Execution of Malware

  1. Whenever the system is rebooted, the following chain of actions is performed:
    1. The operating system executes the LNK file from the Startup folder
    2. The LNK file executes the BAT file
    3. The BAT file starts the file with the 331aa3f extension
    4. The 331aa3f extension registry value forwards to the 33eb18 extension registry value
    5. The Shell | Open | Command handler registered for that extension is executed, and the first malicious script runs

This chain gives the malware a way to start automatically at every system startup.

  2. MSHTA (mshta.exe) is a legitimate Windows executable, the HTML Application host, that can run JavaScript. Malware authors frequently abuse this feature to run encoded or encrypted malicious JavaScript as the initial starting point of an infection. See the following screenshot:

  3. In this instance, MSHTA is run with a JavaScript command-line argument and executes the script shown in the following screenshot:

  4. The script is obfuscated JavaScript that obtains the WScript.Shell object, which lets the malware read any registry value. Kovter stores multiple encoded/encrypted registry values, which can be seen in the following screenshot:

  5. The registry values ajel and zlrx are the most important of these. The ajel value holds an obfuscated JavaScript script that MSHTA reads and runs as the second stage of the attack. This stage also contains PowerShell scripts; it reads the zlrx registry value, which holds the final stage of the attack, and injects that binary into a legitimate process (regsvr32.exe). This technique is referred to as Reflective-PE and, like the other techniques used by the malware authors, is quite difficult to detect and stop.

  6. Injecting a malicious binary into a legitimate process is known as Process Hollowing/RunPE and is easily spotted by a modern anti-malware solution. Kovter, however, uses a subtler variant: it does not unmap the main module of regsvr32.exe (the unmapping is what lets anti-malware solutions flag the process as suspicious). Instead, it injects the malicious module at address 0x280000 while the legitimate regsvr32.exe image remains mapped at address 0xA50000. See the following screenshot:

  7. Most modern malware destroys the PE header information, which here is found at 0x280000, but that is not the case in this incident. The PE image at address 0x280000 is a Delphi-compiled executable (MZ - Pascal); Delphi is a popular language among malware authors because of its extensive native support and lack of third-party dependencies. See the following screenshot:

  8. Because of a suspicious string, and because a previous Kovter campaign had used the Dark Comet RAT, we initially believed that the sample might be injecting Dark Comet RAT into regsvr32.exe; further analysis, however, pointed us in the right direction. See the following screenshot:

  9. By reverse engineering the malicious binary from its actual starting point at address 0x02DB25F, we observed a reference to the LoadResource Windows API, which a large percentage of malware uses to retrieve configuration information embedded in the binary after it is built and ready for a campaign. See the following screenshot:

  10. By dumping the malicious binary from memory we were able to restore the resource section of the malware, which appeared to be encrypted. See Figure 12:

  11. Upon further inspection, we identified the format of the encrypted resource data as follows:
    1. Offset 0x00: 16-byte encryption key, stored in reverse byte order (highlighted in the following screenshot)
    2. Offset 0x10: RC4-encrypted / base64-encoded configuration file
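The resource layout just described can be turned into a small configuration extractor. The following Python decoder is an added example, not code from the original analysis: it assumes the base64 layer is the outer one (the text does not say which of RC4 and base64 is applied first), so it falls back to the other order when the first attempt does not yield printable text; `rc4`, `decode_resource` and `build_sample_resource` are names chosen here, and the key and configuration used for the demonstration are constructed.

```python
import base64
import binascii

KEY_LEN = 16     # offset 0x00: 16-byte RC4 key, stored in reverse byte order
DATA_OFF = 0x10  # offset 0x10: RC4-encrypted / base64-encoded configuration

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def looks_like_text(b: bytes) -> bool:
    """Plausibility check for a decoded config: printable ASCII plus line breaks/tabs."""
    return len(b) > 0 and all(32 <= c < 127 or c in b"\r\n\t" for c in b)

def decode_resource(blob: bytes) -> bytes:
    """Recover the configuration from a resource laid out as described in the text."""
    if len(blob) <= DATA_OFF:
        raise ValueError("resource too short to hold a 16-byte key plus payload")
    key = blob[:KEY_LEN][::-1]   # the key is stored reversed; undo that first
    body = blob[DATA_OFF:]
    # Assumed layering: base64 on the outside, RC4 ciphertext inside.
    try:
        plain = rc4(key, base64.b64decode(body, validate=True))
        if looks_like_text(plain):
            return plain
    except binascii.Error:
        pass
    # Other reading of "RC4-encrypted / base64-encoded": RC4 outside, base64 inside.
    # Raises binascii.Error if neither layering fits, i.e. the layout is not as assumed.
    return base64.b64decode(rc4(key, body), validate=True)

def build_sample_resource(key: bytes, config: bytes) -> bytes:
    """Constructed test data only: emits a resource in the documented layout."""
    assert len(key) == KEY_LEN
    return key[::-1] + base64.b64encode(rc4(key, config))
```

On a real dump, pass the raw bytes of the restored resource to `decode_resource`; a `binascii.Error` means the data does not match either layering and the layout should be re-examined.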