Large Kovter digitally-signed malvertising campaign and MSRT cleanup release
Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users from United States are nearly exclusively being targeted, and infected PCs are used to perform click-fraud and install additional malware on your machine.
Starting April 21, 2016, we observed a large Kovter malware attack where in just a week and a half we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL digital certificates to secure an HTTPS SSL connection and their own code signing certificate to sign the downloaded malware with.
Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.
Kovter’s digitally signed malvertising campaign
Malvertising is a technique used by bad actors to attack your PC, where they buy advertisement space with ad networks, ad exchanges, and ad publishers. These ads then appear on many websites who use the same advertisement network, and attacks some of the users as they visit the websites.
Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.
Using this technique, we’ve seen malicious attackers use varied techniques such as:
- Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious and they have not detected a problem on your PC.
- Attempting to lock your browser and demanding payment as ransomware. You can close your browser or restart your computer to escape. This type of ransomware hasn’t really locked your PC.
- Loading an exploit kit to attack your browser or browser plugin.
- Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up-to-date is really important to keep your PC safe and secure from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update if they request to outside of your browser or search for the official websites to install the missing components.
The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.
Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting effected websites are redirected to fake websites impersonating the Adobe Flash hallmark download page claiming your Flash Player is out of date, and Trojan:Win32/Kovter is automatically downloaded pretending to be “FlashPlayer.exe”.
Figure 1 – Kovter’s fake Adobe update malvertising infection chain
For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:
- aefoopennypinchingpolly.com
- ahcakmbafocus.org
- ahxuluthscsa.org
- caivelitemind.com
- ierietelio.org
- paiyafototips.com
- rielikumpara.org
- siipuneedledoctor.com
- ziejaweleda.org
The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:
Admin Email: monty.ratliff@yandex.com
As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:
https://<domain>/<random numbers>/<random hex>.html
For example:
hxxps://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html
By using HTTPS, your browser displays a ‘secure’ lock symbol – incorrectly adding to the user trust that the website is safe while at the same time preventing most network intrusion protection systems from protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user however. We were unable to confirm due to the servers being taken down, but reports online suggest trial COMODO SSL certificates were being used to secure these connections for the Kovter campaigns in the past.
When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:
hxxps://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe
Some example FlashPlayer.exe downloaded files for reference are as follows:
| Sha1 | Md5 |
eafe025671e6264f603868699126d4636f6636c7 | c26b064b826f4c1aa6711b7698c58fc0 |
0686c48fd59a899dfa9cbe181f8c52cbe8de90f0 | e0a31d6b58017428dd8c907b14ea334e |
62690c0a5a9946f91855a476b7d92447e299c89a | 18ccf307730767c4620ae960555b9237 |
7a678fa58e310749362a432db9ff82aebfb6de62 | f6406681e0652e33562d013a8c5329b9 |
872d157c9c844636dda2f33be83540354e04f709 | 42b1b775945a4f21f6105df8e9c698c2 |
37a8ad4a51b6f7b418c17abd8de9fc089a23125d | 3767f655a462c4bf13ae83c5f7656af4 |
cfebfe6d4065dd14493abeb0ae6508a6d874d809 | a14a38ebe3856766d55c1af35fb1681f |
c48b21c854d6743c9ebe919bf1271cade9613890 | 321f9b3717655e1886305f4ca01129ad |
4df10be4b12f3c7501184097abee681a1045f2ed | 0966f977c6d319e838be9b2ceb689fbe |
457f0f7fe85fb97841d748af04166f2a3e752efe | 7214015e37750f3ee65d5054a5d1ff8a |
These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:
We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.
This is one of the largest cases of trusted code-signing by malware that we have seen with more than 350,000 unique machines running our security products protected.
Given that we haven’t seen this certificate used for non-Kovter files, we believe the private key for the certificate was not stolen but rather issued to the malware authors directly. The domain used by the contact email address to acquire the certificate (itgms.org) was registered November 10, 2015, just eight days before the certificate was acquired, but we did not observe this certificate signing files in the wild until this campaign ramped up a few weeks ago on April 21, 2016. To date, we have seen this certificate only being used to sign Kovter files.
The sheer volume of PCs encountering Kovter during this attack, along with the attackers appearing to have been directly issued their own digital certificates is a cause for concern. Lucky for us, the digital signing actually worked to help us better identify files that are Kovter to better protect you – since we are able to uniquely identify and remove all files signed by this certificate. We will be continuing to monitor Kovter to keep you protected.
MSRT coverage
As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware which uses infected Microsoft Office files to download the ransomware onto your PC
By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.
Kovter Installation
On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:
- Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
- Md5: 74dccbc97e6bffbf05ee269adeaac7f8
When Kovter is installed, the malware drops its main payload as data in a registry key (HKCUsoftware<random_chars> or HKLMsoftware<random_chars>). For example, we have seen it drop the payload into the following registry keys:
- hklmsoftwareoziyns8
- hklmsoftware2pxhqtn
- hkcusoftwarempcjbe00f
- hkcusoftwarefxzozieg
Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:
- hklmsoftwaremicrosoftwindowscurrentversionrun
- hklmsoftwaremicrosoftwindowscurrentversionpoliciesexplorerrun
- hklmsoftwarewow6432nodemicrosoftwindowscurrentversionrun
- hklmsoftwarewow6432nodemicrosoftwindowscurrentversionpoliciesexplorerrun
- hkcusoftwaremicrosoftwindowscurrentversionrun
- hkcusoftwareclasses<random_chars>shellopencommand
The dropped JavaScript registry usually has the format: “mshta javascript: <malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the Kovter payload data registry key data into memory and execute it.
One executing in memory, the malware also injects itself into legitimate processes including:
- regsvr32.exe
- svchost.exe
- iexplorer.exe
- explorer.exe
After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.
Payload
Lowers Internet security settings
It modifies the following registry entries to lower your Internet security settings:
- In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones3 Sets value: “1400” With data: “0”
- In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1 Sets value: “1400” With data: “0”
Sends your personal information to a remote server
We have seen this malware send information about your PC to the attacker, including:
- Antivirus software you are using
- Date and time zone
- GUID
- Language
- Operating system
It can also detect some specific tools you use in your PC and sends that information back to the attacker:
- JoeBox
- QEmuVirtualPC
- Sandboxie
- SunbeltSandboxie
- VirtualBox
- VirtualPC
- VMWare
- Wireshark
Click-fraud
This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.
Download updates or other malware
This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:
Demographics
Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April
Figure 3 – Kovter’s geographic distribution shows that majority of the affected machines are in the United States
Mitigation and prevention
To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.
Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:
- Block the IP addresses of the corresponding compromised websites soon as the administrator identifies the list of sites that Kovter and Locky maliciously redirects into.
- Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
- Disable the loading of macros in Office programs
- Disable macro loading through the Group Policy settings.
- Keep your software up-to-date to mitigate possible software exploits.
- Protect derived domain credentials with Credential Guard for Windows 10 Enterprise.
- Secure your code integrity with Device Guard for Windows 10 Enterprise.
- Secure the lateral account movement in your enterprise.
- Use two-factor authentication with Microsoft Passport and Windows Hello.
- Ensure that a strong password policy is implemented throughout the enterprise.
Geoff McDonald and Duc Nguyen
MMPC