Kovter, the click-fraud trojan first detected in 2015, is back with a brand-new trick. The malware has moved its disk-based residency into memory and the registry, in hopes of evading standard antivirus (AV) detection. This new fileless infection capability is a significant evolution for Kovter.
The Cylance Threat Research Group recently analyzed the new infection method used by Kovter. Our research uncovered a potential design misstep which appears early in the malware’s delivery process.
Kovter arrives as an email attachment compressed by 7-zip (.7z) instead of the common .zip compression which Microsoft Windows® can open natively. Those who do not have 7-zip installed are prompted by Windows to select a program for opening the infected attachment. This interruption in the infection process gives users the opportunity to reexamine the situation, which may diminish the overall success rate of Kovter.
The executed shellcode retrieves Kovter’s encrypted payload from the second infected registry entry. Kovter’s payload then launches and injects itself into a regsvr32.exe process. At this point the malware has successfully infiltrated the system using only remote calls and available system resources, without writing an executable to disk. The fileless attack is a success.
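As an added defensive illustration (this is not code from Cylance or from the Threat Spotlight report), the heuristics below encode the two observable points of the chain described above and the PowerShell angle mentioned later in the post: a large, high-entropy registry value that could hold an encrypted payload, and regsvr32.exe being started by PowerShell or launched with no DLL to register. The sample telemetry, field names and thresholds are constructed assumptions, not Kovter artifacts.

```python
import math
from collections import Counter

# Constructed sample telemetry (invented for this example, not real Kovter data).
PROCESS_EVENTS = [
    {"pid": 1, "parent": "explorer.exe", "child": "notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 2, "parent": "powershell.exe", "child": "regsvr32.exe", "cmdline": "regsvr32.exe"},
    {"pid": 3, "parent": "explorer.exe", "child": "regsvr32.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Windows\\System32\\example.dll"'},
]

REGISTRY_VALUES = {
    r"HKCU\Software\ExampleApp\InstallPath": b"C:\\Program Files\\ExampleApp",
    # Stand-in for an encrypted payload blob: 1 KiB covering every byte value equally.
    r"HKCU\Software\abc123\stage2": bytes(range(256)) * 4,
}

MIN_BLOB_SIZE = 512      # bytes; smaller values are unlikely to be a payload (assumed threshold)
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or compressed data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_registry_values(values):
    """Names of registry values large and random-looking enough to be a stored payload."""
    return [name for name, data in values.items()
            if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD]


def suspicious_process_events(events):
    """PIDs where regsvr32.exe is spawned by PowerShell or started without a DLL to register."""
    flagged = []
    for ev in events:
        if ev["child"].lower() != "regsvr32.exe":
            continue
        args = ev["cmdline"].split(maxsplit=1)
        # A legitimate regsvr32 invocation names a module; an injection host often does not.
        no_module = len(args) < 2 or not args[1].lower().rstrip('"').endswith(".dll")
        if ev["parent"].lower() == "powershell.exe" or no_module:
            flagged.append(ev["pid"])
    return flagged


if __name__ == "__main__":
    print("registry:", suspicious_registry_values(REGISTRY_VALUES))  # ['HKCU\\Software\\abc123\\stage2']
    print("processes:", suspicious_process_events(PROCESS_EVENTS))  # [2]
```

Real telemetry would come from Sysmon process-creation events and a registry export; the thresholds are starting points to tune against a baseline of benign values.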
Further details on how Kovter tries to obfuscate its presence and how it establishes persistence on a system can be found in our Threat Spotlight report.
Click-fraud malware is designed to exploit pay-per-click (PPC) online advertising. When your IT resources are hijacked into serving the shady agenda of anonymous fraudsters, you lose technical productivity.
Furthermore, once your security has been compromised, the same approach may be used to compromise it again. Malware already on your system may also be modified to make a second or third intrusion easier and less detectable.
Customers of our endpoint protection product CylancePROTECT® will be glad to learn that Kovter poses no threat to their systems. When the malware downloads its executable payload, Cylance immediately convicts the infected file.
Our solution also blocks the execution of the malicious PowerShell scripts, meaning CylancePROTECT stops Kovter in multiple ways. The threat actors behind Kovter have learned a few new tricks, but they still lag far behind the predictive powers of the AI-driven CylancePROTECT.