Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/24/2016
05:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Kovter Trojan Variant Spreading Via Targeted Email Campaign

The authors of a malware sample that has been around for more than two years have yet another trick for distributing it.

The Kovter malware sample that has infected systems around the world for the past couple of years is proving to be a case study in how threat actors constantly tweak their malware to keep one step ahead of the defenders.

Trojan Kovter surfaced about two years ago as a screenlocker and scareware sample masquerading as a law enforcement tool. Since then it has been used in click-fraud and malvertising campaigns, as data-encrypting ransomware, and a malware installation tool.

Kovter’s authors have used a variety of ways to distribute the malware, to avoid detection, and to gain persistence on infected systems. For instance, Kovter is among the first file-less malware tools that resides only in memory and runs from the system registry rather than the disk to evade detection by file-based malware detection products. It also has been seen masquerading as Firefox and Chrome updates and as a JavaScript downloader.

This week, security firm Morphisec reported yet another tweak to the malicious software.  Over a period of four days last week, Morphisec said it identified multiple malicious macro-based documents delivering Kovter via targeted emails.

“Compared to the previous wave in July-August, where it was delivered as Chrome or Firefox update or as a zip file, this time it came as a macro with click-based activation documents,” says Michael Gorelik, vice presient of research and development at Morphisec.  “It was not enough to enable the macro content, the user needed to also click on the image inside the macro,” Gorelik said of a Kovter sample recovered from one of the company’s customers.

The new approach allows the malware to bypass security sandbox approaches that are based entirely on macro enablement alone. The macro writers also added a restriction password on image edit to prevent the sandbox from automatically mapping the macro procedures to be activated, Gorelik said in a technical analysis of the malware.

The modified macro with the click-based execution is not the only feature that’s new in the Kovter sample that Morphisec analyzed last week. In the latest attack, the threat actors behind the campaign also used highly targeted emails to try and lure users into interacting with the macro.

Examples of the targeting included the threat actors approaching potential victims using their actual names, job titles, and company names, Gorelik says.

“Monitoring the latest campaigns, we found the often-used 'invoice/bill' email pattern,” he said in the technical analysis of the malware.

The subject and content in many of the targeted emails purport to inform the victim about an invoice that is due or a payment that needs immediate attention. As with many spear-phishing campaigns, the content in the emails is designed to convey a sense of urgency and threats of dire consequences for failure to act.

Related stories

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
CVE-2021-22155
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.