Evolving Kovter Malware Campaign Puts Fortune 500s At Risk

Cybereason today announced that researchers from Cybereason Lab have discovered that hackers are upgrading the ubiquitous Kovter malware to provide them with access to the computer networks of Fortune 500 companies.

In the research, named Operation Escalation, Cybereason found that highly prevalent click-fraud and adware tools, once installed in corporate environments, are upgraded by the attackers into more malicious software. This gives them complete control over high-value corporate assets, and that access is later sold on the dark Web to nation-states, groups engaged in financial cyber crime, or hacktivist gangs.

Today, security teams treat commodity click-fraud and adware programs as low-risk threats, especially when compared with zero-day vulnerabilities and ransomware. However, Cybereason Lab’s Operation Escalation findings are a reminder that companies shouldn’t dismiss these threats. As attackers look to monetize what they already control, low-risk threats are successfully used as conduits into larger companies, and access to these high-value targets commands a higher price on the black market.

“Commodity threats have the potential to evolve into sinister tools, forcing enterprises to reconsider how they handle these programs. Simply put, enterprises can no longer disregard seemingly benign programs that have infected their network since they can be used as a backdoor into corporate networks,” said Israel Barak, CISO and Cybereason incident response director. “Overworked security teams have to prioritize their workloads, and often choose to disregard threats they believe will have a limited impact on the organization. Security teams cannot be expected to eradicate all low-level threats due to their high prevalence on user machines. But they should develop an approach to track if low-level threats evolve into higher-risk programs and be able to eradicate these cases.”

Operation Escalation findings also suggest:

  • Cyber-crime groups are getting better at analyzing where their broadly distributed malware, like adware and clickbait software, has been installed. These groups can spot when their tools are installed in corporate environments, turning them into high-value assets since they can serve as a conduit into a company’s environment.
  • Many commodity malware tools have broad remote tasking capabilities, giving their operators a wide range of options to upgrade the tool’s capabilities based on where the initial infection landed.
  • Cyber criminals are looking to monetize assets already installed in a corporate environment, typically by upgrading them to function as access points into the organization and selling that access to groups that run APT-style operations, such as nation-states, groups engaged in financial cybercrime or cyber espionage, and hacktivist gangs.
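The approach the quote above recommends, tracking whether a detection that was triaged as a low-risk commodity family later shows behavior outside that family’s profile, can be expressed as a small correlation over endpoint telemetry. The script below is an added example written for this page, not code from Cybereason or from the Operation Escalation report. The event schema, the behavior tags, the expected-behavior profile for "adware" and the escalation weights are all assumptions chosen for illustration, and the sample events are constructed, not real detections.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample endpoint events (timestamp, host, family at first
# detection, normalized behavior tag). Assumed schema, not a real EDR export.
SAMPLE_EVENTS = [
    # ws-101: commodity adware that keeps behaving like adware
    ("2024-01-01T08:00:00", "ws-101", "adware", "ad_click"),
    ("2024-01-01T08:05:00", "ws-101", "adware", "browser_inject"),
    ("2024-01-02T09:00:00", "ws-101", "adware", "c2_beacon"),
    # ws-202: same family, then behaviors the family is not expected to have
    ("2024-01-01T08:00:00", "ws-202", "adware", "ad_click"),
    ("2024-01-01T10:15:00", "ws-202", "adware", "download_new_module"),
    ("2024-01-01T10:16:00", "ws-202", "adware", "spawn_admin_tool"),
    ("2024-01-01T10:30:00", "ws-202", "adware", "lateral_smb"),
]


@dataclass
class Event:
    ts: str        # ISO 8601 so that string order is time order
    host: str
    family: str    # classification assigned when the threat was first triaged
    behavior: str  # normalized behavior tag from the telemetry source


# Behaviors a team already accepts from a low-risk family (assumed profile).
EXPECTED_BEHAVIORS = {
    "adware": {"ad_click", "browser_inject", "c2_beacon"},
}

# Weight of behaviors suggesting the implant is being repurposed (assumed
# values; a team would tune these to its own environment).
ESCALATION_WEIGHTS = {
    "download_new_module": 2,
    "new_c2_destination": 2,
    "spawn_admin_tool": 3,
    "credential_access": 4,
    "lateral_smb": 4,
}


def parse_events(rows):
    """Turn raw (ts, host, family, behavior) tuples into Event objects."""
    return [Event(*row) for row in rows]


def escalation_report(events, threshold=4):
    """Return {host: details} for every host whose commodity detection has
    accumulated unexpected behaviors whose total weight meets the threshold.

    The family recorded at the host's first sighting defines the profile;
    anything outside that profile counts toward the escalation score.
    """
    per_host = defaultdict(list)
    for event in events:
        per_host[event.host].append(event)

    report = {}
    for host, host_events in per_host.items():
        host_events.sort(key=lambda e: e.ts)
        family = host_events[0].family
        expected = EXPECTED_BEHAVIORS.get(family, set())
        unexpected, score = [], 0
        for event in host_events:
            if event.behavior in expected:
                continue
            unexpected.append((event.ts, event.behavior))
            score += ESCALATION_WEIGHTS.get(event.behavior, 1)
        if score >= threshold:
            report[host] = {"family": family, "score": score,
                            "unexpected": unexpected}
    return report


if __name__ == "__main__":
    for host, details in escalation_report(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {details['family']} detection escalated "
              f"(score {details['score']}): {details['unexpected']}")
```

The point of scoring only behaviors outside the family profile is that the alert for the original infection never needs to be re-prioritized by hand: ws-101 stays at its low-risk rating, while ws-202 surfaces as soon as the same implant starts pulling new modules and moving laterally. In practice the behavior tags would come from process, network and authentication telemetry joined on host and time window, and the weights would be adjusted to the organization’s own tolerance.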

To read more about Operation Escalation and learn how to protect against evolving low-level threats, download the report.

Lital Asher-Dotan
About the Author

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as its first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.