The security team at Symantec reported in a security response blog post that a new variant of Kovter malware is incorporating some characteristics of the Poweliks malware that broke onto the scene back in 2015.
Tricks employed by Poweliks, which made a name for itself by being the first persistent, fileless, registry-based malware, are now being used by Kovter, which has been in the wild since 2013 and has continually evolved.
“When the new Kovter variant compromises a computer, the Trojan has the ability to reside only in the registry and not maintain a presence on disk. It accomplishes this by using registry tricks in an attempt to evade detection. The threat is also memory resident and uses the registry as a persistence mechanism to ensure it is loaded into memory when the infected computer starts up, noted the Symantec blog.
The malware is being spread through malverstisement campaigns aimed at adult and news websites. In addition, several exploit kits, including Fiesta, Angler, Nuclear, Neutrino and Sweet Orange have reportedly been in conjunction with the malvertising. The latest method is using spam campaigns.
Because the Kovter family has been continually altered and updated there is no reason to believe the threat will be abandoned any time soon, Symantec said.