How KovCoreG has changed Kovter to keep up with the times
How KovCoreG has changed Kovter to keep up with the times

Malware authors and cybergangs recently have been credited by industry pundits with altering their behavior, basically moving away from acting like a criminal enterprise and more like a traditional business, but groups like KovCoreG have been functioning in this mode for years.

A legal business spends it's time and energy figuring out new products, developing marketing models and updating distribution methods, something KovCoreG has been doing for at least six years, according to a deep-dive study of the group conducted by Proofpoint's Kafeine. 

During this period KovCoreG started out pushing ransomware, moved over to malvertising all the while shifting between using different exploit kits and social engineering plans. Making moves just like any legitimate business.

“Analyzing the evolution of this actor and their techniques enables us to better understand the increasingly sophisticated techniques employed by crimeware threat actors, and, in particular, the general movement from reliance on automated exploits to the integration of social engineering to carry out infections,” Kafeine wrote.

To go back to the beginning, before there was Kovter there was Zaccess/SecurityShield, a backdoor trojan used to deliver malvertising campaigns that helped install, among other bits of malicious software, scareware such as SecurityShield. This would be injected into a computer and display a pop up stating the computer was infected and needed to be cleaned, which could be accomplished by just clicking on the ad and paying for the service.

“KovCoreG has been at the forefront of malvertising, exploit kit usage, and, as EKs declined, social engineering, while distributing lucrative malware through multiple vectors. Through their relatively long history, the group has adapted to the shifting popularity of scareware, “police locker” ransomware, exploit kits, and, for the last few years, taken advantage of the massive scale and automation of online advertising,” Kaffeine wrote.

KovCoreG carried on happily spreading this malware between 2011 and 2013 using a variety of EKs like Blackhole, Redkit and Sakura.

During this period the cybergang began testing malware that would soon be known as Kovter with a few samples being spotted in late 2012 and running into 2013. The first true version of Kovter appeared in March 2013 using Sakura and the group used the same scareware tactics as earlier, but in August of that year the social engineering was altered to indicate the person could face prosecution if they did not pay.

Interestingly, in these basically pre-digital currency days the attackers requested the “fine” be paid via a Greendot MoneyPak that could be bought at retailers like Walmart, 7-11 and Walgreens.

The next change for Kovter came at the end of 2013 when KovCoreG added filtering and implemented a multistep infection chain to avoid it being spotted by ad agencies and reputation services that had earlier caused the group to restart campaigns.

The Styx EK was then used to drop Kovter starting in March 2014 and at the same time the gang made the move to morph Kovter from ransomware/scareware to ad fraud malware, the form it continues to use today. Other changes around this time included switching to the Sweet Orange EK, then over to Rig, back to Sweet Orange and finally to Nuclear in 2015 and they also used Angler to infect Internet Explorer users. This change also saw the use of fake Flash Player updates replacing their other social engineering to lure in victims.

At this point KovCoreG branched out and began using an affiliate model, or RaaS, as Kovter started appearing in other infection chains.

“KovCoreG also provides a window into the ways in which affiliate models can grow, increasing the footprint of a particular threat while spreading the risk for a single threat actor,” Kafeine said. 

In April 2016 https was added making it harder for researchers to grab complete chains, Kafeine said. 

The following year the gang greatly expanded its malvertising campaigns to include a large number of new brands, including Burberry, Nordstrom and zulily.  

“KovCoreG demonstrates how a financially motivated actor can adapt, evolve, and innovate over several years, influencing the threat landscape while remaining effective and viable as they fly under the radar of law enforcement, the sites and ad networks they abuse, and end users,” Kaffeine said.