MALWARE - Kovter has targeted JLab for 2016

The malware known as Kovter has seen a noticeable uptick at JLab during the previous week.

Here we will discuss what it is, how Jefferson Lab machines are getting infected, and why you should care about it even if you are a hardened veteran when it comes to dealing with malware.

So, what is Kovter?

Like most malware, its end goal is to make money at your expense. This particular strain generates revenue by turning the host machine into an automated ad clicker (ad fraud) and sometimes goes as far as downloading ransomware.

Kovter is entering the JLab environment via emails similar to the following. You should never interact with the attachments on emails like this. Forward them to spam@jlab.org and then delete them.

It doesn't have to be this interfax spoof; the lure can be anything: FedEx, UPS, airline tickets, IRS/tax statements, Costco/Walmart/Amazon orders, etc.

Unzipping the attached file:

Archive:  fax_0000993753.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     2242  01-16-2016 16:18   fax_0000993753.doc.js

Inside the zip file is actually JavaScript, but on Windows machines it may appear to be a .doc file because the .js extension is hidden, leaving only fax_0000993753.doc visible.
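As an added illustration (not part of the original post), the following Python script flags archive members that use this double-extension trick, the way a mail gateway or helpdesk triage script might. The archive it inspects is constructed in memory and modelled on the listing above; the extension lists are assumptions and can be extended.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Extensions Windows will execute directly on double-click (assumed list, extend as needed).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat"}
# "Document" extensions used as a decoy in front of the real one, so that with known
# extensions hidden the name looks like an ordinary file (assumed list).
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name: str) -> Optional[str]:
    """Reason string if a zip member name looks like a disguised script, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        # e.g. fax_0000993753.doc.js is shown as "fax_0000993753.doc" once .js is hidden
        return f"script {suffixes[-1]} disguised as {suffixes[-2]}"
    return f"executable content ({suffixes[-1]}) inside an emailed archive"


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every suspicious file in an in-memory archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the post's listing: one decoy-named script plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_0000993753.doc.js", "// constructed placeholder, not the real script\n")
        zf.writestr("readme.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```

Names are matched case-insensitively, so INVOICE.PDF.JS is caught as well as the lowercase form.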

The contained javascript code:

This JavaScript downloads a malicious executable onto the machine and then runs it, at which point the machine is infected.

Keep in mind the domains listed at the top of the script and compare them with this JLab log entry.

Here we have a JLab IP, partially blacked out for privacy, accessing one of the domains listed in the javascript above.

Shortly afterwards some alerts are triggered.

Looking at the registry of the machine(s) in question.

The end result of this is a machine that is not safe for use and ultimately a loss in productivity for JLab.

Cyber must spend time investigating.

Helpdesk must spend time returning the machine to a safe working condition.

The primary user(s) of the machine are inconvenienced by having their machine worked on.

And last but not least, anyone working on projects with the person in question is also affected by their co-worker's productivity loss.

So, even if you are doing everything right when it comes to dealing with malicious emails, please help us in protecting Jefferson Lab and report any suspicious emails by forwarding them to spam@jlab.org.

If you are one of the people who has been fooled by these tricks, just remember: unless you're 100% certain the email is valid, DO NOT OPEN IT, and read this list of tips.

- Jefferson Lab Cyber Security