Update: Kovter bot spreading over the weekend (again), bearing ‘toll debt’ notifications
Category: Threat Analysis
The Kovter bot initiated another malicious spam run over the weekend (25 July 2015); the malicious emails spread early on Saturday morning. This wave is the latest of several attempts by the Kovter bot to expand over the past few weeks. In this round, the emails claimed that the recipient was “Indebted for driving on toll road #XXXXXXXXX”, where the X’s are random digits. Alerting recipients to ‘toll debts’ is a well-known social engineering lure that has been used in malicious spam runs for quite a while; in this case it was aimed at E-ZPass users (E-ZPass is a tolling system used mainly in the United States, Costa Rica and the Dominican Republic). The honeypot system that alerted on this infection was located in South Africa, where the toll roads use a different tolling system called e-toll.
So far we have not seen any reports of malicious advertising being used in conjunction with this email attack vector, unlike the malvertising campaign that MalwareBytes reported spreading Kovter two weeks ago.
In this malicious spam run, Kovter used exactly the same infection and persistence techniques as described in our previous blog post, including the download and silent installation of the Windows Management Framework from Microsoft’s website and the download and installation of the latest version of Adobe Flash Player. The bot also appears to check in to the same command and control server at 18.104.22.168/upload.php.
So what is different this time? The initial infection URLs changed to a different set of compromised websites (indicator of compromise details are below).
The bot also now appears to use the legitimate Windows program regsvr32.exe (found at \windows\system32\regsvr32.exe) as the target process for process hollowing.
(The full text of the email message is included to help with incoming web searches by affected parties or researchers.)
Indicators of Compromise
Registry Keys:
Threat Local Files:
%USERPROFILE%\Local Settings\Application Data\<random-alphabetical-name>\<same-random-alphabetical-name.exe>
Legitimate Local Folders & Files:
Command and Control URL:
Other Network Traffic Seen Initiated by Kovter (not confirmed as malicious):
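The two indicators that survive on this page, the drop-location pattern under Threat Local Files and the command and control URL, can be turned into a simple triage check over a host file inventory and a web proxy log. The following is an added example written for this post, not code from the original article or from the honeypot that raised the alert. The proxy log lines and file paths are constructed sample data in a Squid-like layout; the acceptance of `AppData\Local` alongside `Local Settings\Application Data` is an assumption added here, because on Windows Vista and later the old path is a junction to `%LOCALAPPDATA%`.

```python
import re
from typing import Iterable, List, Optional

# Drop location quoted in the IoC list above:
#   %USERPROFILE%\Local Settings\Application Data\<random-alphabetical-name>\<same-name>.exe
# The parent folder and the executable share a purely alphabetical name.
# 'AppData\Local' is accepted as well (assumption: newer Windows resolves the
# old 'Local Settings\Application Data' path to %LOCALAPPDATA%).
DROP_PATH_RE = re.compile(
    r"^.*?\\(?:Local Settings\\Application Data|AppData\\Local)\\"
    r"(?P<dir>[A-Za-z]+)\\(?P<exe>[A-Za-z]+)\.exe$",
    re.IGNORECASE,
)

# Command and control check-in reported in the post.
C2_HOST = "18.104.22.168"
C2_PATH = "/upload.php"

# Pulls host and path out of any http(s) URL embedded in a log line.
URL_RE = re.compile(
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/[^\s?]*)?", re.IGNORECASE
)


def is_kovter_drop_path(path: str) -> bool:
    """True when the executable's base name equals its alphabetical parent
    folder name directly under the local application data folder."""
    m = DROP_PATH_RE.match(path)
    if not m:
        return False
    # Windows paths are case-insensitive, so compare case-folded names.
    return m.group("dir").lower() == m.group("exe").lower()


def find_drop_paths(paths: Iterable[str]) -> List[str]:
    """Filter a file inventory (e.g. an EDR or dir /s export) to candidate drops."""
    return [p for p in paths if is_kovter_drop_path(p)]


def classify_proxy_line(line: str) -> Optional[str]:
    """Return 'c2_checkin' for a request to the exact C2 URL, 'c2_host' for any
    other request to the C2 address, or None when the line is unrelated."""
    verdict = None
    for m in URL_RE.finditer(line):
        if m.group("host") != C2_HOST:
            continue
        if (m.group("path") or "/") == C2_PATH:
            return "c2_checkin"
        verdict = "c2_host"
    return verdict


def scan_proxy_log(lines: Iterable[str]) -> List[str]:
    """Return only the lines that touch the C2 address, exact URL first."""
    hits = [(classify_proxy_line(l), l) for l in lines]
    exact = [l for v, l in hits if v == "c2_checkin"]
    host_only = [l for v, l in hits if v == "c2_host"]
    return exact + host_only


# Constructed sample data (not observed artefacts from the post).
SAMPLE_FILE_INVENTORY = [
    r"C:\Documents and Settings\bob\Local Settings\Application Data\qwer\qwer.exe",
    r"C:\Documents and Settings\bob\Local Settings\Application Data\qwer\readme.txt",
    r"C:\Users\bob\AppData\Local\Microsoft\Windows\Explorer\thumbcache.db",
    r"C:\Users\bob\AppData\Local\zxcvb\zxcvb.exe",
    r"C:\Windows\System32\regsvr32.exe",
]

SAMPLE_PROXY_LOG = [
    "1437800001.101 210 10.0.0.5 TCP_MISS/200 412 POST http://18.104.22.168/upload.php - DIRECT/18.104.22.168 text/html",
    "1437800002.202 95 10.0.0.5 TCP_MISS/200 73218 GET http://example.invalid/images/logo.png - DIRECT/203.0.113.9 image/png",
    "1437800003.303 150 10.0.0.7 TCP_MISS/200 1024 GET http://18.104.22.168/index.html - DIRECT/18.104.22.168 text/html",
]

if __name__ == "__main__":
    for p in find_drop_paths(SAMPLE_FILE_INVENTORY):
        print("candidate drop:", p)
    for line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(classify_proxy_line(line), "->", line)
```

The path rule on its own is a weak signal, since any legitimately installed program that names its executable after its folder will match; treat a path hit as a triage lead and confirm it against the check-in traffic, which is why the proxy scan returns exact-URL matches ahead of bare host matches.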