SlashNext Labs

Kovter – Stealthy Zero-Day Variant

February 7th 2018

Kovter is a seven-year-old Trojan horse that started as a ransomware tool and then evolved into a full-fledged click-fraud Trojan. During this evolution Kovter changed its attack techniques, but its payload delivery methodology remained unchanged. Initially it was spread as ransomware via exploit kits to hide its activities. In 2014 Kovter became very popular because it would covertly remain in stealth mode, patiently waiting for a user to download something illegal, and would then blackmail the user into paying a ransom. Later, it spread via malvertising campaigns on adult websites for click fraud.

Recently, the SlashNext Internet Access Protection System (IAPS) identified a new Kovter variant in which Kovter’s tried-and-true modus operandi for delivery was once again leveraged to drop the malware into a SlashNext customer’s environment. In this variant, the stealthy mechanisms were tuned to behave like a password stealer: if the infection succeeds, it simply captures and exfiltrates user credentials and passwords.

Infection Chain

Kovter was traditionally delivered in email attachments containing a malicious MS Word document whose macros were responsible for the malicious activity on the victim’s system. An interesting fact about Kovter is that it hides itself within system registry entries, not only to survive reboots but also to ensure that it cannot be detected on disk. Kovter has matured to the point where file delivery, as determined by the SlashNext IAPS, can now be a dynamic pull via a web redirect or a pay-per-delivery campaign.

The malicious macros then create a new auto-run entry for a downloaded shell script. Whenever the system reboots, it injects shellcode into a PowerShell process and extracts the contents of a binary file from the same registry value. This binary is then injected into the regsvr32.exe process.

After execution, it sends HTTP POST requests to the C&C server containing the user’s login credentials, SSN and other sensitive information from the compromised system. Such information can be used for fraudulent activity, as it is often sold on black markets on the dark web. Identity theft is a very serious concern nowadays.

Zero-Day VirusTotal Detection

Shortly after the IAPS detected the malware within the SlashNext customer base, the URL was scanned on VirusTotal, and none of the 67 linked detection engines detected this data exfiltration attack. The main reason for this lack of detection is the fileless nature of the attack: AV products built around files can’t detect this type of fileless attack. Even now, at the time of writing, it is still an undetected (zero-day) threat for every other toolset on VirusTotal.

Indicators Of Compromise (IOCs)

Hostnames:

  • update-msjlukqyrkni5ss5o[.]stackpathdns[.]com

IP Addresses:

  • 107[.]151[.]213[.]177
  • 31[.]41[.]40[.]18
  • 104[.]18[.]53[.]104
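
Because nothing in the chain described under Infection Chain lands on disk as a scannable file, detection has to rely on behaviour and network indicators. The Python triage below is an added example, not SlashNext's code: it tags each endpoint event with the stage of that chain it matches and checks HTTP destinations against the IOC list above. The event schema, field names, stage labels and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Defanged indicators from the article's IOC list; refanged only in memory.
PAGE_IOCS = ["update-msjlukqyrkni5ss5o[.]stackpathdns[.]com",
             "107[.]151[.]213[.]177", "31[.]41[.]40[.]18", "104[.]18[.]53[.]104"]
IOC_SET = {i.replace("[.]", ".").lower() for i in PAGE_IOCS}

# Auto-run locations: registry keys ending in ...\CurrentVersion\Run or RunOnce.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

def stage(ev):
    """Map one event to the infection-chain stage it matches, or None."""
    img = ev.get("image", "").lower()
    if ev["type"] == "reg_set":
        # Stage 1: an auto-run value that launches a script host, not a binary.
        if RUN_KEY.search(ev["key"]) and "powershell" in ev["data"].lower():
            return "autorun_script"
    elif ev["type"] == "proc_start":
        # Stage 2: PowerShell handing execution to regsvr32.exe.
        if img == "regsvr32.exe" and ev["parent"].lower() == "powershell.exe":
            return "ps_to_regsvr32"
    elif ev["type"] == "http":
        # Stage 3: contact with a listed indicator, or regsvr32.exe sending POSTs.
        if ev["dest"].lower() in IOC_SET:
            return "ioc_contact"
        if img == "regsvr32.exe" and ev["method"] == "POST":
            return "regsvr32_post"
    return None

def triage(events):
    """Return {host: sorted matched stages} for hosts with at least one match."""
    hits = defaultdict(set)
    for ev in events:
        matched = stage(ev)
        if matched:
            hits[ev["host"]].add(matched)
    return {host: sorted(stages) for host, stages in hits.items()}

# Constructed sample events in an assumed schema (not real telemetry).
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    {"type": "reg_set", "host": "ws1", "key": RUN, "data": "powershell.exe <constructed args>"},
    {"type": "proc_start", "host": "ws1", "image": "regsvr32.exe", "parent": "powershell.exe"},
    {"type": "http", "host": "ws1", "image": "regsvr32.exe", "method": "POST", "dest": "31.41.40.18"},
    {"type": "http", "host": "ws1", "image": "regsvr32.exe", "method": "POST", "dest": "203.0.113.9"},
    {"type": "reg_set", "host": "ws2", "key": RUN, "data": r"C:\Program Files\App\updater.exe"},
    {"type": "proc_start", "host": "ws2", "image": "regsvr32.exe", "parent": "msiexec.exe"},
    {"type": "http", "host": "ws2", "image": "chrome.exe", "method": "POST", "dest": "198.51.100.7"},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE).items():
        print(host, stages)
```

A host that matches several stages, as ws1 does here, is a stronger lead than a single IOC hit, since infrastructure indicators go stale while the PowerShell-to-regsvr32 behaviour is what the fileless design depends on.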