Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign
This stealthy and persistent ransomware also harvests your data
As tax season approaches, cybercriminals start getting ready to exploit every vulnerability in your system. And it all starts with a spam email.
Our team has recently analyzed a spam campaign that claims to be a refund notification from the IRS. And who wouldn’t want to know if they’re really getting a tax refund from the IRS?
But don’t let your curiosity get the best of you: not only is it a fake email, but it also carries plenty of danger within.
The spam email includes a .zip attachment. In that attachment, there is a .js file that will activate Windows PowerShell in order to download the primary payload as soon as the .zip file is opened.
Our team has analyzed the payload and discovered that there are multiple payload families involved. The primary payload appears to be Kovter, and the seconday one CoreBOT.
Tell me more about these payload families
Kovter is a Trojan whose primary use was performing click-fraud operations on the PCs it infected. But, earlier this year, Kovter was seen incorporating new cloaking tricks in order to evade detection. Its core assets: the ability to remain hidden and to persist for a longer period in the memory of the compromised machines.
When the new Kovter variant compromises a computer, the Trojan has the ability to reside only in the registry and not maintain a presence on disk. It accomplishes this by using registry tricks in an attempt to evade detection. The threat is also memory resident and uses the registry as a persistence mechanism to ensure it is loaded into memory when the infected computer starts up.
Source: Kovter malware learns from Poweliks with persistent fileless registry update via Symantec
In this case, Kovter delivers a ransomware strain that this analysis is based on, and also what the victim gets if he/she receives the infection coming from Scandinavia. It does so not by copying malicious files to the machine, but by using PowerShell to run the commands, which, in reality, are the payload.
Although Kovter is famous for its stealthiness, the attackers behind this spam wave seem to have traded this for a faster, higher return on investment. This is why they’re using it to spread ransomware instead.
As for CoreBOT, it’s yet another threat to be really worried about. This is a type of modular malware, which allows cybercriminals to build upon it. That’s why it has evolved from data-stealing malware to financial malware almost overnight earlier this year.
CoreBot differs from standard malware as the code allows the bolt-on of additional mechanisms, ranging from endpoint control and data theft modules to fresh exploits taking advantage of zero-day vulnerabilities.
[…] CoreBot now contains modules for Internet Explorer, Firefox and Google Chrome browser hooking and form grabbing, a virtual network computing (VNC) module for remote control, preconfigured URL triggers for targeting banks, a custom webinjection mechanism and the ability to pull on-the-fly webinjections from remote servers.
Source: CoreBot malware evolves overnight into virulent banking Trojan via ZDNet
How this spam campaign works
The unwanted email that seems to come from the IRS features the contents:
From: [spoofed / fake return address]
Subject Line: Payment for tax refund # 00 [6 random numbers]
Attached:
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js
If an unsuspecting user opens the attachment – and ignores several warnings – then the code will run on the machine with the privileges of the logged in user. If you’re using your admin account on a daily basis, this may prompt you to reconsider.
The Javascript known as “Nemucod” or “Swabfex” will retrieve Kovter. This is where Kovter differs from other ransomware variants because it systematically harvests data from the infected machine and sends it to a strip C & C, first-tier servers.
This strain of Kovter retains its fileless infection capabilities, and connects to the following domains in the first stage of the infection:
http:// ahmadhania [.]com
http:// hkcpafirm [.] com
http:// martenmini [.] com
The domains work as download servers and provide a .gif file, which in reality is a Win32PE. This uses mshta.exe to handle the WSH Javascript code. The first function called a “sleep mode“: sleep (40), after which the payload will begin to encrypt all the data files on the system and all available, connected drives.
The data extracted from the infected machine is sent via HTTP POST to 78.24.220 [.] 229 /upload.php with useragent: Mozilla / 4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident / 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E).
Then, CoreBOT will be bound using an API in Microsoft Windows to force a system shutdown: “InitiateSystemShutdownA”. This will complete the ransomware payload and leave the system in a state where all the data is overwritten and encrypted. The victim will then be prompted that the data can be restored by paying a ransom in Bitcoins.
The actual payload is saved to the Windows registry in an obfuscated form and is activated by a system restart.
For example: “\ REGISTRY \ MACHINE \ SOFTWARE \ FuzFdr” associated with the value instance. “QmJmHlOHN” and the payload “FwqVQEQig5KR4ZCEKwVnRO=”veM3sLfhkRfRSImy4bAB5mS3wsc”;XKya1RARQodtIalIFq=”DeR7nh79vOfjujJFQVLgs0CWs3upFYHjuXlh4jpBRQlbzE12p MCOZGOAbBvdeZtmFRPxNanMP0wRtFMqwQIRe2vfuiO004Lwgcj” [snip]. Note that values are created in the registry and dynamically generated.
We have already the effects that Kovter can have, but it was used primarily as an ad-fraud payload then. This type of behavior was observed and announced countless times when detecting infections that are not as easily spotted by traditional antivirus products.
Antivirus detection is very low, as you can see from the examples below:
http:// ahmadhania [.]com
Detection rate: 1/66 on VirusTotal
http:// hkcpafirm [.] com
Detection rate: 2/66 on VirusTotal
http:// martenmini [.] com
Detection rate: 3/66 on VirusTotal
How come spam emails like these still work?
Spam campaigns continue to be one of the main tactics that cybercriminals use to infect victims with malware of their choice. There are various reasons that motivate this decision, which we’ve analyzed in this article: How Malware Creators Use Spam to Maximize Their Impact.
The fact is that two characteristics work on behalf of cybercriminals: curiosity and lack of basic cybersecurity education. “What you don’t know can’t hurt you” and “ignorance is bliss” do not apply here. The less you know, the more exposed you are. So, as always, we strongly recommend educating oneself on the fundamental things you can do today protect your data.