What is Kovter Malware?

Kovter Malware

Kovter is stealthy, fileless malware designed to attack Windows computers; it leaves no files on the victim's disk. It evades detection by storing most of its configuration data in the Windows registry, thereby bypassing standard endpoint file inspection. Kovter has also proved resilient by morphing from trojan-based ransomware, which fooled victims into believing the authorities were fining them for "illegal" internet behavior, into a click-fraud trojan, and finally into fileless ransomware. Because of these characteristics, Kovter has been a constant on the Center for Internet Security's list of the most widespread malware in recent years.

The Kovter ad-fraud trojan has been used in a variety of creative schemes, ranging from social engineering techniques to evasion of malware sandbox systems. We discovered and studied a large-scale malvertising campaign by the KovCoreG group, which is well known for distributing Kovter ad-fraud malware and for sitting atop the affiliate scheme that distributes Kovter more widely. Over the course of more than a year, this attack chain exposed millions of potential victims in the United States, Canada, the United Kingdom and Australia, using subtle variations on a fake browser update lure that worked on all three major Windows web browsers.

The Kovter trojan was skillfully designed and employs one of the most capable codebases yet discovered. Kovter borrows its fileless persistence method from the Poweliks malware family, which is widely regarded as one of the most dangerous malware families in circulation today. It achieves persistence without writing a Windows binary to the filesystem, so, depending on the variant, the malware never needs to touch the disk. Kovter injects itself into "regsvr32.exe" to remain memory-resident. The injected code keeps track of its many components to guarantee that it is re-injected into regsvr32.exe at every system startup, keeping the user infected at all times.

Malspam delivered as attachments to phishing emails is one of Kovter's major attack vectors. Once the attachment is opened, the malware writes itself into the registry. It then gains persistence through registry keys and PowerShell, launching itself in a fileless and therefore hard-to-detect way.

Kovter's Discovery

Kovter began as ransomware that impersonated law enforcement. It tried to extort money from its victims as other ransomware does, but in a new way: it locked victims' files and displayed a fraudulent message posing as a 'fine' payment notification from a real law enforcement agency.

At the time of discovery, however, the code was not very effective: it required the right combination of conditions to work well and was readily recognized and removed.

Kovter's Evolution

The next Kovter variant was a click-fraud trojan that differed substantially from the previous version. In this version Kovter used code injection to infect victims, harvested data from the infected machine and forwarded it to the malware's command-and-control site.

Later, in 2015, Kovter changed its capabilities again, evolving into fileless malware that relies on autorun registry entries for persistence. In 2016 it gained a number of new features, including the ability to read its malicious registry entries by spawning a shell.

Towards the end of July 2016, Kovter was detected spreading disguised as malicious Google Chrome and Mozilla Firefox updates. In October 2016 researchers identified a new form of Kovter that could evade security sandboxes that trigger only on macro enabling: arriving as a macro inside infected documents that activates only on a user click, it remained in the wild for much longer.

According to Threatpost, in January 2017 the infamous Locky ransomware was downloading Kovter onto victims' devices. In that case Kovter remained on the affected machine even after the victim paid Locky's operators. In April 2017, threat actors used the Nemucod malware to deliver Kovter to victims through phishing attacks. Since then, numerous threat actors have been seen using Kovter in a variety of ways.

How You Can Defend Your Company Against Kovter

Here are some of the precautions that you can take to protect your company from Kovter.

  • Keep an eye out for the following red flags: fileless malware is difficult to detect; however, because Kovter uses PowerShell, looking for unexpected PowerShell activity and keeping an eye on processes such as mshta.exe and powershell.exe in Task Manager may help.

  • Educate coworkers on proper security hygiene, such as verifying the sender's email address, not auto-downloading attachments, and reporting emails that contain a threat or a lure to the support team.

  • Don't let your guard down: make sure your firewalls, anti-spam filters and anti-virus programs, among other controls, are up to date and robust. If at all feasible, sandbox incoming email to reduce the impact. Check that network security measures are in place as well, especially around shared document repositories such as OneDrive or Team Sites, since a single weak link can propagate malware throughout the firm.

  • To guarantee smooth business continuity and disaster recovery in the event of a malware attack, make sure you have an accurate, up-to-date copy of your valuable data. That is only feasible with a dependable backup and restore solution.
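The monitoring advice above (script hosts such as mshta.exe and powershell.exe, regsvr32.exe as the injection target, and autorun registry entries as the persistence point) can be turned into simple checks over endpoint telemetry. The following is an added example written for this article, not code from any vendor tool; the record fields, the sample values and every `placeholder` string are constructed assumptions.

```python
import re

# Constructed sample records shaped like a Sysmon process-creation export and a dump
# of HKCU Run autostart values. Names and values are placeholders, not real telemetry.
SAMPLE_PROCESSES = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": 'mshta.exe "javascript:placeholder_script"'},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Get-ItemProperty HKCU:\Software\placeholder"},
    {"parent": "powershell.exe", "image": "regsvr32.exe", "cmdline": "regsvr32.exe"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
SAMPLE_RUN_KEYS = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "placeholder_name": 'mshta.exe "javascript:placeholder_script"',
}

# Script hosts the article names as Kovter's launchers.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}
# Command-line traits worth a look: inline script, hidden or encoded PowerShell,
# or a shell reading the registry (where Kovter keeps its payload).
SUSPICIOUS_ARGS = re.compile(
    r"javascript:|vbscript:|-e(?:nc(?:odedcommand)?)?\b|-w(?:indowstyle)?\s+hidden"
    r"|Get-ItemProperty|HKCU:|HKEY_CURRENT_USER", re.I)


def process_findings(events):
    """Return (image, reason) tuples for process records matching Kovter-style traits."""
    findings = []
    for e in events:
        image, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"]
        if image in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(cmd):
            findings.append((image, "script host running inline script or reading the registry"))
        # The article describes regsvr32.exe as Kovter's injection target; a script
        # host as its parent is unusual for a legitimate DLL registration.
        if image == "regsvr32.exe" and parent in SCRIPT_HOSTS:
            findings.append((image, f"regsvr32.exe spawned by {parent}, possible injection target"))
    return findings


def runkey_findings(run_values):
    """Flag autostart values that launch a script host instead of a normal program."""
    return [(name, "autostart value launches a script host")
            for name, value in run_values.items()
            if any(host in value.lower() for host in SCRIPT_HOSTS)]


if __name__ == "__main__":
    for finding in process_findings(SAMPLE_PROCESSES) + runkey_findings(SAMPLE_RUN_KEYS):
        print(*finding)
```

On a real host the same two functions would be fed from Sysmon Event ID 1 records and the HKCU Run key; the patterns are deliberately broad, so triage the hits rather than treating each as an infection.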

Updated on: 04-May-2022
