Security Experts:

Connect with us

Hi, what are you looking for?



Kovter Trojan Gets New Persistence Mechanism

The actor behind the Kovter Trojan has come up with a new persistence mechanism over the past weeks and also started masquerading the malware as a Chrome update, Microsoft security researchers warn.

The actor behind the Kovter Trojan has come up with a new persistence mechanism over the past weeks and also started masquerading the malware as a Chrome update, Microsoft security researchers warn.

It’s a well-known fact that cybercriminals are constantly updating their malicious applications to ensure increased efficiency, and the people behind Kovter have been very active in this regard over the past several months: in April, they added ransomware capabilities to this file-less Trojan, while starting to masquerade it as a Firefox update several weeks ago.

Now, Microsoft Malware Protection Center (MMPC) researchers reveal that the actor has updated Kovter’s persistence method and that they also observed changes in the latest campaigns associated with this threat. The new persistence method, spotted for the first time last month, makes remediation more difficult for antivirus software, researchers say.

Kovter, already known for its file-less infection capabilities, generates and registers a new random file extension upon installation, and also defines a new shell open verb to handle this specific extension. For that, the malware sets specific registry keys, which ensure that the malicious Kovter command contained in the registry key is executed via the shell extension open verb each time a file with that custom file extension is opened.

As Duc Nguyen, MMPC, explains, all “Kovter needs to do to run on infected machines is open a file with their custom file extension […] – causing the malicious shell open command to run. This in turn runs a command using mshta.”

Although a clean tool, mshta is abused by Kovter for the execution of malicious JavaScript designed to load the main payload from another registry location. To ensure that this shell open command is triggered on a regular basis, the Trojan drops a series of garbage files with its custom file extension in different locations, Nguyen explains. Given that the malicious code is contained within the shell open verb registry key, the content of these garbage files isn’t important.

To complete the installation process, the malware sets up the auto-start mechanism that would automatically open these files, and it uses both a shortcut file and a batch (.bat) file for this. The shortcut (.lnk) pointing to the garbage file is dropped in the Windows startup folder. When using a batch script file (.bat), which is dropped in a randomly generated folder, Kovter sets a registry run key to execute it (the .bat will run the garbage file to execute the malicious shell open verb).

“Instead of just adding the mshta script directly as a run key registry as in the old variant, Kovter is now using this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry change,” the MMPC researcher explains.

Other changes observed in Kovter over the past couple of months include the distribution through a fake Chrome browser update. Previously, the Trojan was pretending to be an Adobe Flash or a Firefox update. What’s more, the malware is now using a series of new digital certificates, which ensure a higher infection rate.

According to Microsoft, each time the Kovter actors release a new wave of samples that have been signed with a new certificate, there is a spike in successful infections. Telemetry data shows that some of the latest updates to the Trojan were made on around May 21, June 14, and in the first week of July.

To stay protected, users are advised to download and update applications only from their original and trusted websites. They should also install and maintain an anti-virus program to ensure that infection attempts are prevented before they could do any harm.

Related: Ad Fraud Trojan Kovter Patches Flash Player, IE to Keep Other Malware Out

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...