Kovter Malware Victims Were Secret Zombies in the ProxyGate Proxy Network

Posted on

Legitimate proxy software distributed with Kovter malware.

During the past few months, computers infected with the Kovter click-fraud malware were also secretly added to the proxy network operated by ProxyGate, the Forcepoint team reports.

Kovter is one of the oldest malware strains around, one that has adapted to fit various needs and niches, and survived mainly as a click-fraud toolkit, ideal for making a quick buck out of online ads.

A recent spam campaign detected by Forcepoint (formerly Raytheon|Websense) has identified Kovter delivered through file attachments in the form of ZIP files.

When uncompressed, these ZIP files automatically execute a JavaScript file which connects to a Web server and downloads the Kovter malware.

In this specific campaign, Forcepoint saw this auto-download process abusing an Alexa Top 10 site, but also downloading two additional payloads besides Kovter.

One of them is the Miuref adware while the second was a legitimate executable, the ProxyGate installer.

All three files were executed as soon as they finished downloading, and silently installed their payloads on the victim’s machine without any type of user interaction needed.

Spam campaign’s author may have participated in ProxyGate’s referral program

It is yet unknown why the malware operators installed the ProxyGate application on the victim’s PC. This application does nothing malicious on its own and is designed to add the user’s computer to ProxyGate’s network of available proxy servers.

A possible explanation for these strange actions may be ProxyGate’s referral programwhich allows users to boost their own account’s number of free proxies available per day.

The spam campaign’s author may possibly be running other malicious campaigns through ProxyGate’s network and wanted to boost his available proxy output IP addresses by secretly abusing ProxyGate’s referral program by packaging the legitimate installer alongside Kovter’s payload.

This is not the first malware campaign that infected users and added their PC to a proxy network. In the past, the Bunitu and the ProxyBack malware families did the same thing.

Users infected with Kovter, may also want to check their computer’s list of installed applications and check to see if they’re not an unwitting zombie in a ProxyGate’s service.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s