Kovter Malware - A dangerous and destructive Trojan
Trojan | 05/24/2018

Kovter Malware – A fileless malware that keeps evolving!


What is Kovter Malware?

Kovter Malware is a fileless Trojan that initially infected systems as a police ransomware and later changed its mode of infiltration to that of a click-fraud malware. It entered systems through rich text format files sent as email attachments.

Later, it evolved into a fileless malware: it hides its code in the Windows registry, runs it from a spawned process and tries to connect to various URLs as part of its click-fraud activities. It stays fileless so that it remains undetected by anti-virus software.

A fileless malware is a malicious program that removes all its traces from the infected system. A PowerShell script is used to decode a shellcode that runs in memory and does not create any files on disk. Cyber criminals use PowerShell scripts to create threats which are harder to detect and remove.

Kovter Malware – Threat Behavior

The Kovter malware initially enters the system when the user downloads illegal files from unknown sources. It remains in the system and tracks user activity. It gets triggered under a certain set of conditions and is easy to detect and remove.

Kovter Trojan was known as a police ransomware in its earlier days. It targets the ‘illegal activities of the user’, such as surfing adult sites, and demands a fine from the user by showing a fake message from US Homeland Security, the FBI or the US Justice Department. Since it keeps track of the user’s activities, the ransom message is generated from the tracked user data to make the threat believable.

A ransomware is a computer malware that infiltrates the system through various points of entry namely:

  • Phishing emails – Emails with attachments that contain suspicious code which is executed once the attachment is opened. This downloads the malware onto the system.
  • Clicking on unsecured links – While browsing, the user may click on links that are not secure and let the malware into their PC.
  • Fake system or program updates – A pop-up message saying your system needs software updates is sometimes displayed on websites. This is bait created with the sole purpose of giving the ransomware an entry into the system.

Once the ransomware takes over your system, it encrypts the files and personal data. These files then become inaccessible and a ransom note is displayed. The ransom note demands a specific amount of money to provide the decryption key for the files it has held hostage.

Since Kovter Malware camouflaged itself as a police ransomware, people were prone to pay the ‘fine’ to hide their faults rather than tackle the threat head-on.

After a period of time Kovter malware changed its mode of infiltration to malware spam emails containing tainted file attachments with the .7z extension. These attachments hold an obfuscated JScript/JavaScript file which is the first part of a two-part downloader. Once this script is launched it downloads the second part.

The downloaded executable then fetches the main Kovter Malware infection script and stores it in the %TEMP% folder. This script writes a binary blob and a JavaScript snippet as a ‘random’ entry in the Windows registry. The newly created JavaScript then launches an instance of the Microsoft HTML application host (mshta).

This code then builds a Base64 payload that decodes into a PowerShell script, which loads and executes a shellcode in memory. The Kovter malware is read and executed from there, and a regsvr32.exe entry is created in the Windows registry. It remains undetected by normal process list inspection since it hides inside the process launched from the newly created registry entry.

The Kovter malware also adds a call to a batch file which is responsible for relaunching it from its dormant state after a system reboot. It then deletes its downloaded executable from %TEMP% to remove its presence from the disk and remain fileless.
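The persistence chain described above leaves its marks in autostart registry keys rather than on disk, so a first triage step on a suspected machine is to read those keys and flag values that reference the HTML application host, an encoded PowerShell payload, regsvr32 or a batch file. The script below is an added example written for this article, not code from the original post or from any vendor; the key list and the regular expressions are assumptions chosen to match the behaviour described above, and the script is read-only (it reports and never deletes).

```powershell
# Added example (not from the original article): read-only triage of
# autostart registry values for the Kovter-style patterns described above.
# Run from an elevated PowerShell prompt so HKLM keys are readable.

# Assumption: these are the common autostart locations; extend as needed.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Indicators drawn from the behaviour above: the HTML application host
# (mshta), an inline javascript: URI, PowerShell launched with an encoded
# or Base64 payload, regsvr32, or a batch file used for relaunch on reboot.
# The patterns are assumptions for illustration, not a complete signature.
$patterns = @(
    'mshta',
    'javascript:',
    'powershell[^\r\n]*(-e(nc|ncodedcommand)?\b|FromBase64String)',
    'regsvr32',
    '\.bat\b'
)

# Metadata properties PowerShell attaches to Get-ItemProperty output.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspiciousAutorun {
    param([string]$Value)
    # Returns the first matching pattern, or $null when the value looks clean.
    foreach ($p in $patterns) {
        if ($Value -imatch $p) { return $p }
    }
    return $null
}

function Get-SuspiciousAutorun {
    $findings = @()
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            # Binary values are joined into a space-separated string by the cast,
            # which is enough to spot the text indicators above.
            $hit = Test-SuspiciousAutorun -Value ([string]$prop.Value)
            if ($hit) {
                $findings += [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Pattern = $hit
                    Value   = $prop.Value
                }
            }
        }
    }
    return $findings
}

$findings = @(Get-SuspiciousAutorun)
if ($findings.Count -eq 0) {
    Write-Host 'No suspicious autorun values found in the checked keys.'
} else {
    Write-Host "$($findings.Count) suspicious autorun value(s):"
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat a hit as a lead, not a verdict: a legitimate installer can also register a PowerShell or regsvr32 command. Export the key (File > Export in Regedit, or `reg export`) before removing anything, so the change can be reverted if the entry turns out to be benign.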

After this malware is active in the PC, it runs many instances of Internet explorer in the background without user permission to perform click-fraud by visiting various websites and clicking on advertisements.

Click-fraud is an activity performed by malware in the background, without the user’s knowledge, to click on unknown and unsecured website links. These links can become a gateway for more advanced threats. Click-fraud generates revenue for the attacker through pay-per-click mechanisms.

Kovter Malware can also use these clicks to download other threats and to update itself so that it stays undetected by anti-virus software. It lowers the security settings of Internet Explorer and sends user information to a remote server.
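The click-fraud stage shows up in the process table as Internet Explorer instances that have no visible window and were not started by the user. The snippet below is an added example for this article, not code from the original post; the process name and the heuristics (no main window, a parent other than the desktop shell) are assumptions for illustration. A single IE session normally runs several windowless content processes beside one frame process that owns the window, so the check only raises a flag when no IE process at all has a visible window or when the parent is something other than explorer.exe.

```powershell
# Added example (not from the original article): list Internet Explorer
# processes without a visible window and the process that started them.

function Get-BrowserProcessReport {
    param([string]$ProcessName = 'iexplore')   # assumption: IE as in the article

    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { return @() }

    foreach ($p in $procs) {
        $wmi    = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        $parent = Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.ProcessName } else { '(exited)' }
        [pscustomobject]@{
            Id          = $p.Id
            HasWindow   = ($p.MainWindowHandle -ne 0)
            Parent      = "$parentName ($($wmi.ParentProcessId))"
            # A user-launched browser normally has explorer.exe as its parent.
            # Kovter's chain launches from mshta/powershell/regsvr32 instead.
            ParentOk    = ($parentName -ieq 'explorer')
            StartTime   = $p.StartTime
            CommandLine = $wmi.CommandLine
        }
    }
}

$report = @(Get-BrowserProcessReport)
if ($report.Count -eq 0) {
    Write-Host 'No Internet Explorer processes running.'
} else {
    $visible = @($report | Where-Object HasWindow).Count
    $oddParent = @($report | Where-Object { -not $_.ParentOk })

    if ($visible -eq 0) {
        Write-Warning "$($report.Count) iexplore process(es) running, none with a visible window."
    }
    if ($oddParent.Count -gt 0) {
        Write-Warning "$($oddParent.Count) iexplore process(es) started by something other than explorer.exe."
    }
    $report | Format-Table -AutoSize -Wrap
}
```

The parent process id is the more reliable signal of the two: the article’s chain starts the browser from the HTML application host or from PowerShell, whereas a user opening IE from the taskbar gets explorer.exe as the parent. Stopping the browser processes alone does not clean the machine, because the registry entry described above relaunches the chain at the next reboot.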

Threat Summary

Name – Kovter Malware

Targeted Operating system – Windows XP, Windows Vista, Windows 7, Windows 8.0/8.1, Windows 10

Category – Malware, Ransomware, Trojan

Symptoms – Adds an entry in the Windows registry under regsvr32.exe, infiltrates using .7z attachments, performs click-fraud without user permission, fileless Trojan

How to remove Kovter Malware From your System?

STEP A – Remove Kovter Malware From Task Manager.

  1. Launch the Task Manager window by pressing Ctrl+Shift+Esc simultaneously (the Task Manager window may vary depending on the OS), OR move the mouse cursor to the Task Bar (at the bottom of the screen), right click on the empty space and click on Task Manager.

[Screenshot: Task Manager window for Windows 10]

[Screenshot: Task Manager window for Windows 7]

  2. Right click on the suspicious file and select Open file location.

  3. In the file location screen that appears, right click on the file and click on Delete, to delete the file permanently from that location.

OR

  1. Open Task Manager window again by following the  steps mentioned above.
  2. Click on the Startup tab.
  3. Select the suspicious entry and click on the Disable button present at the bottom right corner of the window

OR

  1. Open Task Manager window again by following the  steps mentioned above.
  2. Click on Services tab.
  3. Right click on the suspicious entry and click on Stop.

STEP B – Delete Kovter Malware from the Registry File.

  1. Type “Regedit” in the search box / Run box, select it and press Enter.
  2. An authorization dialog box will appear; click “Yes”. (The dialog box appearance may vary depending on the OS used. For Windows 10 the dialog box looks like the first screenshot and for Windows 7 it appears like the second screenshot.)
  3. In the Registry Editor, take a backup of the current registry settings before making any changes, in case you want to revert to the old settings later. For this, click on the File option in the menu and select Export. Save the file at a known location.
  4. From the menu, click Edit and select Find.
  5. Enter Kovter Malware and click OK in the search box.
  6. Select and delete suspicious entries.

STEP C – Update All the Software in your System.

Update  your system software

Windows 7

  1. Click on the Windows icon present in the bottom left corner of the task bar to open up the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel dialog box.
  3. In the Control Panel dialog box click on the ‘View by:’ dropdown at the top right corner of the dialog box and select Large icons.
  4. Click on the “Windows Update” link.
  5. After Windows Update opens, click “Check for Updates” button.
  6. Once Windows finishes checking for updates, click the “Install now” button.
  7. When the updates have finished installing, restart your computer (if prompted).

Windows 10

  1. Click on the Search Box and type “Update” (you can also press Windows key + Q to bring up the search bar; this shortcut launches the search function on your system). Windows Update Settings should appear in the results list. Click on it to launch the program.
  2. Check the update status. If Windows Update says your device is up to date, you have all the updates that are currently available. For more info about updates, click on View installed update history.
  3. Once the system software is updated, click on the Restart Now button to finish installing the updates.


STEP D – Protect your System with Windows Defender.

Protect your system with Windows Defender

Windows 7

  1. Click on the Windows icon present in the bottom left corner of the task bar to open up the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel dialog box.
  3. In the Control Panel dialog box click on the ‘View by:’ dropdown at the top right corner of the dialog box and select Large icons.
  4. Click on the Windows Defender icon. This will open the windows defender dialog box.
  5. Click on ‘Check for updates now’ button. It will check for Updated definitions before scanning the system.
  6. Once the Defender is updated click on Scan Now button.
  7. This will take some time to scan the system for threats.
  8. Once the scanning is complete and no threats are found you will be notified with a message ‘No unwanted or harmful software detected’ in a Green Bar.
  9. If threats are found, you are recommended to use an antivirus to keep your system risk free.

Windows 10

  1. Click on the Search Box and type “Defender” (you can also press Windows key + Q to bring up the search bar; this shortcut launches the search function on your system). Windows Defender Settings should appear in the results list. Click on it to launch the program.
  2. In the Defender window click on the Open Windows Defender Security Center button. This will launch the Windows Defender Security Center window.
  3. Click on the Virus & Threat Protection icon in the Windows Defender Security Center window.
  4. In the Virus & Threat Protection window that appears, click on the Quick scan button. This will scan the system for viruses and other threats.
  5. The system scan will take some time. Once the scan is complete and no threats are found, you will be notified with a pop-up message at the bottom right corner of the window: ‘No threats were found’.
  6. If threats are found, you are recommended to use an antivirus to keep your system risk free.


Tips to prevent your computer system from getting infected 

  1. Keep the Operating System updated – In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling automatic updates on your system. Systems with outdated or older versions of the Operating System become an easy target for attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is sending spam emails to the user. The system gets infected as soon as the user opens the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third-party installations – Take due care while installing any third-party applications, as they are a major source of such infections. Malware programs come bundled with free applications, so the user needs to remain cautious.
  4. Regular periodic backups – In order to keep your data and files safe, it is recommended to take regular backups of all your data and files, either on an external drive or in the cloud.
  5. Use anti-virus protection – We strongly recommend the use of antivirus protection/internet security on your PC, such as Avira and Hitman Pro, so that it remains safe.
  6. Enable the ad blocker/popup blocker in your browser – Enabling the popup blocker/ad blocker in your chosen browser will help you stay protected from annoying adware.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866