# Kovter **[github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md)** itaymigdal main ## malware-analysis-writeups/Kovter/Kovter.md Cannot retrieve contributors at this time **Malware** **Name** **File** **Type** **SHA256** Kovter x32 exe ## Intro 40050153dceec2c8fbb1912f8eeabe449d1e265f0c8198008be8b34e5403e731 Probably this is the piece of malware that blew my mind the hardest of all malwares i have ever touched (still they are not a lot though 😅). days and nights i spent on it and it is not even close to be enough to fully comprehend the whole picture of it. it uses ----- tons of tricks against analysts, and it has brilliant persistence mechanism. the malware essence is special as well - it is a Click-Fraud Malware, and i could not explain it better [then "eWhite Hats" did on their "KOVTER UNCOVERED" paper:](https://raw.githubusercontent.com/ewhitehats/kovterTools/master/KovterWhitepaper.pdf) Blogs display ads in the hope that their readers will see an advertisement that interests them and click on it. The click is tracked by the ad network (such as Google AdWords) and the blog is financially rewarded for the number of readers that click on ads while reading their blog. Click fraud malware infects a computer and uses that computer as a host to perform fraudulent clicks. In this way, the group running the malware campaign can make money at the expense of the ad network and the advertisers, since the advertisers pay for the clicks, whether legitimate or not. The malware group registers fake websites with the ad network. The fraudulent clicks are for ads these websites “displayed.” The ad network cannot differentiate between these “clicks” for ads that were never seen by anyone and legitimate clicks, so the malware group is paid for the fake clicks on their fake sites. Additionly, the malware is written in Delphi which is harder to analyze then the usual C/C++. ## Analysis process The initial executable which contains all the upcoming badness inside of it has a very creepy icon: Of course it is packed: As i do always, i'm executing the malware under Procmon to see the main malware actions. the file is sleeping for few minutes and then: Few processes are spawned with very interesting command line: ----- The process tree by AnyRun: A huge amount of data is written to the registry by almost all of the processes: A huge ammount of connections are made to variety of destinations by Regsvr32.exe (as you already guess - this is the click fruad activity): ----- ### Persistence Mechanism After the computer was well infected, we will follow the persistence chain. We'll try to locate anything suspicious in Autoruns, and we found it: Suspicious batch file was written to a the run key. navigating to the location in Explorer: Besided the batch file we see another file with a very suspicious extention. the content of the batch file is: ----- The batch file executes the other weird file (the first argument of `start is the title of` the new window). looking at the content of the file: It looks encrypted.. So now you must ask, how Windows suppose to know how to deal with this ".c0ded" extention? The answer lies in the following registry location (Which was written by the malware of course): This key describes how to treat this ".c0ded" file, and the answer here is - treat it like it was a "a5ef" file. And how to treat this extention? By executing the above command. here is the command after a bit cleaning: The command reads the registry value in `HKCU\software\vmwbcodxx\eznyhwwfez` [and runs it as Javascript by Mshta.exe.](https://lolbas-project.github.io/lolbas/Binaries/Mshta/) Opening this location in Regedit reveals this key including all the other values that was written by the malware. but watch this - when opening the value `eznyhwwfez, it looks` empty even though we can see something is there in the Regedit navigator: ----- This is happening because Kovter authors used a realy nice trick that abuses a known bug in the registry: all the values written to it were prefixed with a Null byte, which causes the registry to display an empty value in newer versions of Windows, or crash the program in older version. So exporting all this registry data: We've got a very obfuscated Javascript code that contains a big blob of binary data that deobfuscated and being sent to "eval" function which executes it: A quick trick to analyze it is to comment out the "eval" function and write the content to a file instead: ----- we've got another obfuscated code, deobfuscating it (removing junk comments, junk variables and a indenting): So what we've got here? Another Javascript layer that resizes the window to zero and hide it in the corner, creates a Powershell variable and initialize it with Powershell code that decodes a big blob of base64 and executes it with "iex" ("iex" of Powershell = "eval" of Javascript and more languages). decoding the Powershell blob: And we've got another obfuscated Powershell layer 😒: Deobfuscating: ----- So what this code is doing is define a big blob of shellcode inside the `$sc32 variable,` calling `VirtualAlloc to allocate virtual memory in the current process (which is still` Powershell.exe), copying the shellcode to it using `memset and then executing it using` ``` CreateThread . ### Analyzing The Shellcode ``` The shellcode is PIC (position independent code), thus has no imports, thus has to find the needed imports by itself, and it does it by the known reflective loading method [(explained here, and in more other places). first it navigates to the PEB to get the](https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode) address of Kernel32.dll: After retrieving the `LoadLibraryA and` `GetProcAddress addresses from` Kernel32.exe, it can resolve all the rest of the calls it need. So it loads Advapi32.dll (a library which contains all the registry API): ----- And then reads an the encrypted Kovter main payload that was written to the registry: Decrypts it in memory, and executes it! ### Main Activity This main Kovter payload responsible for injecting itslef to Regsvr32.exe, which injects itself to another instance of Regsvr32.exe. So in order to cut to the chase, i located the injected decrypted Kovter PE using Process Hacker in Regsvr32.exe: ----- And dumped it with Pe-Sieve: ----- The dumped PE is unpacked finally: And here is all of its imports: ----- Kovter uses [Thread Hijacking technique to injects itself:](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking) And here is the functionality for the click-fruad activity: It uses a long list of IP's and URL's: ----- The first 2 lines contain the C2 address: ## Final Words For my opinion, Kovter is one of the toughest, sophisticatest and hard-to-analyze malwares i have seen. It uses tons of tricks like lolbins, bugs, injections, insane persistence chain, and it lives totally in the registry. [Months after my analysis i encountered this great "KOVTER UNCOVERED" paper](https://raw.githubusercontent.com/ewhitehats/kovterTools/master/KovterWhitepaper.pdf) which taught me some other stuff on Kovter. And [here, i found John Hammond getting knocked by it as well 😆.](https://www.youtube.com/watch?v=DXlqAH1IV6A) Hope you enjoyed :) -----