Kovter Trojan Fuels Spike in New Malware Variants

The Kovter Trojan family was responsible for a significant increase in new malware variants in October, a recent report from Symantec reveals.

The number of new unique malware variants jumped to 96.1 million in October, almost twice the number registered in September (50.1 million), and the Kovter family of threats is responsible for this impressive growth, Symantec says. The malware has increased activity since August, when the number of new variants reached 45.4 million, the security company says.

In January last year, the Trojan was observed in a malvertising campaign involving the AOL ad network and affecting major news sites. In July last year, the ad fraud malware was seen updating Adobe Flash Player and Microsoft Internet Explorer on infected systems, most likely in an attempt to keep other malware off those machines.

In April this year, Kovter was observed adding ransomware capabilities. In early July, the threat was being distributed disguised as an update for the popular browser Firefox, and, by the end of that month, its developers packed it with a new persistence mechanism.

However, Kovter wasn’t the only click-fraud Trojan to have fueled a rise in activity in this malware segment. JS.Nemucod, a downloader that usually spreads through malicious email attachments and typically drops Kovter onto infected computers, contributed to the increase as well, as did the exploit kits and spam campaigns that distribute Kovter.

October also brought the Mirai botnet to the spotlight after Internet of Things (IoT) devices infected with it were used in powerful distributed denial of service (DDoS) attacks. One of these attacks, targeting DNS provider Dyn, knocked well-known websites, such as Spotify, Twitter, and PayPal offline for many users.

Another noteworthy piece of malware in October was Trojan.Odinaff, which was used by people Symantec has tied to the Carbanak group. The Trojan was used in a series of attacks against financial organizations around the globe. Its operators also launched attacks on SWIFT users, the security company says.

October also marked RIG’s second month at the top of the exploit kit (EK) segment, as it accounted for 37.4% of the entire EK activity observed. Magnitude managed to climb to the second position, with a 45% increase in usage, while RIG’s usage went up by 69%. During the month, Symantec blocked up to 460,000 web attacks per day, an increase from the previous month. This increase isn’t fueled only by an uptick in EK usage, the security company explains.

“Search engines, for example, came under fire in October when a report found that the number of malicious results returned in searches is continually growing, with six times as many web page threats found in results in 2016 compared to 2013,” Symantec says.

The U.S. presidential election represented an opportunity for cybercriminals to increase their malware and spam distribution. Helped by election-related spam, the global spam rate reached 54.1%, the highest rate since November 2015.

Spam emails containing malicious Windows Script File (WSF) attachments increased significantly over the past seven months. In October alone, Symantec blocked over 2.2 million such emails distributing the Locky ransomware.
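The report only states that WSF attachments were used to deliver Locky; it does not describe a filter. The following is an added example (not Symantec's code and not from the report) showing the kind of attachment check a mail gateway or triage script can apply: it parses a MIME message, flags attachments whose names end in a script extension, and also looks inside .zip attachments, since script droppers are frequently wrapped in an archive. The list of extensions beyond .wsf, the sample message, and the placeholder attachment body are all assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Attachment extensions treated as script carriers. The .wsf entry reflects
# the attachments described in the report; the others are an assumed
# extension of the list for illustration and are not taken from the report.
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1")


def _is_script_name(name: str) -> bool:
    """True if a filename ends in a script extension (also catches 'invoice.pdf.wsf')."""
    return name.lower().endswith(SCRIPT_EXTENSIONS)


def flag_script_attachments(raw: bytes) -> List[str]:
    """Return labels for attachments whose names carry script extensions.

    A .zip attachment is opened in memory and its entry names are checked too.
    Nothing is executed or extracted to disk; only names are inspected.
    """
    flagged = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if _is_script_name(name):
            flagged.append(name)
            continue
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for entry in zf.namelist():
                    if _is_script_name(entry):
                        flagged.append(f"{name}:{entry}")
    return flagged


def build_sample_message(zipped: bool = False, name: str = "invoice.wsf") -> bytes:
    """Build a constructed sample message carrying a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # Placeholder attachment body; it contains no script logic of any kind.
    body = b"<job><script language='JScript'>// placeholder</script></job>"
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, body)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="invoice.zip")
    else:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_script_attachments(build_sample_message()))             # ['invoice.wsf']
    print(flag_script_attachments(build_sample_message(zipped=True)))  # ['invoice.zip:invoice.wsf']
    print(flag_script_attachments(build_sample_message(name="invoice.pdf")))  # []
```

The check keys on the declared filename rather than the MIME type because senders control both and the filename is what the recipient's shell uses to pick an interpreter; a production gateway would combine this with content-type sniffing and, for archives, password-protected and nested archive handling, which are out of scope here.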

The phishing rate last month dropped to one in 5,313 emails, with Public Administration being hit the most, at one in 2,814 emails. Businesses with 1,501-2,500 employees were targeted the most by phishers during the month: one in 3,037 emails they received was a phishing attempt.

While Symantec didn’t find new Android malware families in October, the company did notice that the number of Android variants per family went up to 57. “Mobile malware developers seem to be taking more time to improve existing threats rather than creating completely new ones,” the security company says.