Spike in Kovter Ad Fraud Malware Riding on Clever Macro Trick

October 20, 2016
Proofpoint Staff

Overview

On October 18, Proofpoint researchers detected an email campaign that used malicious Microsoft Word documents to distribute Kovter ad-fraud malware. The campaign described here is noteworthy for two reasons:

  • The spam actor we track as TA530 or “Personalized” [3][4] innovated once again and introduced a novel way to bypass sandbox systems by requiring users to click on images within the document attachment in order to activate malicious code.
  • The final payload delivered was Kovter: we have been observing an unusual spike in Kovter distribution over email. The main distribution vector is typically via social engineering in US and UK [5][6]

Email Campaigns

On October 18, Proofpoint observed an email campaign featuring thousands of distinct malicious documents with only a few recipients per document. The example email message, as shown in Figure 1, is personalized by recipient with the company name, recipient name and sometimes the recipient's work title appearing in the subject line, the email body, and in the name of the attached file. The email references a "long overdue balance" and "debt recovery" actions, enticing users to open the attached document to verify the nature of the debt. The sending addresses were primarily compromised @cox[.]com and @t-online[.]de accounts. Example subjects included:

  • [Company Name] Critical Billing Notice - OVERDUE ACC0UNT (10A7718)
  • [Company Name] Urgent Notice - PAST DUE INV0ICE (10Z7468)
  • [Company Name] Important Billing Letter - OVERDUE ACCOUNT (10A9256)

Figure 1: Personalized email lure

The attachment, as shown in Figure 2, includes a clever technique to activate the malicious payload download that we have not observed before. First, the user is instructed to “Enable Content,” which enables the macros. However, the payload is not downloaded at this point, as there are no Auto_Open(), Workbook_Open(), or equivalent functions that perform an action as soon as the document is opened.

Instead, the user must next click on one of the two square images within the document, which finally activates the malicious code that downloads the payload. This sequence of two steps will likely reduce the click-through ratio somewhat, but the second step makes it extremely difficult for automated sandbox systems to detonate the document and trigger the payload download (a calling card of the TA530 spammer).

Figure 2: Malicious document attachment with clickable embedded images (Note, these are not embedded OLE objects, even though they look similar)

As shown in Figure 3, the macro code is itself is fairly simple, especially compared to other macros employed by TA530 that use several different ways to detect sandboxes [4]. When the potential victim clicks on one of two images (the fake Excel icon or the fake PDF icon) a function Image1_Click() or Image2_Click() is executed. These in turn call a randomly named function uTezjM which constructs a Powershell payload download command.

Figure 3: The malicious macro extracted from the document, only relevant parts shown

The payload downloaded by the document was Kovter, which has been documented well in other sources. We include the configuration for this specific sample in Appendix A. Proofpoint has been observing an unusual spike in Kovter spreading via email since the beginning of October 2016. Example Kovter campaigns are listed below:

  • October 4: Google Docs URL leading to zipped JavaScript, which downloads Kovter
  • October 7: “httpslink.com” URL shorteners leading to download of RAA Loader, which in turn downloads Vawtrak 140 and Kovter
  • October 12: Google Docs URL leading to zipped JavaScript, which downloads Kovter
  • October 13: Google Docs URL leading to zipped JavaScript, which downloads Kovter
  • October 18: Personalized MS Word Documents downloading Kovter

Conclusion

The campaign described here used a new evasion technique that requires the recipient to click on embedded images, an innovation that makes execution (and hence detection) difficult in automated sandbox environments. Combined with personalized attacks at scale, a socially engineered lure conveying a significant sense of urgency, and a very large number of different document attachments in this campaign (an average of one document for every three emails), click-through and infection rates are potentially very high. Because of the change in TTPs for this spam distributor, it remains to be seen if the Kovter infections may be used to ultimately install other types of malware.

References

[1] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Kovter

[2] https://www.proofpoint.com/us/threat-insight/post/malicious-macros-add-to-sandbox-evasion-techniques-to-distribute-new-dridex

[3] https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs

[4] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques

[5] https://twitter.com/kafeine/status/730172140692082688

[6] https://blogs.technet.microsoft.com/mmpc/2016/05/10/large-kovter-digitally-signed-malvertising-campaign-and-msrt-cleanup-release/?platform=hootsuite

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

185[.]117[.]72[.]90

IP

Kovter C&C

163[.]191[.]112[.]6

IP

Kovter C&C

61[.]247[.]196[.]96

IP

Kovter C&C

hxxp://185[.]117[.]72[.]90/upload[.]php

URL

Kovter C&C

hxxp://185[.]117[.]72[.]90/upload2[.]php

URL

Kovter C&C

hxxp://163[.]191[.]112[.]6/

URL

Kovter C&C

hxxp://61[.]247[.]196[.]96/home/list[.]nhn

URL

Kovter C&C

hxxp://demitartgourmet[.]com/changelog/bindata[.]exe

URL

Document payload (Kovter)

2cdee7c99edadb7b9dfaa549f4d485b642175e81e0cf3cf0ce47e84e8d2fee4a

SHA256

Document downloading Kovter

Appendix A: Kovter Configuration

cp1: 11[.]193[.]212[.]127:80>217[.]40[.]82[.]54:8080>64[.]227[.]162[.]203:80>189[.]82[.]97[.]80:8080>151[.]114[.]177[.]198:80>225[.]26[.]229[.]2:80>36[.]12[.]52[.]247:80>5[.]209[.]178[.]87:80>68[.]150[.]234[.]229:80>199[.]163[.]180[.]40:80>190[.]100[.]202[.]133:23824>171[.]158[.]123[.]173:80>158[.]185[.]68[.]150:80>73[.]104[.]246[.]159:80>59[.]53[.]89[.]32:80>32[.]195[.]75[.]71:80>100[.]6[.]27[.]46:443>176[.]217[.]40[.]44:80>57[.]202[.]64[.]125:80>131[.]197[.]200[.]122:80>55[.]180[.]153[.]143:80>49[.]175[.]151[.]124:8080>223[.]252[.]103[.]14:32037>24[.]230[.]174[.]67:80>231[.]13[.]172[.]100:80>48[.]41[.]53[.]169:80>108[.]93[.]39[.]250:80>87[.]170[.]200[.]210:80>22[.]178[.]156[.]125:443>35[.]148[.]166[.]208:443>20[.]184[.]228[.]191:8080>81[.]239[.]69[.]134:80>209[.]241[.]245[.]248:80>79[.]150[.]239[.]34:26071>5[.]212[.]210[.]129:80>244[.]22[.]59[.]197:80>125[.]208[.]14[.]153:32108>252[.]221[.]167[.]149:80>153[.]139[.]167[.]134:443>246[.]29[.]161[.]24:443>165[.]236[.]38[.]39:80>26[.]60[.]186[.]223:80>8[.]93[.]248[.]22:80>18[.]210[.]193[.]166:23966>91[.]50[.]41[.]224:80>32[.]253[.]131[.]55:8080>41[.]36[.]117[.]79:80>177[.]153[.]6[.]194:443>122[.]170[.]4[.]36:443>140[.]117[.]148[.]158:443>202[.]56[.]225[.]2:443>27[.]49[.]39[.]8:80>191[.]242[.]204[.]19:80>203[.]115[.]105[.]245:80>89[.]205[.]122[.]234:443>108[.]83[.]139[.]121:50409>190[.]225[.]246[.]67:443>114[.]134[.]92[.]251:32728>182[.]180[.]65[.]173:443>143[.]138[.]94[.]111:443>102[.]203[.]170[.]123:443>195[.]141[.]148[.]132:443>22[.]222[.]100[.]63:80>71[.]94[.]188[.]202:443>13[.]243[.]184[.]130:80>92[.]18[.]204[.]186:80>126[.]32[.]77[.]40:80>14[.]235[.]40[.]161:443>91[.]183[.]79[.]191:80>7[.]83[.]202[.]208:22182>195[.]160[.]89[.]6:53609>209[.]182[.]235[.]80:36669>56[.]120[.]113[.]69:8080>152[.]230[.]210[.]243:80>33[.]178[.]147[.]47:443>230[.]249[.]137[.]206:443>77[.]111[.]42[.]82:8080>148[.]36[.]34[.]128:80>247[.]183[.]235[.]105:80>2[.]227[.]33[.]244:32182>66[.]166[.]20[.]113:80>249[.]106[.]231[.]200:80>53[.]55[.]101[.]135:80>249[.]170[.]195[.]121:443>187[.]49[.]10[.]36:80>87[.]37[.]16[.]120:80>144[.]185[.]191[.]164:80>31[.]157[.]148[.]7:80>207[.]59[.]157[.]52:80>63[.]46[.]108[.]3:443>138[.]190[.]214[.]147:443>4[.]234[.]7[.]20:8080>31[.]163[.]27[.]222:80>69[.]252[.]228[.]217:80>75[.]168[.]61[.]231:80>254[.]39[.]10[.]106:8080>176[.]244[.]231[.]135:80>200[.]138[.]113[.]207:80>211[.]237[.]65[.]238:443>136[.]52[.]200[.]109:443>203[.]183[.]181[.]9:80>146[.]7[.]197[.]156:443>238[.]76[.]101[.]214:80>236[.]159[.]93[.]94:8080>250[.]49[.]92[.]59:80>40[.]195[.]83[.]240:80>95[.]187[.]232[.]21:80>135[.]167[.]203[.]77:443>61[.]60[.]142[.]161:80>97[.]142[.]176[.]189:80>183[.]29[.]122[.]242:24729>161[.]182[.]143[.]146:80>238[.]78[.]206[.]3:8080>85[.]169[.]221[.]162:80>221[.]123[.]187[.]238:23962>73[.]159[.]153[.]53:8080>81[.]82[.]55[.]68:443>216[.]249[.]30[.]107:80>12[.]184[.]174[.]15:8080>4[.]184[.]167[.]165:443>193[.]130[.]31[.]124:443>250[.]197[.]16[.]148:80>229[.]76[.]4[.]41:52007>220[.]35[.]247[.]72:8080>3[.]255[.]177[.]17:80>180[.]201[.]114[.]90:443>51[.]220[.]140[.]174:80>134[.]115[.]92[.]27:80>41[.]255[.]185[.]45:80>

cptm: 30

key: a7887cc809cf0d4df17fc5dafd03e4e7

pass: 65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097

debug: 0

elg: 1

dl_sl: 0

b_dll: 0

nonul: hxxp://185[.]117[.]72[.]90/upload2[.]php

dnet32: hxxp://download[.]microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe

dnet64: hxxp://download[.]microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe

pshellxp: hxxp://download[.]microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe

pshellvistax32: hxxp://download[.]microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6[.]0-KB968930-x86[.]msu

pshellvistax64: hxxp://download[.]microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6[.]0-KB968930-x64[.]msu

pshell2k3x32: hxxp://download[.]microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe

pshell2k3x64: hxxp://download[.]microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe

cl_fv: 20

fl_fu: hxxps://fpdownload[.]macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_22_active_x[.]exe

mainanti:

  DD1D: 1

  DD2D: 1

  DD3D: 1

  DD4D: 1

  DD5D: 0

  DD6D: 1

  DD7D: 1

  DD8D: 1

  DD9D: 1

  DD10D: 1

  DD11D: 0

  DD12D: 1

  DD13D: 1

  DD14D: 1

  DD15D: 1

  DD16D: 1

  DD17D: 0

  al: hxxp://185[.]117[.]72[.]90/upload[.]php