Kovter Cropped Before Doing Damage

The Network: A holding company that provides commercial and consumer banking. Their IT team is supplemented by SIEMphonic, EventTracker’s co-managed security solution.
 
The Expectation: Robust and up-to-date (anti-virus, next-gen firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Employees have been trained and can be counted on to make good decisions.
 
The Catch: Our SOC analysts observed suspicious network traffic from an internal desktop to external address 209.99.40.222. Our ETIDS component examined the network packets and triggered the alarm: CNC Ransomware Tracker Reported CnC Server TCP group 65.
 
The Find: Kovter is a Trojan that is unusually evasive and persistent. Recent versions have posed as a Firefox or Chrome update. Kovter generates and registers a new random file extension upon installation, and also defines a new shell open verb to handle this specific extension. For that, the malware sets specific registry keys. This ensures that the malicious Kovter command contained in the registry key is executed via the shell extension open verb each time a file with that custom file extension is opened. To ensure that this shell open command is triggered on a regular basis, the Trojan drops a series of garbage files with its custom file extension in different locations. To complete the installation process, the malware sets up the auto-start mechanism that would automatically open these files, and it uses both a shortcut file and a batch (.bat) file for this. The shortcut (.lnk) pointing to the garbage file is dropped in the Windows startup folder. When using a batch script file (.bat), which is dropped in a randomly generated folder, Kovter sets a registry run key to execute it (the .bat will run the garbage file to execute the malicious shell open verb). To remove Kovter completely from an infected computer, anti-virus software needs to remove all of these dropped files, as well as the registry change.
 
The Lesson: The infected endpoint was not covered by the EventTracker sensor. It was caught because the SIEMphonic service also provides network IDS monitoring. Inspection of North/South traffic was instrumental in this catch. Defense in depth is the way to go.