Connect with us

Hi, what are you looking for?


Malware & Threats

Kovter Trojan Fuels Spike in New Malware Variants

The Kovter Trojan family was responsible for a significant increase in new malware variants in October, a recent report from Symantec reveals.

The Kovter Trojan family was responsible for a significant increase in new malware variants in October, a recent report from Symantec reveals.

The number of new unique malware variants jumped to 96.1 million in October, almost twice the number registered in September (50.1 million), and the Kovter family of threats is responsible for this impressive growth, Symantec says. The malware has increased activity since August, when the number of new variants reached 45.4 million, the security company says.

In January last year, the Trojan was observed in a malvertising campaign involving the AOL ad network and affecting major news sites. In July last year, the ad fraud malware was seen updating Adobe Flash Player and Microsoft Internet Explorer on infected systems, most likely in an attempt to keep other malware off those machines.

In April this year, Kovter was observed adding ransomware capabilities. In early July, the threat was being distributed disguised as an update for the popular browser Firefox, and, by the end of that month, its developers packed it with a new persistence mechanism.

However, Kovter wasn’t the only click-fraud Trojan to have fueled a rise in activity in this malware segment. JS.Nemucod, a downloader that usually spreads through malicious email attachments, and which usually drops Kovter onto infected computers, helped in this regard, the same as Kovter-distributing exploit kits and spammers.

October also brought the Mirai botnet to the spotlight after Internet of Things (IoT) devices infected with it were used in powerful distributed denial of service (DDoS) attacks. One of these attacks, targeting DNS provider Dyn, knocked well-known websites, such as Spotify, Twitter, and PayPal offline for many users.

Another noteworthy piece of malware in October was Trojan.Odinaff, which was used by people Symantec has tied to the Carbanak group. The Trojan was used in a series of attacks against financial organizations around the globe. Its operators also launched attacks on SWIFT users, the security company says.

Advertisement. Scroll to continue reading.

October also marked RIG’s second month at the top of the exploit kit (EK) segment, as it accounted for 37.4% of the entire EK activity observed. Magnitude managed to climb to the second position, with a 45% increase in usage, while RIG’s usage went up by 69%. During the month, Symantec blocked up to 460,000 web attacks per day, an increase from the previous month. This increase isn’t fueled only by an uptick in EK usage, the security company explains.

“Search engines, for example, came under fire in October when a report found that the number of malicious results returned in searches is continuingly growing, with six times as many web page threats found in results in 2016 compared to 2013,” Symantec says.

The U.S. presidential election represented an opportunity for cybercriminals to increase their malware and spam distribution. Helped by election-related spam, the global spam rate reached 54.1%, the highest rate since November 2015.

Spam emails containing malicious Windows Script File (WSF) attachments increased significantly over the past seven months. In October alone, Symantec blocked over 2.2 million such emails distributing the Locky ransomware.

The phishing rate last month dropped to one in 5,313 emails, with Public Administration being hit the most, at one in 2,814 emails. Businesses with 1,501-2,500 employees were targeted the most by phishers during the month: they experienced a rate of 1 in 3,037 emails being a phish attempt.

While Symantec didn’t find new Android malware families in October, the company did notice that the number of Android variants per family went up to 57. “Mobile malware developers seem to be taking more time to improve existing threats rather than creating completely new ones,” the security company says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.