{
	"id": "ce8993d6-8eb2-45fa-a0a3-cff4d2c5cbe2",
	"created_at": "2026-04-06T00:13:42.675627Z",
	"updated_at": "2026-04-10T03:31:13.450208Z",
	"deleted_at": null,
	"sha1_hash": "a2421f8bfea6044c540492efddf6b69ae54d74f8",
	"title": "malware-analysis-writeups/Kovter/Kovter.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5991235,
	"plain_text": "malware-analysis-writeups/Kovter/Kovter.md at main ·\r\nitaymigdal/malware-analysis-writeups\r\nBy itaymigdal\r\nArchived: 2026-04-05 16:53:34 UTC\r\nMalware Name File Type SHA256\r\nKovter x32 exe 40050153dceec2c8fbb1912f8eeabe449d1e265f0c8198008be8b34e5403e731\r\nIntro\r\nThis is probably the piece of malware that blew my mind the hardest of all the malware I have ever touched (still not a lot, though 😅). I spent days and nights on it, and it is not even close to enough to fully comprehend the whole picture. It uses tons of tricks against analysts, and it has a brilliant persistence mechanism. The essence of the malware is special as well: it is click-fraud malware, and I could not explain it better than \"eWhite Hats\" did in their \"KOVTER UNCOVERED\" paper:\r\nBlogs display ads in the hope that their readers will see an advertisement that interests them and click on it. The click is tracked by the ad network (such as Google AdWords) and the blog is financially rewarded for the number of readers that click on ads while reading their blog. Click fraud malware infects a computer and uses that computer as a host to perform fraudulent clicks. In this way, the group running the malware campaign can make money at the expense of the ad network and the advertisers, since the advertisers pay for the clicks, whether legitimate or not. The malware group registers fake websites with the ad network. 
The fraudulent clicks are for ads these websites “displayed.” The ad network cannot differentiate between these “clicks” for ads that were never seen by anyone and legitimate clicks, so the malware group is paid for the fake clicks on their fake sites.\r\nAdditionally, the malware is written in Delphi, which is harder to analyze than the usual C/C++.\r\nAnalysis process\r\nThe initial executable, which contains all the upcoming badness inside of it, has a very creepy icon:\r\nOf course it is packed:\r\nhttps://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md\r\nPage 1 of 14\n\nAs I always do, I executed the malware under Procmon to see the main malware actions. The file sleeps for a few minutes and then:\r\nA few processes are spawned with a very interesting command line:\r\nThe process tree by AnyRun:\r\nA huge amount of data is written to the registry by almost all of the processes:\r\nA huge number of connections are made to a variety of destinations by Regsvr32.exe (as you already guessed, this is the click-fraud activity):\r\nPersistence Mechanism\r\nAfter the computer is well infected, we will follow the persistence chain.\r\nWe'll try to locate anything suspicious in Autoruns, and we find it:\r\nA suspicious batch file was written to the Run key. Navigating to the location in Explorer:\r\nBesides the batch file we see another file with a very suspicious extension. The content of the batch file is:\r\nThe batch file executes the other weird file (the first argument of start is the title of the new window). 
Looking at the content of the file:\r\nIt looks encrypted..\r\nSo now you must ask: how is Windows supposed to know how to deal with this \".c0ded\" extension?\r\nThe answer lies in the following registry location (which was written by the malware, of course):\r\nThis key describes how to treat this \".c0ded\" file, and the answer here is: treat it like it was an \"a5ef\" file.\r\nAnd how is that extension treated?\r\nBy executing the above command. Here is the command after a bit of cleaning:\r\nThe command reads the registry value in HKCU\\software\\vmwbcodxx\\eznyhwwfez and runs it as JavaScript via Mshta.exe.\r\nOpening this location in Regedit reveals this key, including all the other values that were written by the malware. But watch this: when opening the value eznyhwwfez, it looks empty, even though we can see something is there in the Regedit navigator:\r\nThis happens because the Kovter authors used a really nice trick that abuses a known bug in the registry: all the values written to it were prefixed with a null byte, which causes the registry to display an empty value in newer versions of Windows, or crash the program in older versions.\r\nSo, exporting all this registry data:\r\nWe've got a very obfuscated JavaScript code that contains a big blob of binary data that is deobfuscated and sent to the \"eval\" function, which executes it:\r\nA quick trick to analyze it is to comment out the \"eval\" function and write the content to a file instead:\r\nWe've got another obfuscated code; deobfuscating it (removing junk comments and junk variables, and indenting):\r\nSo what have we got here? 
Another JavaScript layer that resizes the window to zero and hides it in the corner, creates a PowerShell variable and initializes it with PowerShell code that decodes a big blob of base64 and executes it with \"iex\" (\"iex\" in PowerShell = \"eval\" in JavaScript and other languages). Decoding the PowerShell blob:\r\nAnd we've got another obfuscated PowerShell layer 😒:\r\nDeobfuscating:\r\nSo what this code does is define a big blob of shellcode inside the $sc32 variable, call VirtualAlloc to allocate virtual memory in the current process (which is still Powershell.exe), copy the shellcode into it using memset and then execute it using CreateThread.\r\nAnalyzing The Shellcode\r\nThe shellcode is PIC (position independent code), thus has no imports, thus has to find the needed imports by itself, and it does so by the known reflective loading method (explained here, and in many other places). 
First it navigates to the PEB to get the address of Kernel32.dll:\r\nAfter retrieving the LoadLibraryA and GetProcAddress addresses from Kernel32.dll, it can resolve all the rest of the calls it needs.\r\nSo it loads Advapi32.dll (the library which contains the registry API):\r\nAnd then reads the encrypted Kovter main payload that was written to the registry:\r\nDecrypts it in memory, and executes it!\r\nMain Activity\r\nThis main Kovter payload is responsible for injecting itself into Regsvr32.exe, which injects itself into another instance of Regsvr32.exe.\r\nSo, to cut to the chase, I located the injected decrypted Kovter PE in Regsvr32.exe using Process Hacker:\r\nAnd dumped it with PE-sieve:\r\nThe dumped PE is finally unpacked:\r\nAnd here are all of its imports:\r\nKovter uses the Thread Hijacking technique to inject itself:\r\nAnd here is the functionality for the click-fraud activity:\r\nIt uses a long list of IPs and URLs:\r\nThe first 2 lines contain the C2 address:\r\nFinal Words\r\nIn my opinion, Kovter is one of the toughest, most sophisticated and hard-to-analyze malware samples I have seen.\r\nIt uses tons of tricks like LOLBins, bugs, injections, an insane persistence chain, and it lives totally in the registry.\r\nMonths after my analysis I encountered this great \"KOVTER UNCOVERED\" paper, which taught me some other stuff about Kovter.\r\nAnd 
here, I found John Hammond getting knocked by it as well 😆.\r\nHope you enjoyed :)\r\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md"
	],
	"report_names": [
		"Kovter.md"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2421f8bfea6044c540492efddf6b69ae54d74f8.pdf",
		"text": "https://archive.orkl.eu/a2421f8bfea6044c540492efddf6b69ae54d74f8.txt",
		"img": "https://archive.orkl.eu/a2421f8bfea6044c540492efddf6b69ae54d74f8.jpg"
	}
}