Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then, the threat actors have evolved from using a fake file encryption threat to using a well known and effective ransomware family: Locky. In this post we will examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word in quotations marks because their first attempt at including code that demanded payment was ineffective. These initial attempts were malicious JS email attachments that would only change Windows file extensions on the victim’s computer to “.crypted”. Below is a screenshot of an early ransom note.

Then in March of 2016, we saw a shift to actual file encryption by utilizing XOR on the first 2048 bytes of the files. In April, the threat actors shifted again with the use of 7zip, a legitimate archiving utility, to encrypt files with a static key. The actors then in June 2016 started distributing a PHP interpreter with a script to encrypt the files. A fantastic writeup on the PHP method used by these actors can be found here. They finally shift to utilizing the full blown ransomware family, Locky, in late October 2016.

One analysis artifact that distinguishes Locky campaigns in the wild is the use of an affiliate identification number that gets hardcoded in to every Locky infector build. Locky affiliates 1 & 3 are the most commonly seen affiliate IDs in spam campaigns, albeit from the Necurs botnet (an x86 bootkit that contains spam modules). This differs from the Locky affiliates 23 & 24 that we are currently seeing being distributed with Kovter in that distribution relies on a botnet that utilizes compromised websites for spamming.

Sample Campaign

Spam messages containing lures that eventually download Kovter usually contain verbiage of missed package deliveries, as seen in the message sample below.

By viewing the headers of this malicious spam message, we can see that the message appears to be originating from a compromised Joomla website based on the directory structure of the sending script that the webserver prepended to the messages. Depending on server configuration, some webservers will add the lines seen in the snippet below when email is sent using the PHP mail() function call.

The ZIP archive attached to the email contains an obfuscated JScript file that is capable of downloading Kovter and the Locky ransomware loaders.

In an effort to defeat malware sandboxes, this initial JScript file sleeps for at least 5 minutes, then writes another obfuscated JScript file to the folder %TMP% and executes it using the WScript.Run method. The %TMP% is a Windows environment variable placeholder for the C:Users{user}AppDataLocalTemp directory. The resulting, de-obfuscated JScript file runs the ping command in another effort to exceed sandbox timeouts, then downloads two binaries from gatheringmd[.]top, writing them to %TMP% and executes them, as seen in the code snippet below.

The Windows executable 24.exe downloaded from hxxp://gatheringmd[.]top/cb/l2[.]php is an NSIS-packed executable for the Kovter ad fraud trojan loader. Kovter is a “fileless” trojan that stores itself in the Windows registry for persistence and antivirus evasion. Upon execution, the trojan checks in with a command and control location that contains a URL path usually ending in upload.php or upload2.php, sending infected machine information such as the operating system version, service pack level, and the system architecture, and whether any known security programs were detected. Kovter will also check for and install the latest version of Internet Explorer Adobe Flash browser plugin, and .Net frameworks.

The Kovter trojan will then generate web traffic hidden from the victim’s desktop. The malware actors craft search terms, injecting them in to browser sessions with their malware that “clicks” on advertisements that generate revenue through pay-per-click models. We won’t dive too deep in to Kovter analysis since it has been well-documented already here (PDF) and here (PDF). Configuration data, seen in Table 1 below, is easily extracted from memory while the trojan is running.

The other Windows executable 23.exe that is downloaded form hxxp://gatheringmd[.]top/ll/l1[.]php is the loader for Locky ransomware. Locky is written in Visuall C++ and contains hard-coded IP addresses for command and control callbacks, although some versions of Locky do not require the victim to have Internet connectivity to start the file encryption process. The following table includes the configuration data we found in this campaign.

Conclusion

Distributors behind Kovter are constantly evolving their ransomware game. We can only speculate why these malware actors would “burn” their foothold on an infected machine where they have also placed profitable ad fraud code. Perhaps the return on investment is much higher with ransomware and preferable to standing up the infrastructure and money laundering channels required for conducting ad fraud. PhishMe Intelligence customers can view more details about this threat in ID 7409.

This specific email template is available in PhishMe Simulator to use in your own scenarios.

How susceptible is your organization to phishing threats? Download our latest Phishing Susceptibility and Resiliency Report to learn how reporting phishing can greatly improve your organization’s security posture.

