Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then, the threat actors have evolved from using a fake file encryption threat to using a well known and effective ransomware family: Locky. In this post we will examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word in quotations marks because their first attempt at including code that demanded payment was ineffective. These initial attempts were malicious JS email attachments that would only change Windows file extensions on the victim’s computer to “.crypted”. Below is a screenshot of an early ransom note.

initial_ransomware_instructions

An example of the ransomware instructions seen in earlier attempts.

Then in March of 2016, we saw a shift to actual file encryption by utilizing XOR on the first 2048 bytes of the files. In April, the threat actors shifted again with the use of 7zip, a legitimate archiving utility, to encrypt files with a static key. The actors then in June 2016 started distributing a PHP interpreter with a script to encrypt the files. A fantastic writeup on the PHP method used by these actors can be found here. They finally shift to utilizing the full blown ransomware family, Locky, in late October 2016.

locky_encrypted_desktop

A desktop infected with Locky ransomware now being spread with Kovter.

One analysis artifact that distinguishes Locky campaigns in the wild is the use of an affiliate identification number that gets hardcoded in to every Locky infector build. Locky affiliates 1 & 3 are the most commonly seen affiliate IDs in spam campaigns, albeit from the Necurs botnet (an x86 bootkit that contains spam modules). This differs from the Locky affiliates 23 & 24 that we are currently seeing being distributed with Kovter in that distribution relies on a botnet that utilizes compromised websites for spamming.

Sample Campaign

Spam messages containing lures that eventually download Kovter usually contain verbiage of missed package deliveries, as seen in the message sample below.

initial_lure

By viewing the headers of this malicious spam message, we can see that the message appears to be originating from a compromised Joomla website based on the directory structure of the sending script that the webserver prepended to the messages. Depending on server configuration, some webservers will add the lines seen in the snippet below when email is sent using the PHP mail() function call.

phpheaders

PHP email headers contain Joomla CMS path.

The ZIP archive attached to the email contains an obfuscated JScript file that is capable of downloading Kovter and the Locky ransomware loaders.

zipcontents

Zip attachment contains malicious JS downloader.

In an effort to defeat malware sandboxes, this initial JScript file sleeps for at least 5 minutes, then writes another obfuscated JScript file to the folder %TMP% and executes it using the WScript.Run method. The %TMP% is a Windows environment variable placeholder for the C:\Users\{user}\AppData\Local\Temp\ directory. The resulting, de-obfuscated JScript file runs the ping command in another effort to exceed sandbox timeouts, then downloads two binaries from gatheringmd[.]top, writing them to %TMP% and executes them, as seen in the code snippet below.

jsdeobs

De-obfuscated JScript that downloads two binaries and executes them both.

The Windows executable 24.exe downloaded from hxxp://gatheringmd[.]top/cb/l2[.]php is an NSIS-packed executable for the Kovter ad fraud trojan loader. Kovter is a “fileless” trojan that stores itself in the Windows registry for persistence and antivirus evasion. Upon execution, the trojan checks in with a command and control location that contains a URL path usually ending in upload.php or upload2.php, sending infected machine information such as the operating system version, service pack level, and the system architecture, and whether any known security programs were detected. Kovter will also check for and install the latest version of Internet Explorer Adobe Flash browser plugin, and .Net frameworks.

The Kovter trojan will then generate web traffic hidden from the victim’s desktop. The malware actors craft search terms, injecting them in to browser sessions with their malware that “clicks” on advertisements that generate revenue through pay-per-click models. We won’t dive too deep in to Kovter analysis since it has been well-documented already here (PDF) and here (PDF). Configuration data, seen in Table 1 below, is easily extracted from memory while the trojan is running.

Table 1: Kovter configuration for sample 0d01517ad68b4abacb2dce5b8a3bd1d0
cp1
(IP Addresses – please see Indicators of Compromise section below)
cp1cptm
30
cptmkey
a7887cc809cf0d4df17fc5dafd03e4e7 – MD5 of “smooth”
keypass
65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097
passdebug
False
debugelg
True
elgdl_sl
False
dl_slb_dll
False
b_dllnonul
hxxp://185.117.72[.]90/upload2[.]php
nonuldnet32
hxxp://download.microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
dnet32dnet64
hxxp://download.microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
dnet64pshellxp
hxxp://download.microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
pshellxppshellvistax32
hxxp://download.microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86[.]msu
pshellvistax32pshellvistax64
hxxp://download.microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64[.]msu
pshellvistax64pshell2k3x32
hxxp://download.microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
pshell2k3x32pshell2k3x64
hxxp://download.microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
pshell2k3x64cl_fv
20
cl_fvfl_fu
hxxps://fpdownload.macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_22_active_x[.]exe
fl_fumainanti
DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:hxxp://185.117.72[.]90/upload[.]php:al::mainanti

