Kovter, the click-fraud trojan first detected in 2015, is back with a brand-new trick. The malware no longer keeps its components on disk; it now resides in memory and the registry, in hopes of evading standard antivirus (AV) detection. This new fileless infection capability is a significant evolution for Kovter.
The Cylance Threat Research Group recently analyzed the new infection method used by Kovter. Our research uncovered a potential design misstep which appears early in the malware’s delivery process.
Kovter arrives as an email attachment compressed with 7-Zip (.7z) instead of the common .zip format, which Microsoft Windows® can open natively. Users who do not have 7-Zip installed are prompted by Windows to select a program for opening the infected attachment. This interruption in the infection process gives users the opportunity to reexamine the situation, which may diminish the overall success rate of Kovter.
The executed shellcode calls Kovter’s encrypted payload from the second infected registry entry. Kovter’s payload then launches and injects itself into a regsvr32.exe process. At this point the malware has successfully (Read more...)
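Two defender-side checks that follow from the description above, as an added example that is not from the Cylance post: a scan of a registry export for large, high-entropy values (a payload kept in the registry rather than on disk) and a filter over process-creation records for regsvr32.exe instances that carry no module to register or are started from a user-writable directory (an empty regsvr32.exe is a plausible injection host). The .reg text, the key names (Contoso, .a1b2c3), the process records and the size/entropy thresholds are all constructed assumptions, not values observed in Kovter.

```python
import math
import re
from typing import Dict, List, Tuple

# ---- Constructed sample inputs (assumptions, not artefacts of a real infection) ----

def _filler_hex(n: int) -> str:
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    x = 0x2545F491
    out = []
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out.append(f"{(x >> 16) & 0xFF:02x}")
    return ",".join(out)

def _wrap_hex(hexstr: str, per_line: int = 25) -> str:
    """Break a hex list into regedit-style continuation lines (comma, backslash, indent)."""
    parts = hexstr.split(",")
    lines = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return ",\\\n  ".join(lines)

SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="C:\\\\Program Files\\\\OneDrive\\\\OneDrive.exe /background"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Contoso\\Settings]\n"          # hypothetical vendor key
    '"WindowPos"=hex:10,00,00,00,20,00,00,00\n'
    '"Theme"="dark"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Classes\\.a1b2c3]\n"          # hypothetical blob location
    '"Data"=hex:' + _wrap_hex(_filler_hex(8192)) + "\n"
)

# (parent_image, image, command_line): constructed process-creation records
SAMPLE_PROCESS_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"),
    ("C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe", "C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32.exe"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

# ---- Registry export scan ----

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse .reg text into {key_path: [(value_name, raw_data), ...]}."""
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):      # continuation of previous value
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in logical:
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            result[current].append((name, m.group(2)))
    return result

def decode_data(raw: str) -> bytes:
    """Turn the raw .reg data field into bytes for size and entropy checks."""
    low = raw.lower()
    if low.startswith("hex"):                             # hex:, hex(2):, hex(7): ...
        body = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    if low.startswith("dword:"):
        return bytes.fromhex(raw.split(":", 1)[1].zfill(8))
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"').encode("utf-8", "replace")
    return raw.encode("utf-8", "replace")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_payload_blobs(text: str, min_size: int = 4096, min_entropy: float = 6.0):
    """Flag values large and random-looking enough to be a stored payload (thresholds are assumptions)."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, raw in values:
            data = decode_data(raw)
            if len(data) >= min_size:
                ent = shannon_entropy(data)
                if ent >= min_entropy:
                    hits.append((key, name, len(data), round(ent, 2)))
    return hits

# ---- Process-creation filter ----

def suspicious_regsvr32(events):
    """Flag regsvr32.exe with no module argument, or spawned from a user-writable path."""
    flagged = []
    for parent, image, cmdline in events:
        if not image.lower().endswith("\\regsvr32.exe"):
            continue
        args = cmdline.split()[1:]                        # naive split; quoted paths need real parsing
        has_module = any(a.lower().rstrip('"').endswith((".dll", ".ocx", ".ax")) for a in args)
        writable_parent = any(s in parent.lower() for s in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))
        if not has_module or writable_parent:
            flagged.append((parent, cmdline))
    return flagged

if __name__ == "__main__":
    for hit in find_payload_blobs(SAMPLE_REG):
        print("registry blob:", hit)
    for item in suspicious_regsvr32(SAMPLE_PROCESS_EVENTS):
        print("regsvr32 host:", item)
```

Run against a `reg export HKCU` dump, the blob scan will also surface legitimate large values (cached thumbnails, serialized settings), so treat it as a triage list and tune the thresholds per fleet; the process filter is meant to run over Sysmon-style event 1 records rather than the constructed tuples above.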
This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog