Installing fake Critical Chrome Update drops Kovter.C malware on a computer
Critical Chrome Update is a malicious ad that might emerge on your screen after clicking on one of Traffic Junky's ads. This ad network is known to serve promotional content on adult-only websites, so visitors of these domains fell victim to the KovCoreG malvertising attack that pushed the Kovter.C Trojan onto victims' computers.
Cybercriminals managed to compromise Traffic Junky ad network which serves ads via popular adult-oriented sites such as Pornhub. As a consequence, deceptive ads were served through common web pages and infected unsuspecting users with click-fraud malware known as Kovter Trojan.
Research reveals that the attack chain starts with a redirect from the advertisingms[.]com domain, which corrupts the final link and sends the victim to a compromised malware-serving site. According to Proofpoint, this domain “inserts a call hosted behind KeyCDN,” which happens to be a giant content delivery network.
The Critical Chrome Update scam suggests installing an update for the popular web browser; however, instead of updating the browser, it drops a ZIP archive that contains a runme.js file. Once executed, the script contacts the server responsible for the social engineering attack. The .JS file then downloads two files to the victim's computer, one in .flv format and one in .mp4 format.
The FLV file begins with three random digits, and the rest of its contents is an RC4 key. The MP4 file is encrypted with this key and hex-encoded. The MP4 file also stores a PowerShell script that contains shellcode used to download and execute an AVI file (the Kovter virus).
Once executed, the Kovter virus establishes itself in the Windows Registry rather than dropping files on the system. This way, the malicious software attempts to avoid detection. Besides, the virus sets up specific autorun entries, which run the malware as soon as the victim starts the computer.
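The two-file staging described above (an .flv holding three random digits followed by an RC4 key, and an .mp4 holding the hex-encoded, RC4-encrypted script) lends itself to a small analyst decoder. The following Python is an added example, not code from this page or from Proofpoint: it derives the key from the .flv, hex-decodes the .mp4 body and RC4-decrypts it. The sample artifacts are constructed inline with a harmless placeholder script, and the exact byte layout (three ASCII digits, then the key, no other framing) is an assumption based on the description.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_flv(flv: bytes, prefix_len: int = 3) -> bytes:
    """Per the description, the .flv starts with three random digits; the rest is the RC4 key.
    The three-digit prefix is an assumption about the exact layout."""
    if len(flv) <= prefix_len or not flv[:prefix_len].isdigit():
        raise ValueError("unexpected .flv layout: expected three leading digits then the key")
    return flv[prefix_len:]


def decode_mp4(mp4: bytes, key: bytes) -> bytes:
    """The .mp4 body is the RC4 ciphertext, hex-encoded (bytes.fromhex raises on bad hex)."""
    ciphertext = bytes.fromhex(mp4.decode("ascii").strip())
    return rc4(key, ciphertext)


def recover_stage(flv: bytes, mp4: bytes) -> str:
    """Recover the embedded script text from the two downloaded artifacts."""
    return decode_mp4(mp4, key_from_flv(flv)).decode("utf-8", errors="replace")


# Constructed sample artifacts for the example (not real Kovter/KovCoreG data).
SAMPLE_KEY = b"kovcoreg-demo-key"
SAMPLE_SCRIPT = b"Write-Host 'placeholder stage - constructed for the example'"
SAMPLE_FLV = b"417" + SAMPLE_KEY
SAMPLE_MP4 = rc4(SAMPLE_KEY, SAMPLE_SCRIPT).hex().encode("ascii")

if __name__ == "__main__":
    print(recover_stage(SAMPLE_FLV, SAMPLE_MP4))
```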
The malware operates silently, and the only noticeable symptom is a slight decrease in the computer's performance. Most users, however, might not suspect anything if they do not have anti-malware programs installed on their PCs.
Avoid malware-laden ads while browsing the Internet
Although cybercriminals use various techniques to trick victims into clicking on malicious advertisements, the method that is based on fake “updates” is actually very common and can be recognized easily. For example, the infamous Bad Rabbit ransomware was also pushed via counterfeit ads that appeared on legitimate websites previously hacked by cybercriminals.
The Dieviren.de team says that the trick to avoiding the malicious Critical Chrome Update or Urgent Chrome Update, as well as malware delivered via deceptive versions of Flash Player or other well-known programs, is to never install updates from random Internet sites.
Even if the ad looks legitimate and includes the official logos of the promoted software, you should never rely on it. If you suspect that you need an update for Chrome, simply visit the browser developer's official site and check whether an update is available.
Remove Critical Chrome Update virus (Kovter.C)
If you were redirected to a site containing the Critical Chrome Update virus, close the web page immediately. If it downloaded the malicious ZIP file to your computer automatically, do not open it and delete it as soon as possible. However, if you launched the deceptive file, run anti-malware software as soon as you can (ideally, after performing a clean system boot).
To finish Critical Chrome Update removal, update your anti-malware software and scan your computer several times. It is essential to delete the Kovter Trojan as soon as possible, as it can perform a series of illegal activities on your computer.
To remove Critical Chrome Update virus, follow these steps:
Remove Critical Chrome Update using Safe Mode with Networking
Restart your PC in Safe Mode (use the clean boot method) and run an up-to-date anti-malware tool to identify and remove the Kovter malware dropped by the Critical Chrome Update virus.
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Critical Chrome Update
Log in to the infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, remove the malicious files that belong to the malware and complete Critical Chrome Update removal.
If the malware is blocking Safe Mode with Networking, try the next method.