Security Alert
Barkly Research
Jul 2016

New Strain of Fileless Malware Kovter Posing as Firefox Update

Key Details

  • A new variant of Kovter, a malware family known for click fraud and occasional ransomware, has been disguised as a Firefox update
  • The malware authors were able to sign the malware with a valid digital certificate, which helps it bypass security software
  • Barkly not only detected but also stopped the malware, despite the fact that it had never been seen before


Late last week, we received an alert indicating malicious behavior on one of our Early Access users’ systems. Upon further investigation, it was determined the user had been protected from a drive-by-download — after visiting an infected website they had been tricked into installing malware that was masquerading as a legitimate Firefox browser update.

Analyzing the malware, we discovered it was a new variation of Kovter, a malware family known for hijacking computers, installing remotely upgradable access trojans, executing click-fraud campaigns, and even executing some ransomware.

What makes this new variant particularly nasty is that it's the newer fileless version of Kovter, and it's now signed with an apparently legitimate certificate (see below). That's bad news because a legitimate certificate causes plenty of traditional antivirus/endpoint solutions to give the software a pass.

[Image: kovter_certificate.png, the digital certificate attached to the Kovter sample]


Mitigation and prevention

In this user’s case, we were able to stop the attack before it could do any damage. And the good news is if you have Barkly installed and protection turned on, you’ll be covered against this attack (and other attacks like it), too.

That's true even if attackers make additional changes in an attempt to disguise future iterations, because Barkly doesn’t need to recognize specific malware signatures in order to detect them and stop them from doing harm. It simply watches malware’s behavior as it attempts to execute, and shuts it down when it sees it trying to do something it shouldn’t.

Since we first discovered this particular strain of Kovter, antivirus vendors have started to update their coverage to block it as well. What makes that really exciting is that we were able to kick-start this expansion of protection without any harm coming to the “patient zero” who first suffered the attempted attack.

We’ve also reported the signature abuse to COMODO so they can look into revoking the certificate.

What you can do now

In the meantime, encourage your users not to install any Firefox updates outside of the standard Firefox process. To stay updated, users simply select the Firefox “Help” menu and choose the “About Firefox” option. Firefox will automatically check to see if the user’s browser is up-to-date and provide a method for getting an update if necessary.

Deeper dive

When we performed a post-mortem analysis, we searched for the hash (and various other file attributes) in several community resources, but could not find any reference to the file. This was a previously unknown sample which, after some analysis, we attributed to Kovter.

You can see the sample information we uploaded to VirusTotal here.

As it executed, the malware wrote an embedded, encoded script to several locations in the Windows registry, each of which would launch PowerShell.exe. After decoding the registry key, we found... another encoded PowerShell program! Eventually, we saw PowerShell being used to inject shellcode into the system. By comparing the decryption loop to this Kovter write-up, we confirmed this was most likely a Kovter variant.
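To show the registry-to-PowerShell staging just described from the defender's side, here is an added Python example (not code from Barkly's write-up or from the malware) that unwraps nested -EncodedCommand layers found in autorun registry values; the registry paths, value names and payloads are constructed samples, and the switch prefixes it recognizes (-e, -ec, -enc, -EncodedCommand) are PowerShell's standard abbreviations.

```python
import base64
import re

# PowerShell's encoded-command switch (any unambiguous prefix is accepted) followed by a base64 blob.
ENC_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_layer(blob):
    """Decode one -EncodedCommand payload (base64 wrapping UTF-16LE text), or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_encoded_command(command_line, max_depth=8):
    """Peel nested encoded layers; returns each decoded layer, outermost first."""
    layers = []
    while len(layers) < max_depth:
        match = ENC_SWITCH.search(command_line)
        decoded = decode_layer(match.group(1)) if match else None
        if decoded is None:
            break
        layers.append(decoded)
        command_line = decoded  # the decoded text may itself launch powershell -enc
    return layers


def scan_registry_values(values):
    """Flag registry values that launch PowerShell with an encoded command."""
    findings = []
    for path, data in values.items():
        layers = unwrap_encoded_command(data) if "powershell" in data.lower() else []
        if layers:
            findings.append({"path": path, "depth": len(layers), "script": layers[-1]})
    return findings


def encode_layer(text):
    """Build a base64/UTF-16LE payload; used here only to construct the sample below."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample (hypothetical paths and payloads): a benign Run value and a
# two-layer launcher that mimics the registry-resident staging described in the post.
INNER = "Write-Output 'constructed inner layer'"
MIDDLE = f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {encode_layer(INNER)}"
SAMPLE_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater": r"C:\Program Files\Example\updater.exe /quiet",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fx_update": f"powershell.exe -nop -w hidden -enc {encode_layer(MIDDLE)}",
}

for finding in scan_registry_values(SAMPLE_VALUES):
    print(f"{finding['path']}: {finding['depth']} encoded layer(s) -> {finding['script']}")
```

On a live host the same logic can be fed with values read from the Run, RunOnce and similar autostart keys; a benign value never needs more than zero decoding passes, so any depth above one is worth a closer look.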

Kovter has undergone some major changes in the past few years. As Cybereason recently observed, the malware can be remotely reprogrammed with more advanced capabilities.

Additional tips for preventing attacks

Good user education can generally go a long way to reducing attacks, but as this particular attack demonstrates, even the best of us can be tricked into installing something that appears to be legitimate, or accidentally doing something we wish we could undo.

That makes good security hygiene all the more important. If you haven’t already, it’s a smart idea to adopt the following habits:

  • Limit your users’ access and privileges
  • Keep your software patched and up-to-date, including your antivirus
  • Encourage your users to be skeptical of unsolicited or unusual requirements for updates, upgrades, or downloads

As this new Kovter variant shows, malware is increasingly using sophisticated methods to hide from the operating system and traditional security tools. That’s why we’re using our new form of behavior-based analytics to improve the protection of traditional security solutions like antivirus.

While no single solution is a silver bullet, with the right layers of security tools and practices in place you can protect your users from threats like this — even if they’ve never been seen before.

Learn more and try Barkly out by signing up for a free trial. It's free for 15 days!
