
Poweliks made headlines in 2014 as the first persistent, fileless, registry-based malware. This technique had not been seen before Poweliks (Trojan.Poweliks) arrived, but it was only a matter of time until other malware authors adopted it. A variant of Kovter (Trojan.Kotver), first seen in May 2015, looks to be one of the first to incorporate techniques from Poweliks in order to evade detection and remain persistent on the compromised computer.

When the new Kovter variant compromises a computer, the Trojan has the ability to reside only in the registry and not maintain a presence on disk. It accomplishes this by using registry tricks in an attempt to evade detection. The threat is also memory resident and uses the registry as a persistence mechanism to ensure it is loaded into memory when the infected computer starts up.

The Kovter malware family has been around since at least 2013 and has evolved over time. The threat rose to prominence in 20 thanks to its association with traditional ransomware ( ) which locks a victim's computer screen and displays a message demanding a fine for illegal activity. However, Kovter itself is known to perform click-fraud activities.

Similar to Poweliks, Kovter (version 2.0.3 onwards) has memory-resident, fileless capabilities and uses several techniques to persist in the registry. During initial infection, Kovter checks to see if PowerShell is already installed on the compromised computer. If PowerShell is not found on the computer and internet access is available, then the Trojan downloads a version of the framework. If no internet access is available at the time of infection, then Kovter reverts to being a more traditional file-based malware.

In a fileless infection, Kovter adds a value to one or more of the registry run keys to execute JavaScript using the legitimate MSHTA program.

Figure 1. Registry run key value used to execute the malicious JavaScript

Once executed, this JavaScript runs another layer of JavaScript from a different Kovter registry entry. This second JavaScript decodes and executes a malicious Kovter PowerShell script stored within the same JavaScript.

Figure 2. Kovter registry entry containing second JavaScript

The PowerShell script then executes shellcode that decrypts and loads the main Kovter module into memory from a registry entry, as seen in figure 2. After a fileless infection, Kovter then deletes the initial file infector from disk. A similar technique was implemented by Poweliks.

Similar to Poweliks, Kovter attempts to protect its registry entries by using a value name that starts with a null or 0 byte character followed by a string of hexadecimal characters (such as "\x007a865e5da", where "\x00" is the null character). The null character makes it difficult to view the run key values using tools such as Regedit, as they expect registry value names to use printable characters.

Figure 3. Regedit error when opening Kovter's run key

Similar to other common threat actors, the attackers behind Kovter have opted for an affiliate business model to push their threat onto victims' computers. This has led to the Trojan's distribution method changing over time. Lately, these methods have included malvertisement campaigns targeting adult content websites and news sites. The following exploit kits have reportedly been used to spread the Kovter malware through these attacks:

More recently, Kovter has been one of many threats included in a spam campaign's malicious file attachments. These attachments arrive in various forms, such as .zip files containing malicious JavaScript or . If the files are executed, then they download Kovter and other malware onto the spam recipient's computer.

Figure 4. Example of malicious spam emails spreading Kovter

While there are no indications to suggest that Kovter is targeting specific regions, Symantec's telemetry clearly shows that the US is the most affected region.

Figure 5. Top 10 regions reporting Kovter detections

Other impacted areas include the UK, Canada, Germany, Australia, and Japan.

It was inevitable that other malware authors would implement the techniques used by Poweliks. With these updates, Kovter's association with ransomware no longer aligned with its stealthy, persistent nature.
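As an added defender-side example (not code from the Symantec write-up), the following Python script turns the two persistence observations above into a triage check for Run key contents: it flags value names that contain a null or other control character, which Regedit cannot display, and value data that launches MSHTA with an inline javascript: or vbscript: URL or PowerShell with an encoded payload. The sample entries are constructed for this example (the null-prefixed name copies the page's "\x007a865e5da"); the key list and the regular-expression heuristics are assumptions, and enumerate_run_values uses the standard winreg module only when run on a Windows host.

```python
import re
import sys

# Run keys that registry-resident persistence typically abuses
# (assumed list for this example; extend it for your environment).
RUN_KEY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Heuristics for value data worth a closer look (assumptions for this example).
SUSPICIOUS_DATA = [
    (re.compile(r"\bmshta(\.exe)?\b.*\b(javascript|vbscript):", re.I),
     "mshta executing inline script"),
    (re.compile(r"\bpowershell(\.exe)?\b.*(-enc\b|-e\b|frombase64string|\biex\b|invoke-expression)", re.I),
     "powershell with encoded or evaluated payload"),
]


def has_unprintable_name(name: str) -> bool:
    """True when a value name holds a NUL or other control character.
    Regedit expects printable names, which is why such entries are hard to inspect."""
    return any(ord(ch) < 0x20 for ch in name)


def scan_run_values(values):
    """values: iterable of (value_name, data) pairs, as winreg.EnumValue yields them.
    Returns a list of (repr(value_name), [reasons]) for suspicious entries."""
    findings = []
    for name, data in values:
        reasons = []
        if has_unprintable_name(name):
            reasons.append("value name contains a NUL/control character")
        text = data if isinstance(data, str) else str(data)
        for pattern, label in SUSPICIOUS_DATA:
            if pattern.search(text):
                reasons.append(label)
        if reasons:
            findings.append((repr(name), reasons))
    return findings


def enumerate_run_values(hive_name="HKCU", path=RUN_KEY_PATHS[0]):
    """Live enumeration on Windows. winreg reads names through the Win32 API,
    so NUL-prefixed names come back intact, unlike in Regedit's display."""
    import winreg  # only available on Windows
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    out = []
    with winreg.OpenKey(hive, path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once no more values remain
                break
            out.append((name, data))
            index += 1
    return out


# Constructed sample of what a Run key enumeration might return.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # Kovter-style entry: NUL-prefixed hex name, MSHTA launching inline JavaScript.
    ("\x007a865e5da", 'mshta "javascript:/* constructed placeholder for a second-stage loader */"'),
    # Constructed entry showing the encoded-PowerShell heuristic.
    ("Updater", "powershell.exe -w hidden -enc <base64 omitted>"),
]


if __name__ == "__main__":
    values = enumerate_run_values() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for name_repr, reasons in scan_run_values(values):
        print(f"{name_repr}: {', '.join(reasons)}")
```

Running the script on a non-Windows host uses the constructed sample and reports the two suspicious entries; on Windows it enumerates HKCU's Run key, and the same scan_run_values function can be pointed at HKLM and RunOnce by passing the other hive and path. A value name that Regedit refuses to open but winreg lists cleanly is itself a strong signal worth escalating.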