The other Windows executable 23.exe that is downloaded form hxxp://gatheringmd[.]top/ll/l1[.]php is the loader for Locky ransomware. Locky is written in Visuall C++ and contains hard-coded IP addresses for command and control callbacks, although some versions of Locky do not require the victim to have Internet connectivity to start the file encryption process. The following table includes the configuration data we found in this campaign.

Table 2: Locky configuration for sample f3d935f9884cb0dc8c9f22b44129a356
Affiliate ID
23
Key
RSA1
RSA Key ID
711
RSA Key Size
114 (bytes)
DGA Seed
90577
Execution Delay
None
Svchost Process Persistence
Disabled
Registry Persistence
Disabled
Ignore Russian Computers
Enabled
C2 Callback URL Path
/message.php
C2 Callback Servers
109.234.35[.]230 176.103.56[.]119

 

Conclusion

Distributors behind Kovter are constantly evolving their ransomware game. We can only speculate why these malware actors would “burn” their foothold on an infected machine where they have also placed profitable ad fraud code. Perhaps the return on investment is much higher with ransomware and preferable to standing up the infrastructure and money laundering channels required for conducting ad fraud. PhishMe Intelligence customers can view more details about this threat in ID 7409.

This specific email template is available in PhishMe Simulator to use in your own scenarios.

 

How susceptible is your organization to phishing threats? Download our latest Phishing Susceptibility and Resiliency Report to learn how reporting phishing can greatly improve your organization’s security posture.

Indicators of Compromise

..:: Email Subject Lines
Courier was unable to deliver the parcel, ID{rand}
Delivery Notification, ID {rand}
Problem with parcel shipping, ID:{rand}
Problems with item delivery, n.{rand}
Shipment delivery problem #{rand}
Unable to deliver your item, #{rand}
We could not delivery your parcel, #{rand}
Fedex parcel #{rand} delivery problem
Notification status of your delivery (FedEx {rand})
Parcel ID{rand} delivery problems, please review
Parcel {rand} delivery notification, USPS
USPS parcel #{rand} delivery problem

 

