Discover and read the best of Twitter Threads about #Kovter
Most recents (2)
Malicious HTML applications (.hta) hosted on compromised websites continue to plague the Internet, delivering malware payloads like #Kovter, which is known for its #fileless persistence techniques. Just this year, we’ve blocked these threats on almost 1M machines.
These malicious HTML applications typically use the file name FlashPlayer.hta. Newer versions use microsoft-patch.hta as a social engineering tactic and an attempt to avoid detection. Apart from file name, though, no other apparent update in the code.
#WindowsDefenderAV stops the attack kill chain using generic, behavioral, and contextual detections. It also leverages #AMSI to inspect PowerShell and other script types, even with multiple layers of obfuscation.
