Fileless Trojan Kovter Poses as Firefox Update

A new version of the Kovter ad Trojan was recently observed to pose as a Firefox update while abusing a legitimate certificate to ensure successful infection.

Historically, Kovter has been observed employing a variety of techniques to ensure that it can successfully compromise computers and can avoid detection at the same time. Last year, researchers noticed that the malware was patching the Adobe Flash Player and Microsoft Internet Explorer applications on the infected systems, to ensure that other threats are kept out.

A few months ago, Check Point discovered that the malware had been updated with ransomware capabilities: it could encrypt user files, though its main focus remained on evasion rather than encryption. The Trojan avoided detection by storing data on registry for infiltration, penetration, reconnaissance, and persistence, researchers also revealed.

Now, Barkly’s malware research team says that a recent Kovter distribution campaign attempted to trick users into installing the malware masqueraded as a legitimate Firefox browser update. The campaign relied on drive-by-downloads to infect users: as soon as the victim accessed an infected website, they were presented with the fake update, the security firm explained.

Researchers also noticed that this fileless piece of malware, which is capable of hijacking computers, installing remotely upgradable access Trojans, executing click-fraud campaigns, and perform ransomware operations, was abusing a legitimate certificate to ensure that traditional antivirus/endpoint solutions aren’t alerted of its presence.

When executed, the malware would write an embedded and encoded script to different locations in the Windows registry and would leverage PowerShell.exe for its nefarious purposes. The registry key analysis revealed another encoded PowerShell program, and researchers observed that PowerShell was abused to inject shellcode in the system.

Kovter was first seen last year to be performing fileless infection, yet this is only one of the updates that it has received in time. In fact, Barkly’s researchers say that the malware has undergone some major changes in the past few years, and that it can even be remotely reprogrammed with more advanced capabilities.

Barkly determined that the legitimate certificate abused in this new attack had been issued by COMODO and informed the Certificate Authority on the issue, so that it could revoke the signature. Moreover, while the new Kovter variant enjoyed zero detection in the first place, antivirus vendors have been updating their coverage and now block it, researchers say.

In the meantime, users can stay protected by avoiding Firefox updates that appear outside of the standard Firefox process. To ensure that they have the latest version of the popular browser, users should head to the About Firefox option in the “Help” menu, which will provide them with information on any available updates and will also offer the possibility to install new versions if necessary.

Users are also advised to install and maintain an anti-malware solution on their computers, which will increase their protection level. They should also keep their software up to date, but should be skeptical of unsolicited or unusual requirements for updates, upgrades, or downloads. Malware authors are constantly seeking new ways to trick users and avoid detection, and even users with knowledge of these tricks might fall victims if they don’t pay enough attention, researchers suggest.

Related: PowerWare Ransomware Abuses PowerShell, Office Macros

Related: Fake Flash Update Serves OS X Scareware