Cylance vs. Kovter Malware

Background

Kovter, the click-fraud trojan first detected in 2015, is back with a brand-new trick. The malware has moved its on-disk residency into memory and the registry, in an attempt to evade file-scanning antivirus (AV) detection. This new fileless infection capability is a significant evolution for Kovter.

Kovter Analyzed

The Cylance Threat Research Group recently analyzed the new infection method used by Kovter. Our research uncovered a potential design misstep which appears early in the malware’s delivery process.

Kovter arrives as an email attachment compressed with 7-Zip (.7z) rather than the common .zip format, which Microsoft Windows® can open natively. Recipients who do not have 7-Zip installed are prompted by Windows to choose a program to open the infected attachment. This interruption in the infection chain gives users a chance to reexamine the situation, which may diminish Kovter’s overall success rate.

However, if the .7z archive is successfully extracted and the enclosed script is opened, the Windows Script Host (wscript.exe) runs the weaponized JavaScript hidden within. This script reaches out to five URLs. Each request carries a “chunk delimiter” (a random character string), which a live command-and-control (C2) server echoes back in a response larger than 1 KB. The C2 response also contains the second half of the malware downloader, which saves the Kovter executable to %TEMP%.

Next, the obfuscated JavaScript and the binary payloads are written to the Windows Registry as REG_SZ values under HKCU\Software\<RANDOM>\<RANDOM> or HKLM\Software\<RANDOM>\<RANDOM>.

The Microsoft HTML Application Host (mshta.exe) is then launched with a command line that points at the newly created JavaScript registry entries rather than at a file on disk. That JavaScript also carries a Base64-encoded payload containing shellcode, which is decoded, loaded into memory and executed.

The shellcode then retrieves Kovter’s encrypted payload from the second registry entry. That payload launches and injects itself into a regsvr32.exe process. At this point the malware has successfully (Read more...)
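The chain described above leaves three things a defender can look for: script and binary blobs stored as REG_SZ values under a two-level Software key, mshta.exe started with inline script instead of an .hta file, and a regsvr32.exe process used as the injection target. The Python below is an added example, not code from the Cylance post, and runs simple rules over constructed Sysmon-style events. The key names, the RegRead-based mshta command line, and the assumption that the regsvr32.exe target is spawned by mshta.exe are this example’s own inventions, not details taken from the post.

```python
import base64
import re

# Constructed sample events, loosely shaped like Sysmon process-create and
# registry value-set records. They are illustrative inputs for this example,
# not telemetry from a real Kovter infection; the key names are made up.
SAMPLE_EVENTS = [
    # Stage 2: mshta.exe started with inline JavaScript that reads the next
    # stage back out of the registry (RegRead is an assumption about how the
    # registry "path" on the command line is resolved; the post does not say).
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "mshta \"javascript:ZqW=new ActiveXObject('WScript.Shell');"
                "eval(ZqW.RegRead('HKCU\\\\Software\\\\Xk7q2m\\\\Bw9e1r'));\""},
    # Stage 3: the injection target, modelled here as a regsvr32.exe whose
    # parent is the script host (an assumption; the post only says the payload
    # injects into regsvr32.exe).
    {"kind": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe", "cmdline": "regsvr32.exe"},
    # Benign: mshta running an .hta file from disk.
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Stage 1 artefacts: obfuscated JavaScript and a binary blob stored as
    # REG_SZ under HKCU\Software\<RANDOM>\<RANDOM>.
    {"kind": "registry", "key": r"HKCU\Software\Xk7q2m\Bw9e1r", "value_type": "REG_SZ",
     "data": "var xq='...';eval(function(p){return p;}(xq));"},
    {"kind": "registry", "key": r"HKCU\Software\Xk7q2m\Pq4t8z", "value_type": "REG_SZ",
     "data": base64.b64encode(b"MZ" + b"\x00" * 1198).decode()},  # stand-in for a PE
    # Benign: an ordinary autorun entry.
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_type": "REG_SZ", "data": r"C:\Program Files\Vendor\updater.exe"},
]

SCRIPT_MARKERS = ("javascript:", "vbscript:", "eval(", "activexobject", "regread")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Exactly two key components under Software, i.e. the <RANDOM>\<RANDOM> shape.
STAGING_KEY_RE = re.compile(r"^HK(?:CU|LM)\\Software\\[^\\]+\\[^\\]+$", re.IGNORECASE)


def is_base64_blob(data, min_len=1024):
    """True for a long run of pure base64 text: a binary stage stored as REG_SZ."""
    return len(data) >= min_len and BASE64_RE.match(data) is not None


def _image_is(ev, name):
    return ev["kind"] == "process" and ev["image"].lower().endswith("\\" + name)


def mshta_inline_script(ev):
    """mshta.exe given inline script on its command line instead of an .hta path."""
    cmd = ev.get("cmdline", "").lower()
    return _image_is(ev, "mshta.exe") and ("javascript:" in cmd or "vbscript:" in cmd)


def regsvr32_from_mshta(ev):
    """regsvr32.exe spawned by the script host (assumed injection-target pattern)."""
    return _image_is(ev, "regsvr32.exe") and ev["parent_image"].lower().endswith("\\mshta.exe")


def _staged_value(ev):
    return (ev["kind"] == "registry" and ev["value_type"] == "REG_SZ"
            and STAGING_KEY_RE.match(ev["key"]) is not None)


def registry_staged_script(ev):
    """Script text stored as a REG_SZ value under a two-level Software key."""
    return _staged_value(ev) and any(m in ev["data"].lower() for m in SCRIPT_MARKERS)


def registry_staged_blob(ev):
    """Large base64 text stored as a REG_SZ value under a two-level Software key."""
    return _staged_value(ev) and is_base64_blob(ev["data"])


RULES = [mshta_inline_script, regsvr32_from_mshta, registry_staged_script, registry_staged_blob]


def hunt(events):
    """Return (rule_name, evidence) pairs for every event a rule fires on."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev.get("key") or ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS):
        print(f"{name:24} {evidence[:70]}")
```

Running the file lists four hits and stays silent on the two benign events (an .hta launched from disk and an ordinary Run value). On a live host the same rules can be fed from Sysmon process-create and registry value-set events, or by walking HKCU:\Software and HKLM:\Software with PowerShell; any two-level key whose REG_SZ data is script text or a kilobyte-plus run of base64 deserves a closer look, and a REG_SZ value is a cheap place to stash a binary precisely because file-scanning AV never sees it.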

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog