2017-06-29 - KOVTER INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-29-Kovter-infection-traffic-2-pcaps.zip   7.6 MB (7,634,352 bytes)

• 2017-06-28-Kovter-infection-traffic.pcap   (8,271,730 bytes)
• 2017-06-29-Kovter-infection-traffic.pcap   (4,082,112 bytes)

• 2017-06-29-Kovter-emails-and-malware.zip   706.1 kB (706,076 bytes)

• 2017-06-28-UPS-malspam-0038-UTC.eml   (3,852 bytes)
• 2017-06-28-UPS-malspam-2221-UTC.eml   (3,497 bytes)
• 2017-06-28-Kovter-sample.exe   (503,434 bytes)
• 2017-06-29-Kovter-sample.exe   (476,867 bytes)
• UPS-Delivery-5874287.doc.js   (1,681 bytes)
• UPS-Delivery-5874287.zip   (1,448 bytes)
• UPS-Parcel-ID-8772984.doc.js   (1,671 bytes)
• UPS-Parcel-ID-8772984.zip   (1,450 bytes)

 

EMAILS

Shown above:  Screenshot from an emails (1 of 2).

 

Shown above:  Screenshot from an emails (2 of 2).

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-28 as 00:38 UTC
• From:  bappidgreat@server003.webhosting24x7[.]net
• Subject:  Delivery Notification, ID 5874287
• Attachment:  UPS-Delivery-5874287.zip

• Date:  Wednesday 2017-06-28 as 22:21 UTC
• From:  maligin@bitrix272.timeweb[.]ru
• Subject:  Problems with item delivery, n.8772984
• Attachment:  UPS-Parcel-ID-8772984.zip

 

Shown above:  Example of an extracted .js file from the attached zip archives.

 

TRAFFIC

Shown above:  Traffic from the infection on 2017-06-28 filtered in Wireshark.

 

Shown above:  Traffic from the infection on 2017-06-29 filtered in Wireshark.

 

PARTIAL URLS RECOVERED FROM THE .JS FILES:

• amis-spb[.]ru - GET /counter [followed by long string of characters]
• artdecorfashion[.]com - GET /counter [followed by long string of characters]
• desinano[.]com[.]ar - GET /counter [followed by long string of characters]
• elita5[.]md - GET /counter [followed by long string of characters]
• goldwingclub[.]ru - GET /counter [followed by long string of characters]
• modx.mbalet[.]ru - GET /counter [followed by long string of characters]
• natiwa[.]com - GET /counter [followed by long string of characters]
• perdasbasalti[.]it - GET /counter [followed by long string of characters]
• resedaplumbing[.]com - GET /counter [followed by long string of characters]

POST-INFECTION TRAFFIC:

• Various IP addresses and over TCP ports 80, 443, and 8080.

Shown above:  Post-infeciton traffic is similar to what we've seen before with Kovter.

 

FILE HASHES

SHA256 HASHES FOR THE ASSOCIATED MALWARE:

• f24ea3eaf788302a4af13a63cd44624edabb86d2c8b96482b0c7422fb982bb2d - UPS-Delivery-5874287.zip   [email attachment]
• 708dbe2ac4d71502e59984aba525ae7cf2401308b9017c347d734a8e9fcc95ec - UPS-Delivery-5874287.doc.js   [extracted .js file]
• 45489e63844a6ac3e72f2a4ba1799d99558908b3c9eea398c81a98c93af94f43 - 2017-06-28-Kovter-sample.exe   [follow-up malware]

• 28f36adc74fd31724c24702223073efea14f9759f43b99a395df933cfe4fe9da - UPS-Parcel-ID-8772984.zip   [email attachment]
• 76bbeb10f02697952612a83b991570070b7c1598abef3383b7f2182b9072e0da - UPS-Parcel-ID-8772984.doc.js   [extracted .js file]
• 26b1f1df386879044711fd6aeba55d6de8590409cd47d09f2b06211199bf00f2 - 2017-06-29-Kovter-sample.exe   [follow-up malware]

 

IMAGES

Shown above:  An example of post-infection artifacts noted on the infected hosts.

 

Shown above:  Other artifacts consistent with a Kovter infection.

 

Shown above:  As with other Kovter infections, the associated Windows registry key cannot be viewed.

 

Shown above:  An error I got each time shortly after the infection.

 

Click here to return to the main page.