Fileless Malware Poweliks and Kovter

Estimated read time 3 min read

Hey there cyber guardians, today we’re shining our spotlight on two notorious malware that have been causing a ruckus in the cybersecurity scene: Poweliks and Kovter. Both have a well-earned reputation for their evasion tactics, and they’ve caused significant damage to unsuspecting targets. Let’s dive into the mechanics of these threats and discuss how we can fortify our defenses against them.

Poweliks: The Invisible Intruder

First up, we have Poweliks. Its claim to fame? It’s fileless. That’s right, this malware doesn’t need to drop a file on your system to wreak havoc. It cunningly hides in your registry, making it incredibly hard to detect with traditional security tools.

Poweliks generally infiltrates your system through phishing emails or malicious downloads. Once inside, it uses a registry key to store its encoded payload. From there, it launches its attacks, which typically involve data theft or acting as a gateway for other malware.

The impact? Disrupted operations, lost data, and potential breaches of sensitive information. In short, it’s a nightmare.

Read more about Poweliks:

  • Poweliks research by ESET (PDF)
  • Poweliks research by Symantec (PDF 1), (PDF 2)
  • Whitepaper by Speartip (PDF)
  • Whitepaper on Wiley (PDF)

Kovter: The Persistent Prowler

Next, we have Kovter. Similar to Poweliks, Kovter is also fileless, adding an extra layer of difficulty to its detection. It utilizes PowerShell scripts and registry keys to avoid being spotted.

Kovter’s favorite method of entry is through exploit kits or malicious attachments. Once it gains access, it stays put, persisting even after system reboots. Its main gig is click fraud, but it can also serve as a backdoor for additional malware.

The damage? A clear hit on productivity, not to mention the financial losses from fraudulent activities and potential system downtime.

Read more about Kovter:

  • Research by Morphisec (PDF)
  • Presentation on Kovter by Minerva (PDF)
  • Survey and Research on Fileless malware (PDF)
  • Research by Symantec on Kovter and Fileless malware (PDF)

Battling the Invisible: Prevention Strategies

So, how do we protect ourselves from these stealthy threats? Here are some strategies:

  • Keep your systems updated: Software patches often include fixes for vulnerabilities that malware like Poweliks and Kovter exploit.
  • Be wary of emails: Phishing is a common entry point. Double-check sender details and don’t open suspicious attachments.
  • Use advanced security tools: Traditional antivirus might not catch these threats, but solutions with behavior-based detection can.

Tips for Threat Hunters: Tracking the Unseen

On to the threat hunters out there, here’s how you can stay one step ahead:

  • Monitor Registry Entries: Keep an eye on your registry. Unusual entries or modifications could be the sign of a fileless threat.
  • Watch PowerShell Activity: Excessive or unusual PowerShell usage can be a red flag.
  • Analyze Network Traffic: Look for unusual data transmission patterns. These can often indicate a hidden threat.
  • Read reports, and note down the event ids, translate them towards signatures and monitor

These threats may be invisible, but they’re not invincible. By understanding how they work and what to look for, we can hunt them down and keep our systems safe.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author