kovter.md

| **ID** | X0009 |
|---|---|
| **Type** | Bot/Botnet (click-fraud), Trojan |
| **Aliases** | None |
| **Platforms** | Windows |
| **Year** | 2016 |
| **Associated ATT&CK Software** | None |

# Kovter

A trojan that performs click-fraud.

## ATT&CK Techniques

| Name | Use |
|---|---|
| Initial Access::Phishing::Spearphishing Attachment (T1566.001) | The malware is sent to victims as an e-mail attachment. [2] |
| Execution::User Execution::Malicious File (T1204.002) | The malware relies on the victim to execute it. [2] |
| Defense Evasion::System Binary Proxy Execution::Mshta (T1218.005) | The malware uses mshta.exe to run JavaScript. [1] |
| Defense Evasion::File and Directory Permissions Modification (T1222) | Kovter sets file attributes. [3] |
| Discovery::Application Window Discovery (T1010) | Kovter finds graphical windows. [3] |
| Discovery::System Location Discovery (T1614) | Kovter gets geographical locations. [3] |
| Execution::Shared Modules (T1129) | Kovter gets the ntdll base address. [3] |
| Execution::System Services::Service Execution (T1569.002) | Kovter interacts with drivers via control codes. [3] |

## Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Impact::Generate Traffic from Victim (E1643) | Kovter performs click-fraud. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The malware writes an autorun registry entry. [2] |
| Execution::Command and Scripting Interpreter (E1059) | The malware executes malicious JavaScript and PowerShell. [1] |
| Defense Evasion::Modify Registry (E1112) | The malware modifies the registry during execution. [2] |
| Defense Evasion::Obfuscated Files or Information (E1027) | The malware uses a key to decrypt text fetched from a URL, producing additional malicious code. [1] |
| Anti-Static Analysis::Software Packing (F0001) | The malware comes packed by a crypter/FUD. [1] |
| Collection::Keylogging::Polling (F0002.002) | Kovter logs keystrokes via polling. [3] |
| Collection::Screen Capture::WinAPI (E1113.m01) | Kovter captures screenshots. [3] |
| Discovery::Application Window Discovery::Window Text (E1010.m01) | Kovter gets graphical window texts. [3] |
| Discovery::File and Directory Discovery::Log File (E1083.m01) | Kovter accesses Windows event logs. [3] |
| Discovery::File and Directory Discovery (E1083) | Kovter gets file version info. [3] |
| Discovery::System Information Discovery (E1082) | Kovter gets disk information. [3] |

## MBC Behaviors

| Name | Use |
|---|---|
| Defense Evasion::Alternative Installation Location::Registry Install (B0027.002) | Kovter stores malware files in the Registry instead of on the hard drive. [2] |
| Command And Control::C2 Communication::Send Data (B0030.001) | Kovter sends data. [3] |
| Command And Control::C2 Communication::Receive Data (B0030.002) | Kovter receives data. [3] |
| Communication::HTTP Communication::Connect to Server (C0002.009) | Kovter connects to an HTTP server. [3] |
| Communication::HTTP Communication::Create Request (C0002.012) | Kovter creates HTTP requests. [3] |
| Cryptography::Cryptographic Hash (C0029) | Kovter hashes data via WinCrypt. [3] |
| Cryptography::Decrypt Data (C0031) | Kovter encrypts or decrypts data via WinCrypt. [3] |
| Cryptography::Encryption Key (C0028) | Kovter creates new keys via CryptAcquireContext. [3] |
| File System::Copy File (C0045) | Kovter copies files. [3] |
| File System::Create Directory (C0046) | Kovter creates directories. [3] |
| File System::Delete Directory (C0048) | Kovter deletes directories. [3] |
| File System::Delete File (C0047) | Kovter deletes files. [3] |
| File System::Move File (C0063) | Kovter moves files. [3] |
| File System::Read File (C0051) | Kovter reads files on Windows. [3] |
| File System::Set File Attributes (C0050) | Kovter sets file attributes. [3] |
| Operating System::Environment Variable::Set Variable (C0034.001) | Kovter sets environment variables. [3] |
| Operating System::Registry::Create Registry Key (C0036.004) | Kovter creates or opens registry keys. [3] |
| Operating System::Registry::Query Registry Value (C0036.006) | Kovter queries or enumerates registry values. [3] |
| Process::Allocate Thread Local Storage (C0040) | Kovter allocates thread local storage. [3] |
| Process::Create Mutex (C0042) | Kovter creates mutexes. [3] |
| Process::Create Process (C0017) | Kovter creates processes on Windows. [3] |
| Process::Set Thread Local Storage Value (C0041) | Kovter sets thread local storage values. [3] |
| Process::Terminate Process (C0018) | Kovter terminates processes. [3] |

## Indicators of Compromise

### SHA256 Hashes

- 15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
- bffe7ccbcf69e7c787ff10d1dc7dbf6044bffcb13b95d851f4a735917b3a6fdf
- 40050153dceec2c8fbb1912f8eeabe449d1e265f0c8198008be8b34e5403e731

## References

[1] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/

[2] https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem.

[3] capa v4.0, analyzed at MITRE on 10/12/2022