Kovter Research and Analysis

Through recent alert analysis, Perch Labs has identified Kovter as malicious code on the rise since January. To truly understand the code, we first need to understand its history:

The Kovter family of malicious code has a history of being effective and difficult to detect. Its most common attack vector has been spam and targeted phishing email campaigns. Spam and phishing emails using false delivery notifications for UPS or FedEx, or fake invoices, are nothing new but are still incredibly effective, especially when well researched and targeted. The main Kovter variants are aimed at ad fraud and are difficult to detect and remove because they use file-less infection methods. They can steal personal or corporate information, download additional malware, or take complete control of the infected host.

Kovter Methodologies

1. Attack the Human
Kovter arrives in mail attachments as a macro in an Office file. When activated, the macro downloads additional files that trigger a PowerShell command stored in the registry to gain full control of the host; the randomly named downloaded file then deletes itself. One of the most recent campaigns tricked users with fake delivery notifications from UPS, USPS, and FedEx. The emails have historically targeted finance and HR departments with job-related documents such as resumes and invoices. The email attachment is either a ZIP file containing a double-extension file (*.doc.html) or a standalone double-extension HTML file.

2. Extract, Decode and Run
Targeted phishing succeeds because of the research done on the company or individuals. Malicious actors trawl LinkedIn to identify key employees or easy targets, then trawl social media for likes and dislikes to craft an email based on what they find. The HTML document convinces the user to click and download an "Office plugin," but in the background the HTML actually contains an embedded base64-encoded ZIP file.

3. Install Malicious JavaScript
When opened, the HTML extracts a JS file (WebView-Plugin-Update-0.exe.js), a partially obfuscated JScript/JavaScript file hidden inside a 7-Zip archive. Once connected, the fake WebView plugin downloads a further JS file and executes it immediately after a de-obfuscation step.

4. Connect to C2 for additional payloads
Once properly decoded, the file again tries to build different URLs using different domain names, with two possible URLs per domain. The first URL downloads something from the ransomware or spyware family and the second downloads Kovter. Both URLs download a file with a *.PNG extension that is later renamed to *.EXE and executed. There are layers of obfuscated files and multiple command-and-control sites.

5. Connect to new C2 to test file storage
The malicious code now attempts to communicate with C2 servers built to store assets stolen from infected hosts. Once communication is established, a process schedules regular connections to upload any data the infected host has collected.
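The lure and payload traits described in steps 1 through 4 (double-extension attachment names, an HTML file carrying a base64-encoded ZIP, and a *.PNG download that is really an executable) can be checked mechanically at the mail gateway or proxy. The triage script below is an added example written for this article, not Perch Labs code; every sample input it builds is constructed here and none is a real Kovter artifact.

```python
import base64
import io
import re
import zipfile

# Constructed samples for this example; none are real Kovter artifacts.
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|png|jpg|exe)\.(html?|js|exe|vbs)$", re.I)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
ZIP_MAGIC, PE_MAGIC, PNG_MAGIC = b"PK\x03\x04", b"MZ", b"\x89PNG\r\n\x1a\n"

def embedded_zip_members(html):
    """Names of files inside any base64-encoded ZIP hidden in an HTML lure."""
    for run in B64_RUN.findall(html):
        try:
            data = base64.b64decode(run + b"=" * (-len(run) % 4))
        except ValueError:
            continue
        if data.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return z.namelist()
    return []

def triage(name, data):
    """Reasons an attachment or download matches the Kovter lure traits above."""
    findings = []
    if DOUBLE_EXT.search(name):
        findings.append("double extension: " + name)
    if name.lower().endswith((".htm", ".html")):
        for member in embedded_zip_members(data):
            findings.append("HTML embeds ZIP containing " + member)
            if DOUBLE_EXT.search(member):
                findings.append("double extension: " + member)
    # Stage-4 payloads arrive as *.PNG but are really executables (MZ header).
    if name.lower().endswith(".png") and data.startswith(PE_MAGIC):
        findings.append("PNG extension but PE (MZ) header: " + name)
    return findings

def build_samples():
    """Constructed inputs: an HTML lure embedding a ZIP, a fake PNG, a real PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WebView-Plugin-Update-0.exe.js", "// placeholder text, not malware")
    b64 = base64.b64encode(buf.getvalue())
    html = (b'<html><a download="plugin.zip" href="data:application/zip;base64,'
            + b64 + b'">Install Office plugin</a></html>')
    return {
        "invoice.doc.html": html,
        "stage2.png": b"MZ" + b"\x00" * 62,
        "logo.png": PNG_MAGIC + b"\x00" * 16,
    }
```

Run `triage(name, data)` over each item of `build_samples()`; the HTML lure yields three findings, the fake PNG one, and the real PNG none.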

## Strategy for Detection and Prevention

Because Kovter arrives via spam mail, your organization should consider setting up anti-spam filters that block malicious emails before they reach the end user. Also implement web filtering that can detect communication with a C2 website.

1. Log Management
Log messages are a very useful tool for a variety of security tasks, but simply collecting logs locally in text files is often not enough. With tools like syslog-ng, security experts can centralize all of the log messages coming from servers, network devices, applications and many other sources (even printers and peripherals). With central log collection, one can easily check log messages even if the source machine suffered a hardware failure or logs were removed during a security incident. And once all of the logs are centralized, you can do interesting things like filter the messages, getting rid of the ones you don't want, or classify messages so that you can group similar messages together. There are a few steps to follow to maintain an efficient and effective logging process:

2. File Integrity Management
Organizations can also build detections around commands known to be used by malicious PowerShell scripts, looking for patterns used to obfuscate the command line. Files from any of the malware below will, once loaded, be detected through their file loads; this is another observable that a FIM solution can detect.
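As an added example for the detection ideas above (not code from the article or from Perch Labs), the script below scans process-creation log lines for the PowerShell traits this page describes: a stage read from the registry, and switches used to hide or encode the command. It decodes any -EncodedCommand payload (base64 of UTF-16LE text) so the registry read and Invoke-Expression inside it are visible. The log line format and the registry key name are constructed placeholders.

```python
import base64
import re

# Indicators drawn from the page; the regexes cover common PowerShell
# switches and aliases. All sample log lines are constructed for this example.
INDICATORS = [
    ("encoded command", re.compile(r"-(?:enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no profile / non-interactive", re.compile(r"-(?:nop|noprofile|noni|noninteractive)\b", re.I)),
    ("Invoke-Expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("script read from registry", re.compile(r"(?:get-itemproperty|gp)\s+.*hk(?:cu|lm)", re.I)),
]
ENC_ARG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{20,})", re.I)

def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand payloads are base64 of UTF-16LE text."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def indicators_for(cmdline):
    """Names of indicators present in the command line and its decoded payload."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += "\n" + decoded
    return [name for name, rx in INDICATORS if rx.search(text)]

def scan_log(lines, threshold=2):
    """(line_no, indicators) for process-creation lines with >= threshold hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        _, sep, cmdline = line.partition("CommandLine:")
        found = indicators_for(cmdline.strip()) if sep else []
        if len(found) >= threshold:
            hits.append((n, found))
    return hits

def sample_lines():
    """Constructed process-creation log lines; the registry key is a placeholder."""
    stage = "$s=(gp 'HKCU:\\Software\\PLACEHOLDER').a;iex $s"
    enc = base64.b64encode(stage.encode("utf-16-le")).decode()
    return [
        "EventID=4688 User=alice CommandLine: powershell.exe -NoProfile -Command Get-Date",
        "EventID=4688 User=bob CommandLine: powershell.exe -nop -w hidden -enc " + enc,
        "EventID=4688 User=bob CommandLine: notepad.exe C:\\Users\\bob\\invoice.txt",
    ]
```

`scan_log(sample_lines())` flags only the second line, with all five indicators; the benign -NoProfile invocation scores one and stays below the threshold.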

3. Intrusion Detection and Netflow
An intrusion detection system (IDS) monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is its primary function, some intrusion detection systems can also take action when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses.

4. Solid Threat Intelligence

5. 24/7 Monitoring of indicators like the IP address below
In cyber threat intelligence, analysis often hinges on the triad of actors, intent, and capability; with consideration given to their tactics, techniques, and procedures (TTPs), motivations, and access to the intended targets. Studying this triad enables us to make informed, strategic, operational, and tactical assessments.


Stephen Coty, Contractor