New Kovter Trojan Variant Spreading Via Targeted Email CampaignNew Kovter Trojan Variant Spreading Via Targeted Email Campaign
The authors of a malware sample that has been around for more than two years have yet another trick for distributing it.
October 24, 2016
The Kovter malware sample that has infected systems around the world for the past couple of years is proving to be a case study in how threat actors constantly tweak their malware to keep one step ahead of the defenders.
Trojan Kovter surfaced about two years ago as a screenlocker and scareware sample masquerading as a law enforcement tool. Since then it has been used in click-fraud and malvertising campaigns, as data-encrypting ransomware, and a malware installation tool.
This week, security firm Morphisec reported yet another tweak to the malicious software. Over a period of four days last week, Morphisec said it identified multiple malicious macro-based documents delivering Kovter via targeted emails.
“Compared to the previous wave in July-August, where it was delivered as Chrome or Firefox update or as a zip file, this time it came as a macro with click-based activation documents,” says Michael Gorelik, vice presient of research and development at Morphisec. “It was not enough to enable the macro content, the user needed to also click on the image inside the macro,” Gorelik said of a Kovter sample recovered from one of the company’s customers.
The new approach allows the malware to bypass security sandbox approaches that are based entirely on macro enablement alone. The macro writers also added a restriction password on image edit to prevent the sandbox from automatically mapping the macro procedures to be activated, Gorelik said in a technical analysis of the malware.
The modified macro with the click-based execution is not the only feature that’s new in the Kovter sample that Morphisec analyzed last week. In the latest attack, the threat actors behind the campaign also used highly targeted emails to try and lure users into interacting with the macro.
Examples of the targeting included the threat actors approaching potential victims using their actual names, job titles, and company names, Gorelik says.
“Monitoring the latest campaigns, we found the often-used 'invoice/bill' email pattern,” he said in the technical analysis of the malware.
The subject and content in many of the targeted emails purport to inform the victim about an invoice that is due or a payment that needs immediate attention. As with many spear-phishing campaigns, the content in the emails is designed to convey a sense of urgency and threats of dire consequences for failure to act.
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
The State of Supply Chain Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment