New Kovter Malware Versions Posing as Firefox Updates

Exterminator
Kovter, a well-known click-fraud malware family, has evolved in recent months, yet again, and this time, crooks are disguising new versions as Firefox updates.

The malware has been around for three years and has always been used mainly for performing ad fraud, silently clicking on ads while you're using your computer.

Last year in September, the malware moved from an on-disk operational mode to an in-memory (fileless) system that allowed it to bypass several antivirus detection methods.

New Kovter version still uses an in-memory operational mode
It's an evolution of this in-memory Kovter version that security researchers from Barkly have recently come across.

Distributed via drive-by downloads on hijacked or malicious websites, the malware is hidden inside a fake version of the Firefox browser that gets automatically saved on the user's computer.

Victims that agree to launch this installer will be installing Kovter, which, to bypass security software, also uses a valid digital certificate.

The actual infection process uses PowerShell scripts to inject shellcode into the system, gain boot persistence, and launch the malware into operation. Barkly has informed Comodo about the rogue certificate, so the company could revoke it.

Kovter has a history of constant evolution
Prior to this new distribution method, this past January, Forcepoint observed crooks using Kovter to add victims as proxies in a worldwide online proxy network.

After that, in April, Kovter's authors also added a ransomware component to their malware, which hasn't been that successful when compared to other ransomware families such as Locky, CryptXXX, or Cerber.

Over the years, Kovter has constantly evolved, sometimes in weird directions, but this evolution has allowed it to remain one or two steps ahead of antivirus solutions. This latest version is just another of those updates, and we'll probably see new ones in the coming months.

Security lesson from this article: Don't install Firefox versions that appear on your computer out of thin air. Use the Firefox website, Softpedia download mirrors, or the browser's built-in update tool to get new versions.
 
I was a bit concerned reading this after having recently updated Firefox, but now, after reading the closing,
"Don't install Firefox versions that appear on your computer out of thin air. Use the Firefox website, Softpedia download mirrors, or the browser's built-in update tool to get new versions."
Whew...
I shall now be able to sleep better if not longer!

Thank you @exterminator20 for keeping us both on our toes & "Frosty"!
 
I suspect that this is what keeps popping up, thank you for the warning.

I always download FF and T'Bird from their respective full installer sites, never from any other source.

That said, how do you stop the pop-up?
 
Malware authors keep getting more clever, don't they? We've got to stay ahead of the game, and we are at a disadvantage, as defense is reactive while their approach is proactively seeking to attack. Penetration testing of networks is becoming increasingly important.
 
James: Thanks.

I use: uBlock Origin and WOT; in addition, the other security layers are: Sandboxie, CryptoPrevent, WinPatrol, Panda real-time, MBAM and Hitman Pro on-demand. I've tried NoScript a number of times; it is not a personal preference, but maybe I'll try it again.

I am not infected, not that I know of: I looked for the processes usually associated with Kovter, my system isn't sluggish, I've not downloaded any new software at all (I keep software to a minimum; not much I need these days), and I haven't been to any bad sites.

Just curious why I keep getting the pop-up to download and install FF47.02, which isn't a valid version. It's coming from my add-on bar, at least that's where it pops up, it's a very tiny pop-up, which is how I knew it wasn't valid, then fades in a few seconds.

I only download from Mozilla's full installer sites, I always check version numbers in 3 different places before I update.

Thanks.
 
@Theo1352: Mozilla Firefox must not flag any updates by mistake; verify the version you have, as long as it comes from the built-in updater.

@sy1122: The malware posing as FF update is not signed by Mozilla but rather from Comodo Certificate Authority. (equals bypass)
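A check that follows from the article and the reply above (the installer carried a valid Comodo-issued certificate, while a genuine Firefox installer is signed by Mozilla): the PowerShell function below is an added example, not code from the article, from Barkly, or from any poster. It reads an installer's Authenticode signature and treats the file as trusted only when the signature is valid and the signer's subject names the expected publisher. The subject string "CN=Mozilla Corporation" and the download path are assumptions; compare against a known-good installer before relying on them.

```powershell
# Added example: verify an installer's Authenticode signer before running it.
# Assumption: a genuine Firefox installer is signed with a certificate whose
# subject contains "CN=Mozilla Corporation" (confirm against a known-good copy).
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubject = 'CN=Mozilla Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # A signature that chains to a trusted CA is not enough on its own: the
    # Kovter installer described above was "valid" too. The publisher must match.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedSubject)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer: $subject" }
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = "Signed by $subject"
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Example use (constructed path): refuse to run anything that fails the check.
$result = Test-ExpectedSigner -Path "$env:USERPROFILE\Downloads\Firefox Setup.exe"
$result | Format-List
if (-not $result.Trusted) { Write-Warning "Do not run this installer: $($result.Reason)" }
```

Run it against the file a pop-up asks you to install; an unsigned file, a revoked certificate, or a signer other than the expected publisher all come back with Trusted set to false and a reason you can act on.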
 
Yeah, 100 posts though. Yikes. I'd hate to be the forum spammer; I could seriously use them for work on our new product... testing and stuff.

If you make good quality posts here it isn't that hard. :) The rules there are just a precaution for people who don't know what they are doing.
 