New Trojan Resides in Registry

Tuesday, September 29, 2015 @ 07:09 AM gHale

There is a new version of the Kovter Trojan that is able to live entirely in a computer’s registry, without needing to store a file on the hard drive.

Kovter, first spotted in 2013, constantly changes its approach and adapts to new hacking campaigns and security measures put in place, said researchers at Symantec.


Starting with version 2.0.3 of the Kovter malware, first spotted in May this year, the Trojan borrowed survival methods from the Poweliks malware and can hide itself in the PC’s registry, Symantec researchers said.

The registry is a Windows-specific feature: a database of user profiles, settings, software and hardware information that the Windows OS consults constantly.

By storing its code in the registry, Kovter lasts longer on infected machines and serves as an entry point for other more serious infections.
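Registry-resident persistence of the kind described above is something a defender can check for directly: the autostart keys should contain short command lines pointing at executables, not bulky blobs of code or calls into a script interpreter. The following Python script is added here as an example; it is not code from Symantec's write-up or from any Kovter sample. It parses a constructed `.reg` export of the standard Run/RunOnce keys and flags values that are unusually large (code kept in the value itself) or that launch a script host. The key list, the script-host list, the 260-character threshold and every sample entry are assumptions chosen for the illustration, not indicators taken from the article.

```python
"""Scan a Windows registry export (.reg text) for autostart values that look
like fileless persistence: very large values, or values that hand control to
a script host rather than a normal program. Heuristic, constructed example."""
import re
from typing import Dict, List, Tuple

# Standard autostart locations (assumption: the article names no keys;
# these are the usual Run/RunOnce keys a persistence review inspects).
AUTOSTART_KEYS = {
    k.lower() for k in (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    )
}

# Interpreters that can run code held in a registry value (assumption: a
# generic fileless-persistence heuristic, not a Kovter-specific indicator).
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "rundll32", "regsvr32")

# Longer than any ordinary autostart command line (assumed threshold).
MAX_VALUE_LEN = 260

# Constructed .reg export: one benign entry, one script-host launcher with a
# placeholder argument, one oversized value, and one long value outside the
# autostart keys that the scanner must ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Windows\\System32\\mshta.exe about:CONSTRUCTED_PLACEHOLDER"
"svc"="''' + "A" * 400 + r'''"

[HKEY_CURRENT_USER\Software\Constructed\Settings]
"Cache"="''' + "B" * 400 + r'''"
'''

_ENTRY = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: backslashes and quotes are written as \\ and \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value name: string value}} for the REG_SZ entries.
    Only quoted string values are parsed; hex()/dword values are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _ENTRY.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        entries[current][name] = _unescape(m.group(2)[1:-1])
    return entries


def flag_suspicious(entries: Dict[str, Dict[str, str]],
                    max_len: int = MAX_VALUE_LEN) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for autostart values worth review."""
    findings = []
    for key, values in entries.items():
        if key.lower() not in AUTOSTART_KEYS:
            continue  # only autostart locations matter for this check
        for name, value in values.items():
            if len(value) > max_len:
                findings.append((key, name, f"value is {len(value)} chars, above {max_len}"))
            elif any(host in value.lower() for host in SCRIPT_HOSTS):
                findings.append((key, name, "command line launches a script host"))
    return findings


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Parse an export and return the flagged autostart values."""
    return flag_suspicious(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, reason in scan(SAMPLE_REG):
        print(f"{key}\\{name}: {reason}")
```

On a real machine the export would come from `reg export` of the keys above; the heuristics are deliberately coarse, so each finding is a lead for a manual look at the value, not a verdict.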

While in the past Kovter has been distributed alongside ransomware, Symantec said that in its current, deadlier form Kovter focuses only on click-fraud.

As for the way it initially infects users, Symantec said attackers are distributing this new version of Kovter mainly via malvertising campaigns and file attachments in spam email.

In the past, the Angler, Fiesta, Nuclear, Neutrino, and the Sweet Orange exploit kits have spread the malware, so they are likely suspects as well.

In its most recent outbreak, Symantec said the malware has been predominantly infecting users in the U.S. (56 percent), UK (13 percent), Canada (9 percent), Germany (8 percent), and Australia (2 percent).

“The Kovter malware family has continually evolved since it was first discovered and shows no signs of leaving the threat landscape anytime soon,” Symantec said.

To help users infected with the Kovter malware, Symantec is providing the Trojan.Kotver Removal Tool as a free download.