Kovter Malware

What is Kovter Malware?

Kovter is a fileless malware that attempts to remain invisible and targets the Windows operating system. Kovter avoids detection as it relies on the host registry to store its configuration data, thus avoids traditional endpoint protection (anti-virus) file scanning.

Kovter has also stayed resilient by evolving – from a trojan-based ransomware that scared victims into believing it was the police charging fines for “illegal” internet activity to a click fraud malware and then to a fileless one. These features have made Kovter a mainstay in the Center for Internet Security’s ranking of the most prolific malware over the past few years.

Tracked by Proofpoint since its days as ransomware in 2013, Kovter ad fraud malware has featured in innovative campaigns, from incorporating social engineering tricks to using a then-novel technique to bypass malware sandbox systems. Not limited to email-based distribution, we detected and analyzed a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. Over a period of more than a year, this attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.

As of October 2016, Kovter has been observed in macro-documents and sent via targeted email campaigns, avoiding detection by requiring a recipient to both enable macros and to click on an image within its contents to activate its malicious code.

How to protect your organization from Kovter

  • Look out for red flags: Fileless malware is tough to detect, but as Kovter traverses via PowerShell, checking for unusual PowerShell alerts and monitoring the Task Manager for processes such as mshta.exe or powershell.exe may help.
  • Educate about Phishing: With phishing being the main vector, educate colleagues across the organization about good security hygiene such as checking the sender’s email ID, not auto-downloading attachments and alerting support about emails with a threat or bait.
  • Don’t let your guard down: Ensure that your firewalls, anti-spam filters, anti-virus tools, etc are robust and auto-updated. Employ measures to sandbox emails to limit the damage, if possible. Likewise, check that you have network security controls in place, particularly around shared document repositories like One Drive or Team Sites, as just one weak link can cause malware to spread throughout the organization.
  • In the worst-case scenario of a malware attack ensure that you have an accurate, up-to-date copy of your valuable data to ensure smooth business continuity and seamless disaster recovery. All possible only with a reliable backup and restore solution.


[1] https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing

[2] https://malware.dontneedcoffee.com/2013/03/ransomware-kovter-looking-at-your.html

[3] https://www.proofpoint.com/us/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick

[4] https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-malware-and-fraud

[5] https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf

[6] https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-kovcoreg-kovter-saga

Related Articles

Protection from Email Attachment Malware.

What’s the Difference Between Malware and Viruses?

What’s the Difference Between Spyware and Malware?