..:: File Hashes
Filename
MD5 Checksum
Type
23.exe
f3d935f9884cb0dc8c9f22b44129a356
Locky
24.exe
0d01517ad68b4abacb2dce5b8a3bd1d0
Kovter
details_AneLU.zip
bb84729c02b898b7aeef6b65c119f0c4
Attachment
details_bkxeL.js
10c1be3b95fa013458081d19747bc0df
JSDownloader
details_cOBYkk.zip
cc095bc05e61a0b373671e6f80f72686
Attachment
details_CRFuvd.zip
c9cf8185d1168b0712e532a6a7d88fe9
Attachment
details_dFTHp.zip
5ad3fec19d0723532dea49a2ccc3ea9c
Attachment
details_FyReR.zip
f2284d51a3daffcb12ff91f57601c246
Attachment
details_LKXcNI.js
a811a54525161017e5ac1f85b83d2758
JSDownloader
details_MGStju.zip
ab5540f78e67fd196c1be1dfd3612947
Attachment
details_mSplK.js
cdacbaf9b13333ac264b798797432391
JSDownloader
details_pKvHWv.js
17d0d6d8176e01e92f74b9ce08ba188b
JSDownloader
details_PpxpD.zip
320151d35fd61ef1b17f8fe921c4beef
Attachment
details_rqpOqK.zip
f30d21a5c882dbdb011b361a5cba67a4
Attachment
details_shHih.js
111af7977728443aa268479a87c29656
JSDownloader
details_XCFvfh.js
b4179c5a075fed9b606e9b7f068dca4c
JSDownloader
details_XHZms.zip
c3e012a26c9fee9ff72bddf413f74f52
Attachment
details_YAVSi.zip
e0cabfc058cc4d6ff2419743a79f6b1a
Attachment
details_ZHewkz.zip
f7a7d41def5a90ed504581edf719c079
Attachment
details_zZcSMY.js
d2096cc86d4d89904316caca5b2242f9
JSDownloader
doc-details_cLOFYn.js
035caab39c0cbe55e59a78ce6cb8e3f7
JSDownloader
doc-details_CPwxGO.js
ab4ed724a82100735195d8767afec999
JSDownloader
doc-details_dNqBy.js
81a37ce8dc207d6adfe99fe4f29790ac
JSDownloader
doc-details_FUCxwj.js
963fa75b2d36b525df79c89bb6674c57
JSDownloader
doc-details_gfSxM.zip
f79543458f14e4fd05077f497e5b3b6c
Attachment
doc-details_hKuupX.js
72940493157e8313f53f40ecb0cc8999
JSDownloader
doc-details_hZpjC.js
acf53f8fedb0c9e7c717f17b24c2bd40
JSDownloader
doc-details_LamGu.js
a76c99d8e8e1fb61c80751a3b86b0161
JSDownloader
doc-details_qHpxP.zip
f5e55dd9c3f1258792940e6d44ff69e6
Attachment
doc-details_xMSZnv.zip
4615a66cff28ab1993d1cf1767012fa2
Attachment
doc-details_ysKya.zip
5af53a61146d95ff3cd4906998d5a3dc
Attachment
docinformation_chckfG.zip
53da2b40b05311ebf1c96d1390e498c5
Attachment
docinformation_eiBUR.js
0fdbf59914be1d61b2ebea804681a06d
JSDownloader
docinformation_fobWte.zip
de92d06890c4c036059805eb76cf6932
Attachment
docinformation_gFsaxs.js
f3bb12d7fd0512075154b68f748b106c
JSDownloader
docinformation_hYBnW.js
fa99be4f0cf635cf5ab27c8d9cdb737c
JSDownloader
docinformation_jwmOKD.zip
397985be48b08034596b74f3258f4be8
Attachment
docinformation_KxARw.js
5b4dd2f0077cb49626ea0fc4b28042e6
JSDownloader
docinformation_LyIGo.zip
f137879fd5f1b616e5468f2940a72670
Attachment
docinformation_tfFVrb.zip
a1e2571d4a9a9adc0e43a844e24f4b9a
Attachment
docinformation_UKqiN.js
d27d0caa0998f3d55a3742410849af0e
JSDownloader
docinformation_vvfUNP.zip
68c80b0764dae51a444798e84b7d567c
Attachment
document_aCBltX.zip
7835b9b6460756b69421b4ad9ee4d460
Attachment
document_bgFtst.js
33a195f89bc70f47d0b3531b6929cacc
JSDownloader
document_gDhkHi.js
1a0897eb182ce799950844870003bffb
JSDownloader
document_GZrswr.zip
6b51f7dc3d01e1e1d80e663251e826c0
Attachment
document_NpkFE.js
c17fd226efc58df20d61e98799728b9e
JSDownloader
document_Rgvjf.js
060d4ecd9101dec77ef2ff932682660c
JSDownloader
document_xSdOeE.zip
85a93ae756b903c27dc348a566a05bda
Attachment
info_aaRda.js
d3902306e1a94fa58670c93db5565a9e
JSDownloader
info_EkuERW.zip
489ec3212a4ff602a0d44296913468c3
Attachment
info_LUTTy.js
90023223eb47013711919de9dcd5dd07
JSDownloader
info_SCfca.zip
8ef1cc722479c09ab067be9caa130113
Attachment
info_wKfhS.zip
07362becf09c43f14ff6bd112c117176
Attachment
letter_cjJeHL.zip
7b72a9ceec70a30b0dbb7cc0a4b2e202
Attachment
letter_DsrtV.zip
1715cc68bd8fc453415ecf39ede93cd6
Attachment
letter_kNYHrR.zip
3d698ce90f48b585bd932521c065cda6
Attachment
letter_OjWlc.zip
3a13e6f6846a5a1722e8b266ceae8dd6
Attachment
letter_QnBTi.zip
4cbc25dcbf08de24ee87bcc119f6c16f
Attachment
letter_RfVviz.zip
0cfc0aec33a7bdbffa53895c9cd7fb57
Attachment
letter_VuHASr.js
100a19a7278820886461ca509ec1c993
JSDownloader
letter_YKkPE.js
ed12fead265edfe0152f27dae6078212
JSDownloader
post_info_asgHE.zip
d60c838a51236ac585013a8f807b7569
Attachment
post_info_bwJbDR.js
e47f9353f491581e46e46647a357c93c
JSDownloader
post_info_CeZZu.js
a363de2b167ac355a0f93888b5e04a6b
JSDownloader
post_info_cGuqm.zip
cdee553957fb83a40f7b14eba0a41ed0
Attachment
post_info_CsbYG.zip
f5af5b7834bda884188490452c2c85e6
Attachment
post_info_CzRrE.zip
1567ed8c60a92e2ff8678432ad083a4d
Attachment
post_info_FvdXc.js
b50585cc02304fc4e3238b4d2e071178
JSDownloader
post_info_KsELg.js
0b28a46cd55c859e2bc42d5ed48a3f0d
JSDownloader
post_info_MSGDE.js
e0f23f5e0403c2a3de0cfde2fe89938d
JSDownloader
post_info_pJtOt.js
e8e093060c70372ef942f89633d9bd0c
JSDownloader
post_info_tuOxpr.js
8da38959402c894db8e55b01fd6ffb6b
JSDownloader
post_info_xXWwy.js
be900919c08a6f9e15dbc88f9a8bc91f
JSDownloader
warning-letter_equIH.zip
31ae173517f1c3b95c2eae4e7b546c9a
Attachment
warning-letter_IcDwG.js
7afa14b7941098c48d88ba8befa926cc
JSDownloader
warning-letter_IoBWF.js
412d93a1600236b226784e6011399dc2
JSDownloader
warning-letter_ojIjtc.zip
749a7c139690a6b527800fbccd4066f9
Attachment
warning-letter_PNEIi.zip
dc6f872e1f5caea1d29a48b9f183de40
Attachment
warning-letter_rAvJv.js
dfe0d32610330f32747da3551b3b722f
JSDownloader
warning-letter_ShAAZ.zip
e9d953fb3dc52364d71674c3b1aa8b9d
Attachment
warning-letter_swXcEq.js
3987c2d03042dee1bf5f90127dc8dc0d
JSDownloader
warning-letter_tjTfks.zip
992b864fa761ff7ae3ae114f1c0b3237
JSDownloader
warning-letter_ZHsTF.js
8078316a13c0139c4b8472dc53cff718
JSDownloader
warning-letter_ZoikPb.zip
316b7e8bb7bb773aa8a6ad47c6953e4f
Attachment
watch_it_CdJex.js
5ae36d68911396dd7c0bf9ef674e25d0
JSDownloader
watch_it_dZpLi.zip
f5ddcfb1545a1af403131d115cf04ce6
JSDownloader
watch_it_GCzQN.js
be44dd6023c9ea40e82369272bb933d2
JSDownloader
watch_it_JNHNs.zip
d997419f7348c2e45e3fff33ed66985f
Attachment
watch_it_KgDcbd.zip
80fc86862e21d7022743b1b388334bbe
Attachment
watch_it_lRqvTG.js
7ac74145aa485acf711df23e2d3ed6ec
JSDownloader
watch_it_odoRqP.js
2dfe5e49862d57ac1f5c510f0568afd2
JSDownloader
watch_it_sOqdK.js
b0cd17c7ecddfc176adb089948f5703e
JSDownloader
watch_it_udGEp.zip
3277afcde8d2dd473d3da61c0a4b0b61
Attachment
watch_it_VuCwU.js
35f36d821794c5951dd4a29fd326b379
JSDownloader
watch_it_WeOiwi.js
8f3e35cead2b76bfb0bfbeb9783101c1
JSDownloader
watch_it_wiaSit.js
1c5a1719337b72562a9e09f51c44b088
JSDownloader
watch_it_wJInBR.zip
eb34a9e90d3ec4a8e358d69a006ebf2c
Attachment
watch_it_WkuTs.js
a9cdf2f2e946f32bde8054167c49f025
JSDownloader
watch_it_YKqLr.zip
ecc2e62e42ea24134b9522e2c3b4df5e
Attachment

 

..:: 2nd Stage Downloads
gatheringmd[.]top
post-us-post[.]com
46_22_220_32:80 23_94_62_145:80 81_22_255_154:80 107_182_132_63:80 23_94_62_145:80 107_182_132_63:80 200_63_47_104:80 146_0_77_17:80 185_159_37_58:80

 

..:: Kovter C2
148_40_209_32:443 46_137_116_87:55583 22_73_46_193:80 14_154_83_169:80 114_88_78_247:80 213_3_143_182:443 35_221_138_66:443 110_111_98_226:8080 196_247_15_241:443 78_255_84_160:443 174_19_1_252:443 193_210_13_80:80 197_114_101_80:80 62_189_35_159:443 232_100_152_247:443 81_69_85_164:80 253_83_248_253:8080 3_190_33_15:80 168_212_129_14:80 53_76_226_88:80 65_79_26_56:40287 107_125_248_16:443 245_98_91_242:80 93_177_208_107:443 121_64_65_135:443 117_211_70_204:80 122_170_4_36:443 140_117_148_158:443 202_56_225_2:443 27_49_39_8:80 203_115_105_245:80 89_205_122_234:443 203_130_238_149:443 190_225_246_67:443 49_231_177_206:443 182_180_65_173:443 83_221_198_77:80 197_45_165_116:443 199_13_13_225:443 176_76_193_169:80 36_158_188_126:80 109_218_67_61:80 3_182_133_67:80 233_183_17_47:80 206_246_145_219:80 213_140_36_150:8080 127_186_211_59:80 100_167_18_166:80 88_169_155_220:8080 198_163_233_245:53859 184_235_184_147:80 141_32_231_36:443 102_221_40_161:80 139_73_39_50:80 126_218_200_91:80 161_33_105_138:443 144_66_2_72:80 197_212_244_173:8080 19_213_113_180:31441 252_18_46_42:59404 9_241_234_207:80 12_56_29_34:80 94_35_16_52:443 41_149_219_114:55592 177_226_92_155:443 88_172_13_130:8080 22_115_39_228:80 50_29_34_83:80 128_118_243_179:8080 215_220_243_179:80 155_100_49_247:80 80_172_28_209:22358 68_14_23_73:27750 51_107_147_23:80 10_158_103_224:21315 90_148_200_244:80 236_246_8_60:58866 36_13_138_86:443 152_108_154_216:80 5_107_180_239:443 190_142_217_159:80 52_51_208_40:80 201_21_34_209:80 196_244_93_79:80 174_230_181_72:80 84_77_42_9:443 157_199_202_119:80 210_170_153_163:80 196_108_230_229:8080 55_169_50_147:80 66_223_50_137:39390 133_214_199_142:443 101_85_221_219:80 176_133_85_83:443 25_191_61_253:80 167_47_7_159:37972 72_126_220_209:443 98_167_227_239:80 72_69_152_35:443 167_84_156_254:31354 91_59_106_88:80 18_135_180_177:443 251_47_14_204:80 112_116_47_96:80 119_164_199_154:80 17_66_247_172:443 100_8_122_206:80 40_223_230_220:80 24_215_191_38:80 11_149_25_58:443 176_152_16_75:31249 32_140_52_204:80 152_211_70_103:443 110_70_26_74:80 49_33_150_86:8080 161_234_222_218:443 39_139_120_54:8080 180_86_98_232:8080 45_128_245_115:80 224_45_66_42:26359 115_75_153_200:80 58_179_237_21:80 21_159_10_74:80 189_160_214_166:80 4_38_183_118:443 223_86_58_34:80 62_148_201_215:80 217_17_17_199:80 162_219_197_172:80 58_106_196_16:80 134_19_54_62:80 67_30_222_124:80 94_186_211_39:80 49_255_162_65:80 199_227_162_140:443 199_198_249_140:80 9_18_232_63:8080 114_129_109_80:80 173_183_127_212:46778 175_212_234_239:80 177_211_61_62:443 4_4_92_143:80 101_161_194_163:8080 37_93_132_34:28109 50_217_135_6:80 54_218_12_38:80 189_249_177_251:80 181_255_183_68:80 28_229_155_191:8080 206_227_51_83:8080 59_132_223_193:80 1_247_100_13:80 216_202_23_138:80 114_63_197_42:443 157_69_104_57:80 62_8_232_112:80
hxxp://185.117.72[.]90/upload[.]php
hxxp://185.117.72[.]90/upload2[.]php

 

PhishMe is a Finalist in 4 Categories for the 13th Annual 2017 Info Security PG's Global Excellence Awards
With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Leave a Reply