Update: Kovter bot spreading over the weekend (again), bearing ‘toll debt’ notifications

Category : Threat Analysis

The Kovter bot initiated another malicious spam run over the weekend (25th July 2015); the malicious emails spread early on Saturday morning. This wave is another of the Kovter bot's expansion efforts of the past few weeks. In this round, the emails claimed to be an “Indebted for driving on toll road #XXXXXXXXX” notice, where the X’s are random numbers. Notifying recipients of ‘toll debts’ is a known social engineering technique that has been utilised in malicious spam runs for quite a while; in this specific case, it was targeted towards E-ZPass users. E-ZPass is a tolling system used mainly in the United States, Costa Rica and the Dominican Republic. The honeypot system that alerted on this infection was located in South Africa, where the toll roads utilise a different tolling system called e-toll.

We haven’t seen any mentions so far that malicious advertising was utilised in conjunction with this email attack vector, like the one that MalwareBytes alerted on as spreading Kovter two weeks ago.

In this malicious spam run, Kovter used exactly the same infection and persistence techniques as described in our previous blog post: the download and silent install of the Windows Management Framework from Microsoft’s website, and the download and install of the latest version of Adobe Flash Player. The bot also appears to check in to the same command and control server, located at 155.94.67.5/upload.php.

But what is different this time? The initial infection URLs changed to a different set of compromised websites (indicator of compromise details are below).

Also, the bot now appears to utilise the legitimate Windows program regsvr32.exe (found at \windows\system32\regsvr32.exe) as the host process for its process hollowing.

Like the previous wave, the malicious files have a very low antivirus detection rate, around the 4% mark out of the 55 engines scanned with VirusTotal.

(The full text of the email message is included to help affected parties or researchers who search the web for it.)

Subject: Indebted for driving on toll road #XXXXXXXXX

Notice to Appear,

You have a debt to pay for using a toll road.
You are kindly asked to pay your debt as soon as possible.

You can find the invoice is in the attachment.

Sincerely,
Douglas Slater,
E-ZPass Support.


Indicators of Compromise

Infection URLs:
brigand-001-site2.smarterasp.net/document.php?rnd=9533&id=55565D5E0D0A020B24140116020B1609050A10054A070B09
www.alec.gr/document.php?rnd=9533&id=55565D5E0D0A020B24140116020B1609050A10054A070B09
readysetgomatthew.com/document.php?rnd=9533&id=55565D5E0D0A020B24140116020B1609050A10054A070B09

Initial File Hashes (for reference only, Kovter is polymorphic, hashes change regularly):
SHA1: fc917b3ae70c8bfa0774693ba3794f94442c6c40
SHA1: 182dd3949b272435a722a0811ab14b8e011a193a0

Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[]

Threat Local Files:
%USERPROFILE%\Local Settings\Application Data\<random-alphabetical-name>\<same-random-alphabetical-name.exe>

Legitimate Local Folders & Files:
%WINDIR%\system32\windowspowershell\
%WINDIR%\system32\winrm\
%WINDIR%\system32\WsmSvc.dll

Command and Control URL:
155.94.67.5/upload.php

Other network traffic seen, initiated by Kovter (not confirmed as malicious):
Pastebin link
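As an added illustration (not code from the original post), the following Python turns the indicators above into two small checks a defender can run offline: one over exported Run-key values, looking for the "random alphabetical folder containing an exe of the same name" drop path, and one over proxy log lines, looking for the document.php?rnd=…&id=… infection URL shape and the C2 URL. The Run-key and log lines are constructed samples, and matching AppData\Local alongside Local Settings\Application Data is an assumption (the former is the modern location of the latter).

```python
import re

# Constructed sample data (not from the original post), shaped like the
# artefacts listed above: Run-key values as "key|valuename|command" and
# proxy log lines as "timestamp client method url".
RUN_KEY_VALUES = [
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run|qwzxbt|C:\Users\bob\Local Settings\Application Data\qwzxbt\qwzxbt.exe',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\system32\SecurityHealthSystray.exe',
]
PROXY_LOG = [
    '2015-07-25T06:02:11Z 10.0.0.7 GET http://www.alec.gr/document.php?rnd=9533&id=55565D5E0D0A020B24140116020B1609050A10054A070B09',
    '2015-07-25T06:02:40Z 10.0.0.7 POST http://155.94.67.5/upload.php',
    '2015-07-25T06:03:02Z 10.0.0.9 GET http://example.com/index.html',
]

# Threat local file pattern from the post: a random alphabetical folder under
# Local Settings\Application Data (assumed: or its modern AppData\Local alias)
# holding an exe whose name equals the folder name (backreference \1).
KOVTER_PATH = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)\\([A-Za-z]+)\\\1\.exe$',
    re.IGNORECASE)
# Infection URL shape (document.php with rnd/id parameters) and the C2 URL.
INFECTION_URL = re.compile(r'/document\.php\?rnd=\d+&id=[0-9A-F]+', re.IGNORECASE)
C2_URL = '155.94.67.5/upload.php'


def suspicious_run_entries(entries):
    """Return the Run-key entries whose command matches the Kovter drop path."""
    hits = []
    for line in entries:
        key, name, cmd = line.split('|', 2)
        if KOVTER_PATH.search(cmd):
            hits.append({'key': key, 'value_name': name, 'command': cmd})
    return hits


def network_ioc_hits(log_lines):
    """Tag proxy log lines that hit the C2 URL or the infection URL pattern."""
    hits = []
    for line in log_lines:
        if C2_URL in line:
            hits.append(('c2-checkin', line))
        elif INFECTION_URL.search(line):
            hits.append(('infection-url', line))
    return hits


if __name__ == '__main__':
    for hit in suspicious_run_entries(RUN_KEY_VALUES):
        print('run-key persistence:', hit)
    for tag, line in network_ioc_hits(PROXY_LOG):
        print(tag + ':', line)
```

The C2 match is a plain substring check because the post gives a fixed address; the URL regex is looser because Kovter rotated the compromised hosts between waves while keeping the same document.php query shape.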