- Oct 23, 2012
Kovter, a well-known click-fraud malware family, has evolved in recent months, yet again, and this time, crooks are disguising new versions as Firefox updates.
The malware has been around for three years and has always been used mainly for performing ad fraud, silently clicking on ads while you're using your computer.
Last year in September, the malware moved from an on-disk operational mode to an in-memory (fileless) system that allowed it to bypass several antivirus detection methods.
New Kovter version still uses an in-memory operational mode
It's an evolution of this in-memory Kovter version that security researchers from Barkly have recently come across.
Distributed via drive-by downloads from hijacked or malicious websites, the malware is hidden inside a fake Firefox installer that is silently saved to the user's computer.
Victims who agree to launch this installer end up installing Kovter, which also carries a valid digital certificate to slip past security software that trusts signed code.
The infection itself is carried out by PowerShell scripts that inject shellcode into the system, set up boot persistence, and launch the malware. Barkly has informed Comodo about the rogue certificate so the company can revoke it.
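The persistence described above (a PowerShell command line, rather than a binary on disk, launched at boot) is the sort of thing a defender can hunt for in autorun locations. The following is an added example and not code from the article, from Barkly, or from Kovter; it is a generic heuristic, not a Kovter signature. The autorun entries it scans are constructed for the example (the value names, paths and registry key `HKCU:\Software\Example` are made up), and the indicators it looks for are assumptions about what a legitimate Run-key entry rarely does: start PowerShell with a hidden window, pass it a Base64-encoded command, or have it evaluate a registry value with `IEX`.

```python
import base64
import re

# Heuristic indicators for a fileless PowerShell autorun. These are generic
# assumptions about suspicious Run-key values, NOT Kovter-specific signatures.
PS_EXE = re.compile(r"powershell(?:\.exe)?", re.I)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.I)            # -w / -win / -WindowStyle hidden
NO_PROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)            # -nop / -NoProfile
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
EVAL_FROM_REGISTRY = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\bget-itemproperty\b", re.I | re.S
)


def decode_encoded_command(b64: str):
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE).
    Returns None when the argument is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_entry(name: str, command: str) -> dict:
    """Classify one autorun (Run-key) value. An entry is flagged when it
    launches PowerShell AND shows at least one evasion trait."""
    result = {"name": name, "suspicious": False, "indicators": [], "decoded": None}
    if not PS_EXE.search(command):
        return result
    indicators = ["powershell"]
    if HIDDEN_WINDOW.search(command):
        indicators.append("hidden_window")
    if NO_PROFILE.search(command):
        indicators.append("no_profile")
    m = ENCODED_CMD.search(command)
    if m:
        indicators.append("encoded_command")
        result["decoded"] = decode_encoded_command(m.group(1))
    # Look for "IEX (Get-ItemProperty ...)" both in the raw command line and
    # in the decoded payload, since the registry read is usually hidden there.
    text = command if result["decoded"] is None else command + "\n" + result["decoded"]
    if EVAL_FROM_REGISTRY.search(text):
        indicators.append("eval_registry_value")
    result["indicators"] = indicators
    result["suspicious"] = any(
        i in indicators for i in ("hidden_window", "encoded_command", "eval_registry_value")
    )
    return result


def scan_run_entries(entries) -> list:
    """Return the names of all suspicious entries, in input order."""
    return [r["name"] for r in (analyze_entry(n, c) for n, c in entries) if r["suspicious"]]


# Constructed sample: (value name, value data) pairs as they would appear in a
# dump of HKCU\...\CurrentVersion\Run. The encoded payload is built here so the
# example is self-contained; none of this is real Kovter data.
ENCODED_PAYLOAD = base64.b64encode(
    'IEX (Get-ItemProperty "HKCU:\\Software\\Example").cmd'.encode("utf-16le")
).decode("ascii")

SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Backup", r"powershell.exe -NoProfile -File C:\Tools\nightly-backup.ps1"),  # plain script: not flagged
    ("updchk", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD),
    ("sysupd", r'powershell -WindowStyle Hidden -c "IEX (Get-ItemProperty HKCU:\Software\Example).cmd"'),
]

if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_ENTRIES:
        r = analyze_entry(name, cmd)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{name:10} {flag:10} {','.join(r['indicators'])}")
        if r["decoded"]:
            print(f"{'':10} decoded: {r['decoded']}")
```

On a real host the input would come from a registry export or from `Get-ItemProperty` over the Run keys of every user hive; the point of the heuristic is that the payload lives in the command line or in another registry value, so scanning files on disk alone finds nothing. Expect some noise from administrative scripts that use `-WindowStyle Hidden`; treat the output as triage leads, not verdicts.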
Kovter has a history of constant evolution
Prior to this new distribution method, this past January, Forcepoint observed crooks using Kovter to enroll infected computers as nodes in a worldwide online proxy network.
After that, in April, Kovter's authors also added a ransomware component to their malware, which hasn't been that successful when compared to other ransomware families such as Locky, CryptXXX, or Cerber.
Over the years, Kovter has constantly evolved, sometimes in weird directions, but this evolution has allowed it to remain one or two steps ahead of antivirus solutions. This latest version is just another of those updates, and we'll probably see new ones in the coming months.
Security lesson from this article: Don't install Firefox versions that appear on your computer out of thin air. Use the Firefox website, Softpedia download mirrors, or the browser's built-in update tool to get new versions.