Kovter, a well-known click-fraud malware family, has evolved yet again in recent months, and this time crooks are disguising new versions as Firefox updates.
The malware has been around for three years and has always been used mainly for performing ad fraud, silently clicking on ads while you're using your computer.
Last year in September, the malware moved from an on-disk operational mode to an in-memory (fileless) system that allowed it to bypass several antivirus detection methods.
New Kovter version still uses an in-memory operational mode
It's an evolution of this in-memory Kovter version that security researchers from Barkly have recently come across.
Distributed via drive-by downloads on hijacked or malicious websites, the malware is hidden inside a fake version of the Firefox browser that is automatically saved to the user's computer.
Victims who agree to launch this installer will be installing Kovter, which also uses a valid digital certificate to bypass security software.