ACG-CYBER SECURITY BULLETIN NO 128 UNDERSTANDING THE RISK OF KOVTER TROJAN
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
The Kovter infection is a trojan that performs click-fraud while running on a computer. This infection is typically installed via exploit kits found on hacked web sites or trojan downloaders like Nemucod. When Kovter is installed, the actual infection is stored in the Windows registry rather than as a file on a hard drive. This method of storing the malware files in the registry rather than the hard drive makes it more difficult for antivirus programs to properly detect it.
The Trojan Kovter virus is distributed through several means. Malicious websites, or legitimate websites that have been hacked, can infect the machine through exploit kits that use vulnerabilities on the computer to install this Trojan without the permission or knowledge of the computer user.
Kovter usually arrives as a mail attachment in the form of a macro inside a Word document. When the macro is activated, it downloads a file that writes a PowerShell command into the registry to gain persistence; the randomly named downloaded file then deletes itself.
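As an added example (not part of the PNP ACG bulletin), the following read-only PowerShell check enumerates the common autorun registry keys and flags values that launch a script interpreter with hidden or encoded arguments, the kind of registry-resident persistence the bulletin describes. The key list and the indicator strings are this example's own assumptions.

```powershell
# Added defender-side check, not from the bulletin: look for autorun registry
# values that invoke PowerShell or another script host, which is how the
# bulletin says Kovter persists without dropping a file on disk.
# Run in an elevated PowerShell session on a Windows host; nothing is modified.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Strings in an autorun command line that warrant a closer look.
# This indicator list is an assumption of the example, not taken from the bulletin.
$suspicious = @(
    'powershell', 'mshta', 'wscript', 'cscript', 'regsvr32',
    '-enc', '-encodedcommand', '-w hidden', 'windowstyle hidden',
    'iex', 'invoke-expression', 'javascript:', 'vbscript:'
)

function Get-SuspiciousAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/etc. metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            # -match is case-insensitive; escape so '-' and ':' are literal.
            $hits = $suspicious | Where-Object { $value -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $p.Name
                    Length    = $value.Length   # unusually long values deserve review
                    Matched   = ($hits -join ',')
                    Command   = $value
                }
            }
        }
    }
}

Get-SuspiciousAutorun | Format-List
```

A hit is a lead for investigation, not proof of infection; compare the flagged command against what the machine's software is known to register.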
Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. Cyber-criminals send out email with forged header information, tricking the victim into believing that it comes from a shipping company such as DHL or FedEx. The email tells the victim that a package delivery was attempted but failed for some reason; sometimes the emails claim to be notifications of a shipment the victim has made. Either way, the victim, curious about what the email refers to, opens the attached file (or clicks a link embedded in the email), and with that the computer is infected with the Trojan Kovter virus.
To avoid this, netizens should be cautious about visiting web pages that may carry malicious code, since this denies the attacker a route to compromise the system. Be careful when supplying personal information: unless the site can be trusted, do not give out your personal address, password, or credit card information. It is best to install security software that warns of and detects malicious software.
All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of Kovter trojan, to wit:
- Always update the anti-virus software installed in your computer and conduct regular full scanning at least once a week;
- Enable pop-up blocker;
- Install a powerful ad-blocker for Chrome, Mozilla and Internet Explorer;
- Do not open e-mail attachments or hyperlinks you receive from an unknown sender or they could contain malware;
- Clean your Windows Registry; and
- Be cautious about unsolicited attachments.
For additional information, please refer to the following websites:
POINT OF CONTACT