Indicators of Compromise

..:: Email Subject Lines
Courier was unable to deliver the parcel, ID{rand}
Delivery Notification, ID {rand}
Problem with parcel shipping, ID:{rand}
Problems with item delivery, n.{rand}
Shipment delivery problem #{rand}
Unable to deliver your item, #{rand}
We could not delivery your parcel, #{rand}
Fedex parcel #{rand} delivery problem
Notification status of your delivery (FedEx {rand})
Parcel ID{rand} delivery problems, please review
Parcel {rand} delivery notification, USPS
USPS parcel #{rand} delivery problem

..:: File Hashes

..:: 2nd Stage Downloads
gatheringmd[.]top
post-us-post[.]com
46_22_220_32:80 23_94_62_145:80 81_22_255_154:80 107_182_132_63:80 23_94_62_145:80 107_182_132_63:80 200_63_47_104:80 146_0_77_17:80 185_159_37_58:80

..:: Kovter C2
148_40_209_32:443 46_137_116_87:55583 22_73_46_193:80 14_154_83_169:80 114_88_78_247:80 213_3_143_182:443 35_221_138_66:443 110_111_98_226:8080 196_247_15_241:443 78_255_84_160:443 174_19_1_252:443 193_210_13_80:80 197_114_101_80:80 62_189_35_159:443 232_100_152_247:443 81_69_85_164:80 253_83_248_253:8080 3_190_33_15:80 168_212_129_14:80 53_76_226_88:80 65_79_26_56:40287 107_125_248_16:443 245_98_91_242:80 93_177_208_107:443 121_64_65_135:443 117_211_70_204:80 122_170_4_36:443 140_117_148_158:443 202_56_225_2:443 27_49_39_8:80 203_115_105_245:80 89_205_122_234:443 203_130_238_149:443 190_225_246_67:443 49_231_177_206:443 182_180_65_173:443 83_221_198_77:80 197_45_165_116:443 199_13_13_225:443 176_76_193_169:80 36_158_188_126:80 109_218_67_61:80 3_182_133_67:80 233_183_17_47:80 206_246_145_219:80 213_140_36_150:8080 127_186_211_59:80 100_167_18_166:80 88_169_155_220:8080 198_163_233_245:53859 184_235_184_147:80 141_32_231_36:443 102_221_40_161:80 139_73_39_50:80 126_218_200_91:80 161_33_105_138:443 144_66_2_72:80 197_212_244_173:8080 19_213_113_180:31441 252_18_46_42:59404 9_241_234_207:80 12_56_29_34:80 94_35_16_52:443 41_149_219_114:55592 177_226_92_155:443 88_172_13_130:8080 22_115_39_228:80 50_29_34_83:80 128_118_243_179:8080 215_220_243_179:80 155_100_49_247:80 80_172_28_209:22358 68_14_23_73:27750 51_107_147_23:80 10_158_103_224:21315 90_148_200_244:80 236_246_8_60:58866 36_13_138_86:443 152_108_154_216:80 5_107_180_239:443 190_142_217_159:80 52_51_208_40:80 201_21_34_209:80 196_244_93_79:80 174_230_181_72:80 84_77_42_9:443 157_199_202_119:80 210_170_153_163:80 196_108_230_229:8080 55_169_50_147:80 66_223_50_137:39390 133_214_199_142:443 101_85_221_219:80 176_133_85_83:443 25_191_61_253:80 167_47_7_159:37972 72_126_220_209:443 98_167_227_239:80 72_69_152_35:443 167_84_156_254:31354 91_59_106_88:80 18_135_180_177:443 251_47_14_204:80 112_116_47_96:80 119_164_199_154:80 17_66_247_172:443 100_8_122_206:80 40_223_230_220:80 24_215_191_38:80 11_149_25_58:443 176_152_16_75:31249 32_140_52_204:80 152_211_70_103:443 110_70_26_74:80 49_33_150_86:8080 161_234_222_218:443 39_139_120_54:8080 180_86_98_232:8080 45_128_245_115:80 224_45_66_42:26359 115_75_153_200:80 58_179_237_21:80 21_159_10_74:80 189_160_214_166:80 4_38_183_118:443 223_86_58_34:80 62_148_201_215:80 217_17_17_199:80 162_219_197_172:80 58_106_196_16:80 134_19_54_62:80 67_30_222_124:80 94_186_211_39:80 49_255_162_65:80 199_227_162_140:443 199_198_249_140:80 9_18_232_63:8080 114_129_109_80:80 173_183_127_212:46778 175_212_234_239:80 177_211_61_62:443 4_4_92_143:80 101_161_194_163:8080 37_93_132_34:28109 50_217_135_6:80 54_218_12_38:80 189_249_177_251:80 181_255_183_68:80 28_229_155_191:8080 206_227_51_83:8080 59_132_223_193:80 1_247_100_13:80 216_202_23_138:80 114_63_197_42:443 157_69_104_57:80 62_8_232_112:80
hxxp://185.117.72[.]90/upload[.]php
hxxp://185.117.72[.]90/upload2[.]php