
Trojan:Win32/Kovter


First posted on 17 May 2019.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Kovter.

Explanation :

Installation

In addition to the recent (seen between March and April 2016) Kovter Adobe Flash malvertising attack, we have also seen the trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

SHA1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
MD5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware will drop its main payload as data in a registry key (HKCU\software\ or HKLM\software\). For example, we have seen it drop the payload into the following registry keys:

hklm\software\oziyns8
hklm\software\2pxhqtn
hkcu\software\mpcjbe00f
hkcu\software\fxzozieg

Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:

hklm\software\microsoft\windows\currentversion\run
hklm\software\microsoft\windows\currentversion\policies\explorer\run
hklm\software\wow6432node\microsoft\windows\currentversion\run
hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
hkcu\software\microsoft\windows\currentversion\run
hkcu\software\classes\shell\open\command

The dropped JavaScript registry value usually has the format: “mshta javascript: ”.

When executed at startup, this JavaScript loads the payload data from the Kovter registry key into memory and executes it. This is achieved through an invocation of PowerShell that dynamically loads the encrypted payload. While executing in memory, the malware also injects itself into legitimate processes, including:

iexplorer.exe
explorer.exe
regsvr32.exe
svchost.exe

After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.

Payload

Lowers Internet security settings
It modifies the following registry entries to lower your Internet security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1400"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1400"
With data: "0"
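The persistence and security-setting changes described above (a “mshta javascript:” loader in a Run key, payload data stored directly under HKCU\software or HKLM\software, and value 1400 set to 0 under Internet Settings Zones 1 and 3) can be checked offline against a registry export. The script below is an added defender-side example, not Microsoft's code or a published detection; it parses the subset of .reg syntax that reg.exe emits and runs three checks over a constructed sample export. The key name fxzozieg comes from the page; the value names, the blob length threshold and the sample contents are assumptions.

```python
"""Scan a Windows registry export (.reg text) for the Kovter artifacts described
on this page. Added example: the .reg excerpt is constructed, not a real sample."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (indicator, key path, value name)

# Run-key paths the page lists as Kovter persistence locations (lower-case, hive stripped).
RUN_KEY_SUFFIXES = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
    "software\\wow6432node\\microsoft\\windows\\currentversion\\run",
    "software\\wow6432node\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
    "software\\classes\\shell\\open\\command",
)
# Keys one level below HKCU\software or HKLM\software, where the page says the payload lives.
PAYLOAD_PARENT_RE = re.compile(r"^hkey_(current_user|local_machine)\\software\\[^\\]+$")
# Internet Settings zone 1 (intranet) and zone 3 (internet) keys named on the page.
ZONE_KEY_RE = re.compile(r"\\internet settings\\zones\\[13]$")
PAYLOAD_MIN_LEN = 1024  # assumed threshold for "suspiciously large" registry data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers, "name"=value lines and backslash line continuation
    (used by hex data). REG_SZ quoting is undone; dword/hex values stay raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # continuation: glue the next line onto this one
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the three page-derived checks to a parsed export."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                d = data.lower()
                if "mshta" in d and "javascript:" in d:
                    findings.append(("mshta_javascript_autorun", key, name))
        if PAYLOAD_PARENT_RE.match(k):
            for name, data in values.items():
                if len(data) >= PAYLOAD_MIN_LEN:
                    findings.append(("large_blob_under_software", key, name))
        if ZONE_KEY_RE.search(k) and values.get("1400", "").lower() == "dword:00000000":
            findings.append(("active_scripting_enabled_zone", key, "1400"))
    return findings


def build_sample_export() -> str:
    """Constructed .reg excerpt: a legitimate Run value, a Kovter-style loader,
    a dummy 600-byte blob under HKCU\\software\\fxzozieg, and the two zone keys."""
    blob_hex = ",".join(["41"] * 600)
    chunks = [blob_hex[i:i + 75] for i in range(0, len(blob_hex), 75)]
    wrapped = "\\\n  ".join(chunks)  # reg.exe style continuation lines
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\software\fxzozieg]",
        '"bhd3k"=hex:' + wrapped,
        "",
        r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]",
        r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
        r'"lz1kd"="mshta javascript:c=\"CONSTRUCTED_SAMPLE\";"',
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]",
        '"1400"=dword:00000000',
        '"1200"=dword:00000000',
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]",
        '"1400"=dword:00000000',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for indicator, key, name in find_indicators(parse_reg_export(build_sample_export())):
        print(f"{indicator:32} {key}  ->  {name}")
```

To run this against a real host, export the hives with `reg export HKCU\Software hkcu.reg /y` (and HKLM\Software) and open the file with `encoding="utf-16"`, since reg.exe writes UTF-16 text. Treat the zone check as a weak signal on its own: 1400 is the Active scripting setting, 0 means enabled, and that is also the default for these zones on many systems; the mshta loader value and a large blob under a random key name are the findings worth acting on, and the zone result mainly adds context when they are present.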

Sends your personal information to a remote server
We have seen this malware send information about your PC to the attacker, including:

Antivirus software you are using
Date and time zone
GUID
Language
Operating system

It can also detect some specific tools that you are using on your PC and send that information back to the attacker:

JoeBox
QEmu
VirtualPC
Sandboxie
Sunbelt
VirtualBox
VMWare
Wireshark

Click-fraud
This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does this by running several instances of Internet Explorer in the background.

Download updates or other malware
This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:

Trojan:Win32/Corebot
Trojan:Win32/Eksor

Analysis by Geoff McDonald and Duc Nguyen

Last update 17 May 2019
