win.kovter

Kovter


Kovter is a police ransomware family.

Feb 2012 - Police Ransomware
Aug 2013 - Became ad fraud malware
Mar 2014 - Transitioned from ransomware to ad fraud malware
June 2014 - Distributed via the Sweet Orange exploit kit
Dec 2014 - Run affiliated node
Apr 2015 - Spread via the Fiesta and Nuclear Pack exploit kits
May 2015 - Kovter becomes fileless
2016 - Malvertising campaign targeting Chrome and Firefox users
June 2016 - Change in persistence
July 2017 - Nemucod and Kovter were packed together
Jan 2018 - Cylance report on persistence

References
2020-01-19 | 0x00sec | Dan Lisichkin
@online{lisichkin:20200119:analyzing:1f21f30, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques - Part 1}}, date = {2020-01-19}, organization = {0x00sec}, url = {https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663}, language = {English}, urldate = {2020-01-27} } Analyzing Modern Malware Techniques - Part 1
Kovter
2019-09-09 | McAfee | Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-01-10} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2018-08-09 | Github (ewhitehats) | eWhitehats
@techreport{ewhitehats:20180809:kovter:3181581, author = {eWhitehats}, title = {{Kovter Uncovered: Malware Teardown}}, date = {2018-08-09}, institution = {Github (ewhitehats)}, url = {https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf}, language = {English}, urldate = {2020-01-09} } Kovter Uncovered: Malware Teardown
Kovter
2017-08-18 | Trend Micro | John Sanchez
@online{sanchez:20170818:kovter:31e1e79, author = {John Sanchez}, title = {{KOVTER: An Evolving Malware Gone Fileless}}, date = {2017-08-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless}, language = {English}, urldate = {2020-01-08} } KOVTER: An Evolving Malware Gone Fileless
Kovter
2016-07-14 | Malwarebytes | Malwarebytes Labs
@online{labs:20160714:untangling:c16cc34, author = {Malwarebytes Labs}, title = {{Untangling Kovter’s persistence methods}}, date = {2016-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/}, language = {English}, urldate = {2019-12-20} } Untangling Kovter’s persistence methods
Kovter
2015-09-24 | Symantec | Symantec Security Response
@online{response:20150924:kovter:9602c6b, author = {Symantec Security Response}, title = {{Kovter malware learns from Poweliks with persistent fileless registry update}}, date = {2015-09-24}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update}, language = {English}, urldate = {2020-01-13} } Kovter malware learns from Poweliks with persistent fileless registry update
Kovter
2015-01-08 | Malwarebytes | Jérôme Segura
@online{segura:20150108:major:064a2ab, author = {Jérôme Segura}, title = {{Major malvertising campaign spreads Kovter Ad Fraud malware}}, date = {2015-01-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/}, language = {English}, urldate = {2019-12-20} } Major malvertising campaign spreads Kovter Ad Fraud malware
Kovter
Yara Rules
[TLP:WHITE] win_kovter_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Code-sequence signature for win.kovter, autogenerated by yara-signator (see meta).
// The rule fires when at least 7 of the 10 byte sequences below are present and the
// scanned object is smaller than 901120 bytes (see the condition at the bottom).
rule win_kovter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter"
        malpedia_rule_date = "20200529"
        // Identifies the rule revision on Malpedia; any edit to the rule body means it
        // no longer corresponds to this hash.
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of consecutive x86 instruction encodings. The
    // "n = N, score = S" line gives the instruction count and the generator's
    // selection score; the scoring scheme itself is not described on this page
    // (see the yara-signator repository for details).
    // "????????" masks a 4-byte operand (e.g. the rel32 of an e8 call or the
    // absolute address of an a1 / 8b15 load) so the sequence still matches when
    // the code is relocated; the disassembly column is left blank for those entries.
    strings:
        $sequence_0 = { 8945e8 33ff 43 81e3ff000080 7908 4b 81cb00ffffff }
            // n = 7, score = 600
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   33ff                 | xor                 edi, edi
            //   43                   | inc                 ebx
            //   81e3ff000080         | and                 ebx, 0x800000ff
            //   7908                 | jns                 0xa
            //   4b                   | dec                 ebx
            //   81cb00ffffff         | or                  ebx, 0xffffff00

        $sequence_1 = { 50 6a00 681f000f00 8d45c8 50 e8???????? }
            // n = 6, score = 600
            //   50                   | push                eax
            //   6a00                 | push                0
            //   681f000f00           | push                0xf001f
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { c3 55 8bec 83c49c 53 33c9 894df4 }
            // n = 7, score = 600
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c49c               | add                 esp, -0x64
            //   53                   | push                ebx
            //   33c9                 | xor                 ecx, ecx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_3 = { 8b5d0c 8b5304 8b03 e8???????? 8b4510 50 }
            // n = 6, score = 600
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   50                   | push                eax

        $sequence_4 = { c21000 55 8bec 8b450c 33d2 }
            // n = 5, score = 600
            //   c21000               | ret                 0x10
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   33d2                 | xor                 edx, edx

        $sequence_5 = { a1???????? b901000000 8b15???????? e8???????? 83c404 }
            // n = 5, score = 600
            //   a1????????           |                     
            //   b901000000           | mov                 ecx, 1
            //   8b15????????         |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_6 = { 0f92c0 84c0 7502 33db 46 4f }
            // n = 6, score = 600
            //   0f92c0               | setb                al
            //   84c0                 | test                al, al
            //   7502                 | jne                 4
            //   33db                 | xor                 ebx, ebx
            //   46                   | inc                 esi
            //   4f                   | dec                 edi

        $sequence_7 = { 83fbff 7433 8b45f8 e8???????? 8bf8 85ff }
            // n = 6, score = 600
            //   83fbff               | cmp                 ebx, -1
            //   7433                 | je                  0x35
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_8 = { 8b13 8d45f8 e8???????? 8d45f8 e8???????? 8b0b 8bd6 }
            // n = 7, score = 600
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   e8????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   e8????????           |                     
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bd6                 | mov                 edx, esi

        $sequence_9 = { 8d8500ffffff 50 56 e8???????? 8d85fcfeffff 8d9500ffffff b900010000 }
            // n = 7, score = 600
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   8d9500ffffff         | lea                 edx, [ebp - 0x100]
            //   b900010000           | mov                 ecx, 0x100

    condition:
        // NOTE(review): the sequences come from memory dumps and unpacked files
        // (see DISCLAIMER), so the rule is expected to match unpacked code rather
        // than packed on-disk droppers -- confirm against your own sample set.
        // filesize is only defined when scanning files; check how your YARA
        // version evaluates this condition on process-memory scans before
        // relying on it there.
        7 of them and filesize < 901120
}