January 21, 2016

Kovter Actors Now Turning Machines Into Zombies

Nicholas Griffin Security Researcher

For a while now, actors have been distributing the Kovter click-fraud malware in e-mails via JavaScript attachments. Recently however, we noticed a Kovter e-mail campaign that was attempting to download proxy software onto users' machines via a JavaScript downloader. Whilst not malicious by itself, the proxy software (ProxyGate) is silently installed by the malware and automatically registered on the ProxyGate network. This means that the user's machine can be used for subsequent network traffic by anybody using ProxyGate, essentially making the machine a zombie for anybody's use. At the time of writing this blog, the actors were no longer using malware to download ProxyGate and have reverted to their usual distribution of the Kovter and Miuref malware families.

E-mail Lure

The e-mail lures we are seeing for this campaign have a consistent fax-related theme:

fig 1. E-mail lure

These e-mails usually contain a ZIP file attachment with a malicious JavaScript (JS) file inside, but there are also some e-mails which contain a clickable link such as in fig 1. Interestingly, these links abuse an open redirect on a well known Alexa top 10 site which takes the user to the attacker controlled website, and tries to download a ZIP containing a malicious JS downloader.

UPDATE: (January 25, 2016) We are now able to disclose that the open redirect is located on a Google sub-domain. We are working with Google who are currently addressing the issue.

fig 2. ZIP file containing malicious JS file.

Forcepoint has notified the 'Alexa top 10 site' regarding the open redirect abuse.

JS Downloader

The malicious JS file inside the ZIP files for this campaign are obfuscated malware downloaders. When the script is deobfuscated it is clear that the intention is to download and run 3 executables:

fig 3. Deobfuscated malicious JS downloader

Typically, we see the Kovter and Miuref malware families downloaded by these scripts, but in this instance once of the executables that we saw was a new, albeit primitive malware, that we are naming "PGDownloader".

PGDownloader & ProxyGate Installation

When PGDownloader is executed it will begin logging events to its command-and-control (C&C) server, while downloading and silently installing the ProxyGate software in order to turn our machine into a zombie. This is not a new concept from malware actors, and we have blogged on the topic in the past in relation to the Bunitu malware.

Here is the full log that it sent to its C&C when we analyzed the malware:

i am in DownloadThread
Thread Download Complete!
DownloadThread done!check file...
Start Install Thread
[PageIndex:0] Click NextButton
[PageIndex:1] Click 'accept the agreement'
[PageIndex:1] Click NextButton
[PageIndex:2] Click NextButton
[PageIndex:3] Click 'Don't create a Start Menu folder'
[PageIndex:3] Click NextButton
[PageIndex:4] Click NextButton
[PageIndex:5] Click InstallButton
[PageIndex:7] Click FinishButton
[PageIndex:7] Done!
Run cloud...
everything is done!delete me now..

Each log event is a unique HTTP request to the C&C server with a user-agent of "reportlog" or "f[redacted]ing", making this quite a noisy piece of malware:

fig 4. PGDownloader network traffic

As shown in fig 4, PGDownloader downloads an executable named pgppi.exe which is the ProxyGate software that will be installed. This is actually a graphical installer wizard:

fig 5. ProxyGate setup wizard

However, PGDownloader silently installs the software by creating a new and invisible desktop with the CreateDesktop Windows API, and then finds and clicks the buttons on the wizard automatically.

After installation PGDownloader launches the Cloud.exe component of ProxyGate which will automatically register the machine as part of the ProxyGate network. This means that any users of ProxyGate can now use our machine in order to browse the Internet, which of course includes the ability to conduct illegal activity.

At the time of this blog there are over 7,000 IP addresses available to use on the ProxyGate network, although it is unknown how many of these were registered on the network as a result of PGDownloader.

Customer Protection

Forecepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
  • Stage 5 (Dropper) - The malware is prevented from being downloaded from the malicious URLs.
  • Stage 6 (Backchannel Traffic) - Attempts by the malware to contact its command-and-control server are detected and blocked.


Malware actors are always seeking new opportunities and new malware that can improve their success rates. PGDownloader provides an easy way for these actors to expand their infrastructure in order to use more machines for malicious purposes, and in turn hide the attackers' identities behind other machines. It is important to remain vigilent when receiving suspicious e-mails, making sure not to run any files unless you are absolutely sure that the e-mail comes from a trusted source and that you have the appropriate security products installed that can identify threats such as these.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.