Wednesday, November 2, 2016

Click Fraud Malware: Kovter

In recent years, the threat caused by click fraud malware has grown exponentially.  The Association of National Advertisers estimate this threat will defraud advertisers of approximately $7.2 billion dollars in 2016 alone.  While there are many different types of click fraud malware, Kovter is one of the more virulent.  
With giant campaigns that affect hundreds of thousands, this malware continues to evolve to remain effective.  The actors behind this malware take great pride in their ability to conceal and encrypt their malware.  Recent research has shed light on the mechanism Kovter uses to configure their malware.  These findings have uncovered some of their command and control structure allowing Wapack labs to sinkhole one of their C2 domains.

Publication Date:                      1, October 2016
Handling requirements:           Traffic light protocol (TLP) GREEN
Actor type:                                 Adversary capabilities have been assessed as Tier II*
Past Reporting:                          RSA - DOC 9202

*Practitioners with a greater depth of experience, with the ability to develop their own tools (from publicly known vulnerabilities).
The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or
About Wapack Labs
Wapack Labs, located in New Boston, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber.  Wapack Labs’ engineers, researchers and analysts use deep analysis techniques and visualization to design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information.  The intelligence derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.