Cybereason Lab Report: Operation Escalation
Fortune 500 Companies Put at Risk by an Evolving Kovter Malware Campaign


Kovter malware is becoming more and more prevalent in networks of Fortune 500 companies.

Cybereason today announced that researchers from Cybereason Lab have discovered that hackers are upgrading the ubiquitous Kovter malware to provide them with access to the computer networks of Fortune 500 companies.

In the campaign Cybereason has named Operation Escalation, highly prevalent click-fraud and adware tools, once installed in corporate environments, are upgraded by the attackers into more malicious software. This gives the attackers complete control over high-value corporate assets, which are later sold on the dark web to nation-states, groups engaged in financial cybercrime, or hacktivist gangs.

Today, security teams treat commodity click-fraud and adware programs as low-risk threats, especially compared with zero-day vulnerabilities and ransomware. However, Cybereason Lab's Operation Escalation findings remind companies that they should not dismiss these threats. As attackers look to monetize their footholds, low-risk infections are successfully used as conduits into larger companies, and access to these high-value targets commands a higher price on the black market.

“Commodity threats have the potential to evolve into sinister tools, forcing enterprises to reconsider how they handle these programs. Simply put, enterprises can no longer disregard seemingly benign programs that have infected their network since they can be used as a backdoor into corporate networks,” said Israel Barak, CISO and Cybereason incident response director. “Overworked security teams have to prioritize their workloads and often choose to disregard threats they believe will have a limited impact on the organization. Security teams cannot be expected to eradicate all low-level threats due to their high prevalence on user machines. But they should develop an approach to track if low-level threats evolve into higher-risk programs and be able to eradicate these cases.”

Operation Escalation findings also suggest:

●    Cyber-crime groups are getting better at analyzing where their broadly distributed malware, such as adware and click-fraud software, has been installed. These groups can spot when their tools land in corporate environments, which turns those infections into high-value assets because they can serve as a conduit into the company's network.

●    Many commodity malware tools have broad remote tasking capabilities, providing their operators with a wide range of options to upgrade their capabilities, based on the initial infection location.

●    Cyber criminals are looking to monetize assets already installed in a corporate environment, typically by upgrading them to function as access points into the organization and selling them to organizations that execute APTs, such as nation-states, groups engaged in financial cybercrime or cyber espionage and hacktivist gangs.

To read more about Operation Escalation and learn how to protect against evolving low-level threats, download the report.

Cybereason is one of the fastest growing global cybersecurity companies and has received many awards and accolades since it launched its detection and response platform in 2014. Most recently, SC Magazine named Cybereason ‘Rookie Security Company of the Year’ at the 2016 SC Awards Dinner. In addition, Infosecurity Products Guide named CEO Lior Div ‘2016 CEO of the Year.’ Computer Reseller News named Cybereason’s Detection and Response Platform one of 30 cool products launched at the 2016 RSA Conference. And Dark Reading named the company one of the ‘20 Cyber Security Startups to Watch in 2016.’

About Cybereason:
Founded by members of the Israeli intelligence agency's elite cyber security Unit 8200, the Cybereason platform mirrors the founders' expertise in handling some of the world's most complex hacking operations. The Cybereason Detection and Response Platform leverages big data, behavioral analytics and machine learning to uncover, in real time, complex cyber-attacks designed to evade traditional defenses. It automates the investigation process, connects isolated malicious events and visually presents a full malicious operation. The platform is available as an on-premises solution or a cloud-based service. Cybereason is privately held and headquartered in Boston, MA with offices in Tel Aviv, Israel and Tokyo, Japan.

For more information, please visit:


Media Contact:
Bill Keeler
Director, Public Relations, Cybereason
(508) 414-7755 (cell)
