Kovter is a fileless Trojan that first infected systems as police ransomware and later changed its mode of operation to click fraud. It initially entered systems through Rich Text Format (RTF) files sent as email attachments.
Later it developed into fileless malware, hiding itself in the registry and in a spawned process, and attempted to connect to various URLs as part of its click-fraud activity. Staying fileless lets it remain undetected by anti-virus software.
Fileless malware is a malicious program that removes all traces of itself from the infected system. A PowerShell script is used to decode shellcode onto the system, which then hides in memory and creates no files. Cyber criminals use PowerShell scripts to create threats that are harder to detect and remove.
Kovter initially enters the system when the user downloads illegal files from unknown sources. It remains on the system and tracks user activity. It is triggered under a certain set of conditions and is easy to detect and remove.
The Kovter Trojan was known as police ransomware in its earlier days. It targets the ‘illegal activities of the user’, such as surfing adult sites, and demands a fine by showing a fake message from US Homeland Security, the FBI or the US Justice Department. Since it keeps track of the user’s activities, the ransom message is generated from the tracked user data to make the threat believable.
Ransomware is malware that infiltrates a system through various points of entry, namely:
Once the ransomware takes over your system, it encrypts your files and personal data. These files become inaccessible and a ransom note is displayed. The ransom note demands a specific amount of money in exchange for the decryption key for the files it holds hostage.
Since Kovter camouflaged itself as police ransomware, people were prone to pay the ‘fine’ to hide their faults rather than tackle the threat head-on.
After a period of time Kovter evolved its mode of infiltration to malware spam emails carrying tainted file attachments with the .7z extension. These attachments contain an obfuscated JScript/JavaScript file, which is the first part of a two-part downloader. Once this script is launched it downloads the second part.
The downloaded executable then fetches the main Kovter infection script and stores it in the %TEMP% folder. This script writes binary code and JavaScript code as a ‘random’ entry in the Windows registry. The newly created JavaScript then launches an instance of the Microsoft HTML Application host (mshta.exe).
This code carries a Base64 payload that decodes to a PowerShell script, which loads and executes shellcode in memory. The Kovter malware is then read and executed, and a regsvr32.exe entry is created in the Windows registry. It remains undetected by normal process-list inspection because it hides in the registry entry and process it has just created.
Kovter also adds a call to a batch file, which is responsible for restarting it from its dormant state after a system reboot. It then deletes its downloaded executable from %TEMP% to remove its presence from the disk and remain fileless.
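The infection chain above leaves its persistence in autostart registry values that launch mshta with a script: URL, PowerShell with an encoded command, or regsvr32. The following Python is an added example (not code from the original article or from any Kovter sample) of how a defender might triage exported Run-key values for that pattern. The registry entries, value names and the PowerShell payload are constructed placeholders; the function names (`decode_encoded_command`, `assess_autostart`, `scan_autostarts`) are this example's own.

```python
"""Heuristic triage of Windows autostart (Run-key) values for the Kovter-style
persistence pattern described above. Every sample entry below is constructed
for illustration; none is a real Kovter artifact."""
import base64
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def decode_encoded_command(command_line):
    """Return the decoded text of a PowerShell -EncodedCommand argument, or None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...) and the argument is base64 of UTF-16LE text, so we locate the
    flag by prefix matching and decode the token that follows it."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess_autostart(path, name, data):
    """Score one autostart value; returns a dict with the reasons it was flagged."""
    low = data.lower()
    reasons = []
    # mshta normally opens an .hta file; a javascript:/vbscript: URL is the
    # registry-resident launcher pattern described in the article.
    if "mshta" in low and ("javascript:" in low or "vbscript:" in low):
        reasons.append("mshta launched with a script: URL instead of an .hta file")
    decoded = None
    if "powershell" in low:
        decoded = decode_encoded_command(data)
        if decoded is not None:
            reasons.append("powershell with an encoded (-EncodedCommand) payload")
        for opt in ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden", "-noni"):
            if opt in low:
                reasons.append(f"powershell hidden/no-profile option {opt!r}")
                break
    # Legitimate Run entries almost never need regsvr32 at logon.
    if "regsvr32" in low:
        reasons.append("regsvr32 invoked from an autostart value")
    # Purely hexadecimal value names are a weak hint of generated entries.
    if re.fullmatch(r"[0-9a-f]{6,}", name.lower()):
        reasons.append("value name looks randomly generated")
    return {"path": path, "name": name, "data": data,
            "suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


def scan_autostarts(entries):
    """Return the flagged results for an iterable of (path, name, data) tuples."""
    return [r for r in (assess_autostart(*e) for e in entries) if r["suspicious"]]


def _encode_for_powershell(text):
    """Build an -EncodedCommand argument the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample export: two benign entries and three that match the pattern.
SAMPLE_AUTOSTARTS = [
    (RUN_KEY, "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEY, "a3f9c2",
     'mshta "javascript:/* constructed placeholder, not real Kovter code */"'),
    (RUN_KEY, "updater",
     "powershell.exe -nop -w hidden -enc "
     + _encode_for_powershell("Write-Host 'constructed sample'")),
    (RUN_KEY, "7b1e4d", r"regsvr32.exe /s C:\PLACEHOLDER\constructed.dll"),
]


if __name__ == "__main__":
    for finding in scan_autostarts(SAMPLE_AUTOSTARTS):
        print(f"{finding['path']}\\{finding['name']}: {', '.join(finding['reasons'])}")
        if finding["decoded"]:
            print("  decoded PowerShell:", finding["decoded"])
```

On a live machine the same function can be fed the output of a registry export of the Run and RunOnce keys (HKCU and HKLM), and the decoded PowerShell text is what an analyst reads next to decide whether the entry is the Base64-to-shellcode loader described above.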
Once the malware is active on the PC, it runs many instances of Internet Explorer in the background without user permission to perform click fraud, visiting various websites and clicking on advertisements.
Click fraud is an activity performed by malware in the background, without the user’s knowledge, that clicks on unknown and unsecured website links. These links can become a gateway for more advanced threats. Click fraud generates revenue for the operators through pay-per-click advertising.
Kovter can also use these clicks to download other threats and to update itself so that it stays undetected by anti-virus software. It lowers the security settings of Internet Explorer and sends user information to a remote server.
Name – Kovter Malware
Targeted Operating system – Windows XP, Windows Vista, Windows 7, Windows 8.0/8.1, Windows 10
Category – Malware, Ransomware, Trojan
Symptoms – Adds an entry to the Windows registry that invokes regsvr32.exe, infiltrates via .7z email attachments, performs click fraud without user permission, fileless Trojan
STEP A – Remove Kovter Malware from Task Manager.
[Figure: Task Manager window on Windows 10 and on Windows 7]
2 Right-click on the suspicious file and select Open file location.
3 In the file location window that appears, right-click on the file and click Delete to remove the file permanently from that location.
STEP B – Delete Kovter Malware from the registry.
STEP C – Update all the software on your system.
[Figure: updating system software and protecting the system with Windows Defender]