New Kovter Malware Versions Posing as Firefox Updates

Exterminator

Kovter, a well-known click-fraud malware family, has evolved in recent months, yet again, and this time, crooks are disguising new versions as Firefox updates.

The malware has been around for three years and has always been used mainly for performing ad fraud, silently clicking on ads while you're using your computer.

Last year in September, the malware moved from an on-disk operational mode to an in-memory (fileless) system that allowed it to bypass several antivirus detection methods.

New Kovter version still uses an in-memory operational mode
It's an evolution of this in-memory Kovter version that security researchers from Barkly have recently come across.

Distributed via drive-by downloads on hijacked or malicious websites, the malware is hidden inside a fake version of the Firefox browser that gets automatically saved on the user's computer.

Victims who agree to launch this installer will be installing Kovter, which, to bypass security software, also uses a valid digital certificate.

The actual infection process uses PowerShell scripts to inject shellcode into the system, gain boot persistence, and launch the malware into operation. Barkly has informed Comodo about the rogue certificate, so the company could revoke it.

Kovter has a history of constant evolution
Prior to this new distribution method, this past January, Forcepoint observed crooks using Kovter to add victims as proxies in a worldwide online proxy network.

After that, in April, Kovter's authors also added a ransomware component to their malware, which hasn't been that successful when compared to other ransomware families such as Locky, CryptXXX, or Cerber.

Over the years, Kovter has constantly evolved, sometimes in weird directions, but this evolution has allowed it to remain one or two steps ahead of antivirus solutions. This latest version is just another of those updates, and we'll probably see new ones in the coming months.

Security lesson from this article: Don't install Firefox versions that appear on your computer out of thin air. Use the Firefox website, Softpedia download mirrors, or the browser's built-in update tool to get new versions.
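The article's point is that the dropper carried a valid signature, just not Mozilla's. The following PowerShell check is an added example (not from the article, Barkly, or anyone in this thread) that refuses an installer unless its Authenticode signature is both valid and issued to the expected signer; the "CN=Mozilla Corporation" subject fragment and the Downloads path are assumptions for illustration.

```powershell
# Added example: verify a downloaded Firefox installer is signed by Mozilla,
# not merely by *some* trusted CA (a dropper signed with a purchased
# certificate passes a plain "is the signature valid?" check).
function Test-FirefoxInstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: Mozilla's Windows installers are signed with a
        # certificate issued to "Mozilla Corporation". Adjust if your
        # organisation pins a different subject or a thumbprint instead.
        [string] $ExpectedSigner = 'CN=Mozilla Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the signature must be intact and chain to a trusted root.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "signature status is '$($sig.Status)'"
        }
    }

    # Step 2: "Valid" alone is not enough; pin the signer identity.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSigner*") {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "signed by '$subject', expected '$ExpectedSigner'"
        }
    }

    return [pscustomobject]@{
        Path = $Path; Trusted = $true
        Reason = "valid signature from '$subject' (issuer: $($sig.SignerCertificate.Issuer))"
    }
}

# Usage (placeholder path): run against whatever "update" appeared in Downloads.
Test-FirefoxInstallerSignature -Path "$env:USERPROFILE\Downloads\Firefox Setup.exe" | Format-List
```

A file that fails step 2 is exactly the case this thread describes: a valid chain through a public CA, but not Mozilla's own signing certificate.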

Cats-4_Owners-2

I was a bit concerned :eek: reading this after having recently updated Firefox, o_O but now, after reading the closing,
"Don't install Firefox versions that appear on your computer out of thin air. Use the Firefox website, Softpedia download mirrors, or the browser's built-in update tool to get new versions."
Whew...:rolleyes:
I shall now be able to sleep better if not longer!:p

Thank you @exterminator20 for keeping us both on our toes & "Frosty"!:cool:

Theo1352

I suspect that this is what keeps popping up, thank you for the warning.

I always download FF and T'Bird from their respective full installer sites, never from any other source.

That said, how do you stop the pop-up?

kaddy

Malware authors keep getting more clever, don't they? We've got to stay ahead of the game, and we are at a disadvantage, as defense is reactive while their approach is proactively seeking to attack. Penetration testing of networks is becoming increasingly important.

Theo1352

James: Thanks.

I use uBlock Origin and WOT; in addition, the other security layers are Sandboxie, CryptoPrevent, WinPatrol, Panda real-time, and MBAM and HitmanPro on-demand. I've tried NoScript a number of times; it is not a personal preference, but maybe I'll try it again.

I am not infected, not that I know of: I looked for the processes usually associated with Kovter, my system isn't sluggish, I've not downloaded any new software at all (I keep software to a minimum, not much I need these days), and I haven't been to any bad sites.

Just curious why I keep getting the pop-up to download and install FF 47.02, which isn't a valid version. It's coming from my add-on bar, at least that's where it pops up; it's a very tiny pop-up, which is how I knew it wasn't valid, and then it fades in a few seconds.

I only download from Mozilla's full installer sites, and I always check version numbers in three different places before I update.

Thanks.

jamescv7

@Theo1352: Mozilla Firefox must not flag any updates by mistake; verify the version you have, as long as it comes from the built-in updater.

@sy1122: The malware posing as an FF update is not signed by Mozilla but rather by the Comodo Certificate Authority. (equals bypass)

Theo1352

James, I believe you're correct: they don't verify, they just push if you don't have the current version; that's the extent of their verification.

DJ Panda

Yeah, 100 posts though. Yikes. I'd hate to be the forum spammer, I could seriously use them for work on our new product.. testing and stuff.

If you make good quality posts here it isn't that hard. :) The rules there are just a precaution for people who don't know what they are doing.