Most malware variants in the threat landscape appear in a few campaigns and then vanish. A small number, however, keep changing shape and persist for years. The Kovter family is one of them: active since 2014, it has gone through several distinct incarnations over its lifespan.
Kovter started out as police ransomware. It extorted money from victims as any other ransomware would, but with a different approach: rather than encrypting files, it locked the victim out of the machine with a bogus "fine" notice that masqueraded as a message from a legitimate law enforcement agency.
At the time of its discovery, however, the code was not very effective. It required the right set of conditions to operate, and it could easily be detected and removed.
The next variant of Kovter was click-fraud malware, largely different from the earlier version. This iteration used code injection to infect victims, stole information from the infected computer and sent it to the operators via a command-and-control (C&C) server.
In 2015 Kovter became file-less: instead of keeping an executable on disk, it persisted through autorun registry entries. In 2016 it added further capabilities, including a shell-spawning technique in which a small autorun entry launches a script host (such as mshta or PowerShell) that reads the malicious payload back out of another registry value and executes it.
By the end of July 2016, Kovter was being spread as fake Google Chrome and Mozilla Firefox updates. In October 2016, researchers discovered a new variant delivered inside malicious documents as a macro that required a click to activate; this let it bypass sandboxes that only enable macros automatically, and it circulated in this form for much longer.
In January 2017, Threatpost reported that the infamous Locky ransomware was downloading Kovter onto victims' machines. In this case, even after a victim paid Locky's operators, Kovter remained on the affected computer.
In April 2017, threat actors used the Nemucod trojan to deliver Kovter via phishing campaigns, and various threat actors have been seen leveraging Kovter in phishing campaigns since.
Kovter is an example of a constantly evolving malware family. It combines a pervasive click-fraud technique with an almost file-less persistence mechanism to keep a foothold on victims' computers: obfuscated JavaScript stored in the registry, a shell-spawning autorun entry that hands that JavaScript to a script host or PowerShell, a custom file extension whose handler launches the same chain from a shortcut, and process injection to run the final payload in memory. This combination lets Kovter adjust to the evolving threat landscape and maintain persistence without dropping an executable that a file scanner would catch.
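The persistence chain described above (a small autorun value that spawns a script host, which reads and evaluates a larger payload from another registry value, plus a custom file extension whose shell\open\command does the same) is something a responder can hunt for in a registry export. The following triage script is an added example written for this page, not Kovter's code or any vendor's tool. It runs over a constructed set of (key, value name, data) tuples shaped like a `reg query` export; the key and value names `f3a9c`, `f3a9cfile` and `pl` are hypothetical stand-ins for the random names such malware uses. On a live host you would feed it values collected with `reg query` or PowerShell's `Get-ItemProperty` instead of the sample list.

```python
"""Triage exported Windows registry values for a file-less persistence chain:
autorun/handler value -> script host (mshta, powershell, wscript ...) ->
RegRead of a payload stored in another registry value.  Sample data below is
constructed for this example; no live registry access is performed."""
import re
from dataclasses import dataclass, field

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CLASSES = r"HKCU\Software\Classes"
PAYLOAD_KEY = r"HKCU\Software\f3a9c"          # hypothetical random-name key

# Constructed export: (key, value name, data).  "" is the (Default) value.
SAMPLE_VALUES = [
    (RUN_KEY, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "Backup", r"powershell.exe -File C:\scripts\backup.ps1"),  # benign but script host
    (RUN_KEY, "f3a9c",
     r'''mshta "javascript:o=new ActiveXObject('WScript.Shell');eval(o.RegRead('HKCU\\Software\\f3a9c\\pl'))"'''),
    (CLASSES + r"\.f3a9c", "", "f3a9cfile"),   # custom extension -> ProgID
    (CLASSES + r"\f3a9cfile\shell\open\command", "",
     r'''mshta "javascript:o=new ActiveXObject('WScript.Shell');eval(o.RegRead('HKCU\\Software\\f3a9c\\pl'))"'''),
    (PAYLOAD_KEY, "pl", "var p=" + "A" * 4000 + ";eval(unescape(p));"),  # stand-in payload blob
]

SCRIPT_HOST = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript|regsvr32|rundll32)(\.exe)?\b", re.I)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
REG_READBACK = re.compile(r"\bRegRead\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|enc|encodedcommand|nop|noni|w(?:indowstyle)?\s+hidden)\b", re.I)


@dataclass
class Finding:
    key: str
    name: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _lookup(values, key, name):
    """Case-insensitive lookup of one value's data in the export, or None."""
    for k, n, d in values:
        if k.lower() == key.lower() and n.lower() == name.lower():
            return d
    return None


def classify(values, key, name, data) -> Finding:
    """Score one registry value; each matched indicator adds one reason."""
    reasons = []
    if SCRIPT_HOST.search(data):
        reasons.append("launches a script host")
    if INLINE_SCRIPT.search(data):
        reasons.append("inline javascript:/vbscript: payload")
    if ENCODED_PS.search(data):
        reasons.append("hidden/encoded PowerShell switches")
    m = REG_READBACK.search(data)
    if m:
        # JavaScript doubles backslashes; collapse them to get the real path,
        # then split it into key and value name and see if the payload exists.
        target = m.group(1).replace("\\\\", "\\")
        tkey, _, tname = target.rpartition("\\")
        blob = _lookup(values, tkey, tname)
        if blob is None:
            reasons.append(f"reads registry value {target} (not present in export)")
        else:
            reasons.append(f"reads {len(blob)}-byte payload from {target}")
    if key.lower().endswith(r"\shell\open\command") and reasons:
        reasons.append("custom file-type handler; check Startup folder for a shortcut using it")
    return Finding(key, name, reasons)


def resolve_handler(values, ext):
    """Follow .ext -> ProgID -> shell\\open\\command, as Explorer does when a
    Startup-folder shortcut points at a file with that extension."""
    progid = _lookup(values, CLASSES + "\\" + ext, "")
    if progid is None:
        return None
    return _lookup(values, CLASSES + "\\" + progid + r"\shell\open\command", "")


def triage(values, min_score=2):
    """Return findings with at least min_score indicators, highest first.
    A lone 'script host' hit (e.g. a scheduled backup.ps1) stays below the bar."""
    findings = [classify(values, k, n, d) for k, n, d in values]
    return sorted((f for f in findings if f.score >= min_score), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_VALUES):
        print(f"[{f.score}] {f.key}\\{f.name or '(Default)'}")
        for r in f.reasons:
            print("      -", r)
    print("handler for .f3a9c:", resolve_handler(SAMPLE_VALUES, ".f3a9c"))
```

The scoring deliberately keeps a single indicator below the reporting threshold, since a Run entry that simply starts `powershell.exe -File` on a legitimate script is common in enterprises; what distinguishes the pattern is the combination of a script host, an inline script URI and a read-back of a payload from elsewhere in the registry. The `resolve_handler` step matters because the custom-extension route leaves nothing suspicious in the Run key itself, only a shortcut in the Startup folder and the handler chain under `HKCU\Software\Classes`.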
Organizations should take the necessary precautions against this malware. File-less variants are harder to detect and remediate than file-based ones, because there is no dropped executable for a file scanner to find; detection has to start from the autorun registry keys, the Startup folder and the script hosts (mshta, PowerShell, wscript) that such malware abuses to launch itself.