Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Fileless Trojan Kovter Poses as Firefox Update

A new version of the Kovter ad Trojan was recently observed to pose as a Firefox update while abusing a legitimate certificate to ensure successful infection.

A new version of the Kovter ad Trojan was recently observed to pose as a Firefox update while abusing a legitimate certificate to ensure successful infection.

Historically, Kovter has been observed employing a variety of techniques to ensure that it can successfully compromise computers and can avoid detection at the same time. Last year, researchers noticed that the malware was patching the Adobe Flash Player and Microsoft Internet Explorer applications on the infected systems, to ensure that other threats are kept out.

A few months ago, Check Point discovered that the malware had been updated with ransomware capabilities: it could encrypt user files, though its main focus remained on evasion rather than encryption. The Trojan avoided detection by storing data on registry for infiltration, penetration, reconnaissance, and persistence, researchers also revealed.

Now, Barkly’s malware research team says that a recent Kovter distribution campaign attempted to trick users into installing the malware masqueraded as a legitimate Firefox browser update. The campaign relied on drive-by-downloads to infect users: as soon as the victim accessed an infected website, they were presented with the fake update, the security firm explained.

Researchers also noticed that this fileless piece of malware, which is capable of hijacking computers, installing remotely upgradable access Trojans, executing click-fraud campaigns, and perform ransomware operations, was abusing a legitimate certificate to ensure that traditional antivirus/endpoint solutions aren’t alerted of its presence.

When executed, the malware would write an embedded and encoded script to different locations in the Windows registry and would leverage PowerShell.exe for its nefarious purposes. The registry key analysis revealed another encoded PowerShell program, and researchers observed that PowerShell was abused to inject shellcode in the system.

Kovter was first seen last year to be performing fileless infection, yet this is only one of the updates that it has received in time. In fact, Barkly’s researchers say that the malware has undergone some major changes in the past few years, and that it can even be remotely reprogrammed with more advanced capabilities.

Advertisement. Scroll to continue reading.

Barkly determined that the legitimate certificate abused in this new attack had been issued by COMODO and informed the Certificate Authority on the issue, so that it could revoke the signature. Moreover, while the new Kovter variant enjoyed zero detection in the first place, antivirus vendors have been updating their coverage and now block it, researchers say.

In the meantime, users can stay protected by avoiding Firefox updates that appear outside of the standard Firefox process. To ensure that they have the latest version of the popular browser, users should head to the About Firefox option in the “Help” menu, which will provide them with information on any available updates and will also offer the possibility to install new versions if necessary.

Users are also advised to install and maintain an anti-malware solution on their computers, which will increase their protection level. They should also keep their software up to date, but should be skeptical of unsolicited or unusual requirements for updates, upgrades, or downloads. Malware authors are constantly seeking new ways to trick users and avoid detection, and even users with knowledge of these tricks might fall victims if they don’t pay enough attention, researchers suggest.

Related: PowerWare Ransomware Abuses PowerShell, Office Macros

Related: Fake Flash Update Serves OS X Scareware

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...