Security Experts:

Kovter Trojan Gets New Persistence Mechanism

The actor behind the Kovter Trojan has come up with a new persistence mechanism over the past weeks and also started masquerading the malware as a Chrome update, Microsoft security researchers warn.

It’s a well-known fact that cybercriminals are constantly updating their malicious applications to ensure increased efficiency, and the people behind Kovter have been very active in this regard over the past several months: in April, they added ransomware capabilities to this file-less Trojan, while starting to masquerade it as a Firefox update several weeks ago.

Now, Microsoft Malware Protection Center (MMPC) researchers reveal that the actor has updated Kovter’s persistence method and that they also observed changes in the latest campaigns associated with this threat. The new persistence method, spotted for the first time last month, makes remediation more difficult for antivirus software, researchers say.

Kovter, already known for its file-less infection capabilities, generates and registers a new random file extension upon installation, and also defines a new shell open verb to handle this specific extension. For that, the malware sets specific registry keys, which ensure that the malicious Kovter command contained in the registry key is executed via the shell extension open verb each time a file with that custom file extension is opened.

As Duc Nguyen, MMPC, explains, all “Kovter needs to do to run on infected machines is open a file with their custom file extension […] – causing the malicious shell open command to run. This in turn runs a command using mshta.”

Although a clean tool, mshta is abused by Kovter for the execution of malicious JavaScript designed to load the main payload from another registry location. To ensure that this shell open command is triggered on a regular basis, the Trojan drops a series of garbage files with its custom file extension in different locations, Nguyen explains. Given that the malicious code is contained within the shell open verb registry key, the content of these garbage files isn’t important.

To complete the installation process, the malware sets up the auto-start mechanism that would automatically open these files, and it uses both a shortcut file and a batch (.bat) file for this. The shortcut (.lnk) pointing to the garbage file is dropped in the Windows startup folder. When using a batch script file (.bat), which is dropped in a randomly generated folder, Kovter sets a registry run key to execute it (the .bat will run the garbage file to execute the malicious shell open verb).

“Instead of just adding the mshta script directly as a run key registry as in the old variant, Kovter is now using this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry change,” the MMPC researcher explains.

Other changes observed in Kovter over the past couple of months include the distribution through a fake Chrome browser update. Previously, the Trojan was pretending to be an Adobe Flash or a Firefox update. What’s more, the malware is now using a series of new digital certificates, which ensure a higher infection rate.

According to Microsoft, each time the Kovter actors release a new wave of samples that have been signed with a new certificate, there is a spike in successful infections. Telemetry data shows that some of the latest updates to the Trojan were made on around May 21, June 14, and in the first week of July.

To stay protected, users are advised to download and update applications only from their original and trusted websites. They should also install and maintain an anti-virus program to ensure that infection attempts are prevented before they could do any harm.

Related: Ad Fraud Trojan Kovter Patches Flash Player, IE to Keep Other Malware Out

view counter