Kovter is a pervasive click-fraud trojan that uses a fileless persistence mechanism to maintain a foothold in an infected system and thwart traditional antivirus software . In this article, we will take a closer look at this technique, which Kovter began leveraging in 2016.
Point of Entry
Run-of-the-mill social engineering coerces the user into opening the attachment. In this instance, a “Failed Parcel Delivery” notice claiming to be from USPS.
Use of 7-zip for the attachment is a curious choice. Following installation, the “.7z” extension is not associated with 7-zip. By default, Windows prompts the user to select a suitable program to open any 7-zip attachment.
This additional layer of interaction, beyond the typical requirement to simply double-click, can only have diminished the success of this campaign. 7-zip was mostly likely employed as an evasion tactic, being less common than the standard .zip file.
Figure 1: Default association following 7-zip installation
File Size: 1.39 KB
Comment: First stage downloader
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 408.42 KB
Comment: Main payload executable
Figure 2: Deobfuscated 7Zip downloader script
HTTP GET requests are made to five embedded URLs. The random character string at the top of the script is included with each request, serving as a ‘chunk’ delimiter. If the delimiter is present (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog