POL1TC@L HOOK
Malware analysis - Analysing Kovter

12/9/2022

Today we are going to talk about analysing the Kovter malware. For those unfamiliar with Kovter, it gained fame in 2015 as one of the more prominent attacks to utilise living off the land techniques. Before we begin, there are several concepts which must be explained:

1) Living off the land – Living off the land refers to using native or signed scripts/binaries to further an attacker's goal.

2) Sysmon – Sysmon refers to a tool created by Microsoft which enhances the Windows event log by providing additional logging based on event codes. It also allows for customisation, as it can ingest an XML configuration with custom rules that monitor selected files/ports, as shown below:

[Figure: Sysmon XML configuration]
Lab Setup

[Figure: lab setup]

  1. Splunk infrastructure: the Universal Forwarder forwards logs to the indexer; they are then searched from the search head
  2. Kovter malware is run on a Windows 10 virtual machine
  3. Sysmon installed on the Windows 10 VM
  4. FakeNet mimics the internet to prevent Kovter from reaching its command and control servers
  5. No AV. We need Kovter to run without being
  6. UAC disabled, need Kovter to run without being hindered


Kovter overview

After sifting through the Sysmon-enhanced logs in Splunk, I was able to come to the following conclusion.

  1. Kovter uses WmiPrvSE (PID 2692) to launch mshta (PID 7824); I am unsure of how this is done. It could be the command line or perhaps a WMI script.
  2. PowerShell then downloads a script which runs in memory.
  3. I believe the script then runs regsvr32 (PID 4740), which completes many tasks:

3.1) Sets the value under HKU\S-1-5-21-3652906336-4086003666-492231068-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809 to 0x00000003. This allows pop-ups in Internet Explorer.

3.2) Sets the value under HKU\S-1-5-21-3652906336-4086003666-492231068-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 to 0. This allows scripting of Internet Explorer's WebBrowser security control.

3.3) Places a malicious .bat file in the registry for persistence. This executes another mshta upon restart.

3.4) Writes a separate registry entry which reads the payload.

Registry persistence and tricks

Kovter took advantage of registry jumping. The file extension class .251b2fb had data pointing to HKEY_USERS\S-1-5-21-3652906336-4086003666-492231068-1000_Classes\522960\shell\open\command, which contained our malicious mshta command.

It also used extended characters to obstruct analysis.

[Figure: registry values as displayed in the registry editor]

As you can see, the fields all appear to have data in them. However, clicking on the value htavir (probably after "hta virus", why though?) shows no data. In fact, clicking and attempting to edit the box failed. After dumping the registry hive to disk and analysing it, I believe the issue is the character highlighted below:

[Figure: dumped registry hive with the extended character highlighted]

This extended character helps to stop analysts from inputting any data and tampering with the payload.
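As an added example that is not part of the original post, here is a small Python check that turns the findings above into detection logic over Sysmon Event ID 13 (registry value set) records: it flags the Internet Zone values 1809 and 1206 being set to the observed weakening values, a shell\open\command entry whose data launches mshta, and value names that contain extended or non-printable characters. The event records are constructed for this example (the field names follow Sysmon's EventID, Image, TargetObject and Details; the SID is the one from the post), and a real deployment would feed it from the forwarder or a Splunk export instead.

```python
import re
import unicodedata

# Constructed Sysmon Event ID 13 records modelled on the behaviour described in
# this post; they are not real captured logs. The mshta command data is a placeholder.
SID = "S-1-5-21-3652906336-4086003666-492231068-1000"
ZONE3 = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": ZONE3 + r"\1809", "Details": "DWORD (0x00000003)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": ZONE3 + r"\1206", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": f"HKU\\{SID}_Classes\\522960\\shell\\open\\command\\(Default)",
     "Details": "mshta.exe <placeholder>"},
    # Value name carrying a zero-width space, constructed to mimic the "htavir" trick.
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\htavir\u200b", "Details": "Binary Data"},
    # Benign change by Explorer, should produce no finding.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Zone 3 (Internet) values the post observed regsvr32 setting, with the weakening data.
IE_ZONE_WEAKENING = {"1809": 0x3, "1206": 0x0}  # pop-up blocker off; WebBrowser control scripting allowed
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

def value_name(target):
    """Last path component of a TargetObject, i.e. the registry value name."""
    return target.rsplit("\\", 1)[-1]

def has_hidden_chars(name):
    """True if the value name contains control/format code points or anything outside printable ASCII."""
    return any(unicodedata.category(c) in ("Cc", "Cf") or ord(c) > 0x7E for c in name)

def check_event(ev):
    """Return a list of (rule, TargetObject) findings for one Sysmon event dict."""
    findings = []
    if ev.get("EventID") != 13:
        return findings
    target, details = ev["TargetObject"], ev.get("Details", "")
    name = value_name(target)
    parent = target[: -len(name) - 1] if "\\" in target else ""
    m = DWORD_RE.match(details)
    if parent.endswith("Internet Settings\\Zones\\3") and name in IE_ZONE_WEAKENING \
            and m and int(m.group(1), 16) == IE_ZONE_WEAKENING[name]:
        findings.append(("ie_zone_weakened", target))
    if "\\shell\\open\\command" in target and "mshta" in details.lower():
        findings.append(("registry_jump_mshta", target))
    if has_hidden_chars(name):
        findings.append(("hidden_chars_in_value_name", target))
    return findings

def analyse(events):
    """Run every check over a list of events and collect the findings in order."""
    return [f for ev in events for f in check_event(ev)]
```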

Thanks for reading
