Threat Spotlight: Kovter Malware Fileless Persistence Mechanism


Kovter is a pervasive click-fraud trojan that uses a fileless persistence mechanism to maintain a foothold in an infected system and thwart traditional antivirus software [1]. In this article, we will take a closer look at this technique, which Kovter began leveraging in 2016.

Point of Entry

The first stage is delivered via a tainted email attachment – a partially obfuscated JScript/JavaScript file hiding inside a 7-zip archive. The script file is one half of a two-part downloader: when launched, it downloads the second half.

Run-of-the-mill social engineering coerces the user into opening the attachment; in this instance, a “Failed Parcel Delivery” notice claiming to be from USPS.

Use of 7-zip for the attachment is a curious choice. Following installation, the “.7z” extension is not associated with 7-zip. By default, Windows prompts the user to select a suitable program to open any 7-zip attachment.

This additional layer of interaction, beyond the typical requirement to simply double-click, can only have diminished the success of this campaign. 7-zip was most likely employed as an evasion tactic, being less common than the standard .zip file.

Figure 1: Default association following 7-zip installation

Ground Zero

Sample details:

SHA256: 399c2d44799d6a9e372e442ebcc2db50863aa28d77dce56ca6015352844e2b21
File Type: JScript/JavaScript
File Size: 1.39 KB
Comment: First stage downloader

SHA256: f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 408.42 KB
Comment: Main payload executable

When double-clicked by the end user, Windows Script Host is responsible for launching the script inside the 7-zip archive. The script only has a basic level of obfuscation, making it easy to analyze:

Figure 2: Deobfuscated 7Zip downloader script

HTTP GET requests are made to five embedded URLs. The random character string at the top of the script is included with each request, serving as a ‘chunk’ delimiter. If the delimiter is present
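As an added defensive illustration (not code from the original post or from Cylance), the following Python scans proxy logs for the fan-out pattern described above: one client sending the same long random string to several distinct hosts within a short window. The log format, the sample lines and the assumption that the string appears in the URL path or query are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post): time, client, method, URL.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.0.0.5 GET http://example-a.test/dl.php?k=QzR7xkWp2LmN9
2016-03-01T10:00:02Z 10.0.0.5 GET http://example-b.test/get?k=QzR7xkWp2LmN9
2016-03-01T10:00:02Z 10.0.0.5 GET http://example-c.test/x/QzR7xkWp2LmN9
2016-03-01T10:00:03Z 10.0.0.5 GET http://example-d.test/?QzR7xkWp2LmN9
2016-03-01T10:00:04Z 10.0.0.5 GET http://example-e.test/p?id=QzR7xkWp2LmN9
2016-03-01T10:05:00Z 10.0.0.7 GET http://cdn.example.test/app.js?v=2016030100abc
2016-03-01T10:05:01Z 10.0.0.7 GET http://cdn.example.test/app.css?v=2016030100abc
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumption: the delimiter is a long alphanumeric run in the path or query string.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{12,}")


def parse_log(text):
    """Return (time, client, host, path+query) for each well-formed GET line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "GET":
            continue
        ts, client, _, url = m.groups()
        parts = urlsplit(url)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client,
                       parts.netloc, parts.path + "?" + parts.query))
    return events


def find_shared_tokens(events, min_hosts=3, window_seconds=60):
    """Flag (client, token) pairs where one token reaches >= min_hosts distinct
    hosts within window_seconds, the fan-out shape of the two-part downloader."""
    seen = defaultdict(lambda: {"hosts": set(), "times": []})
    for ts, client, host, target in events:
        for token in set(TOKEN_RE.findall(target)):  # hostnames are excluded
            seen[(client, token)]["hosts"].add(host)
            seen[(client, token)]["times"].append(ts)
    findings = []
    for (client, token), entry in seen.items():
        span = (max(entry["times"]) - min(entry["times"])).total_seconds()
        if len(entry["hosts"]) >= min_hosts and span <= window_seconds:
            findings.append({"client": client, "token": token,
                             "hosts": sorted(entry["hosts"])})
    return findings
```

Tune `min_hosts` and `window_seconds` to the environment; CDN cache-busters (like the second client above) stay on one host and are not flagged.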

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog