watchdog over the parent dllhost.exe process, which acts as the main module. The threat ‘calls home’ and signals a successful infection to the Kovter command and control server by initiating an HTTP POST with some data to the following address: 18.104.22.168/upload.php.
The folks at Malwarebytes noticed a malvertising campaign that dropped Kovter on the 10th of July; the threat checks in to the same IP at 22.214.171.124.
Kovter spawns different sub-processes to complete certain tasks and to remain persistent on the computer. At the initial infection stage, following the hollowing of the dllhost.exe process, it generates a random name made of letters and uses it as the name of a folder that it creates under the logged-on user’s Local Settings Application Data folder (normally \Documents and Settings\%username%\Local Settings\Application Data). It then copies a version of itself to that folder and gives the copied executable the same random name it used for the folder. In order to persist and survive a system reboot, two auto-startup RUN registry keys are created under the local user and the local machine; the registry key name is empty or null (may appear as closing square brackets [ ] in some tools).
The threat has also been seen utilising Microsoft HTML Application Host (mshta.exe) to auto-start under the RUN registry key. Here is an example of what it looks like in the registry value:
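As an added example (not part of the original post, and not the registry value it refers to), the persistence traits described above can be turned into a triage check over exported Run-key values and file paths that flags entries for review. The user alice, the folder name qwhzk, the VendorUpdater entry and the mshta.exe argument are constructed placeholders; only the file name 37845366.exe comes from the post.

```python
import re

# Folder and executable share one letters-only name under Application Data.
SAME_NAME = re.compile(
    r"\\Local Settings\\Application Data\\([A-Za-z]+)\\\1\.exe\b", re.I)
# Digits-only executable name in the Temp folder, e.g. 37845366.exe.
TEMP_DIGITS = re.compile(r"\\Temp\\\d+\.exe\b", re.I)
MSHTA = re.compile(r"\bmshta(\.exe)?\b", re.I)

PATH_CHECKS = [(SAME_NAME, "folder-and-exe-share-random-name"),
               (TEMP_DIGITS, "digits-only-exe-in-temp")]

def path_reasons(text: str) -> list:
    """Reasons a file path (or a path inside a Run value) deserves review."""
    return [label for rx, label in PATH_CHECKS if rx.search(text)]

def run_value_reasons(name, data: str) -> list:
    """Reasons a Run-key value deserves review; name may be '' or None."""
    reasons = []
    if not name:
        reasons.append("empty-value-name")
    if MSHTA.search(data):
        reasons.append("mshta-autostart")
    return reasons + path_reasons(data)

def triage(run_values, paths) -> list:
    """Return (source, reasons) for every entry with at least one reason."""
    findings = []
    for hive, name, data in run_values:
        reasons = run_value_reasons(name, data)
        if reasons:
            findings.append((f"{hive} Run [{name or ''}]", reasons))
    for path in paths:
        reasons = path_reasons(path)
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed sample data, in the shape of a registry and file-listing export.
BASE = r"C:\Documents and Settings\alice\Local Settings"
RUN_VALUES = [
    ("HKCU", "", BASE + r"\Application Data\qwhzk\qwhzk.exe"),
    ("HKLM", None, 'mshta.exe "placeholder-argument"'),
    ("HKLM", "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
]
PATHS = [BASE + r"\Temp\37845366.exe",
         BASE + r"\Application Data\Vendor\helper.exe"]

if __name__ == "__main__":
    for source, reasons in triage(RUN_VALUES, PATHS):
        print(source, "->", ", ".join(reasons))
```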
Following a successful infection, the threat starts polling a long list of IP addresses that appear to be part of the bot (the IPs are listed in the Indicators of Compromise section at the bottom of the blog). We examined the threat under Windows XP, and one of its interesting traits is the download and silent install of the Windows Management Framework from Microsoft’s website; the installation is followed by the initiation of a framework update. One of the key features of that framework is PowerShell, an advanced command-line tool for Windows that enables power users to administer a machine remotely or locally. As such, it is considered to be a very effective post-exploitation utility employed by both penetration testers and black hats.
It was also observed that Kovter downloaded the latest version of Flash Player. A blog post by Kafeine assumed that adversaries simply try to ‘patch’ security holes on the system to avoid possible infection by other competing bots; the same post noted that Kovter probably does that to maximise its revenue by displaying Flash video ads, which are more profitable than the usual simple pop-up commercial ads.
In this blog we analysed what appears to be a targeted attack aimed at expanding a well-known bot called Kovter. This attack is a good reminder that low-volume attacks, regardless of whether they utilise known malware or not, are a common property and relevant to any business size or industry vertical. The fact that Kovter impacts businesses and utilises power tools like PowerShell increases the risk level of an infection, as it opens more options for adversaries to expand their business model and glean business data. We hope that you found this post educational and helpful in giving more context about this attack.
Please feel free to share this post within your social community and help improve awareness and understanding. You could potentially save a relative, friend or colleague from being an unsuspecting victim of such an attack.
Indicators of Compromise
Registry Keys:
Threat Local Files:
%USERPROFILE%\Local Settings\Application Data\<random-alphabetical-name>\<random-alphabetical-name.exe>
Legitimate Local Folders & Files:
Command and Control URL:
Other Network Traffic Seen initiated by Kovter (not confirmed as malicious):