Barkly, a computer security firm, had one of its installations sound an alarm due to a new Firefox malware.

It was obvious that a drive-by attempt had been made in an effort to breach the system. A user clicked on a link or visited the wrong site and the malware took advantage — a relatively standard path.

But as SecurityWeek stated, it was the payload of this Firefox malware that was of interest. Even though Barkly prevented the breach, it wasn’t able to distinguish what the attacker was trying to deliver. The malware disguised itself as an update to the Firefox browser that needed a click to activate but otherwise looked normal.

Now for Something Completely Different

Barkly’s analysis of the payload allowed the researchers to finally identify it. The examination revealed that the threat was actually a new variation of the Kovter malware, which made a name for itself by hijacking machines and executing remote, sophisticated campaigns.

“What makes this new variant particularly nasty,” the blog states, “is that it’s the later, fileless version of Kovter, and it’s now using an apparently legitimate certificate. That’s bad news because a legitimate certificate causes plenty of traditional antivirus/endpoint solutions to give the software a pass.”

That use of a legitimate certificate means security products will likely be fooled by the Firefox malware, allowing it to get one step closer to potential victims; it will look like any other Firefox update to the user.

Working Around the Firefox Malware

The good news is that there are ways to work around this malware. For example, if users only update their browsers on demand, any update that appears unrequested should not be installed.

But Firefox also has something called the update channel that automatically delivers upgrades to the user. Many people use this option and, as a result, expect updates to happen without requesting them.

The simplest way to deal with this problem is to turn off automatic updates. Those who want that feature should always verify whether the update is real. Firefox will manually check for updates when requested: If the browser says it is up to date when the user checks, then the upgrade should be discarded.

This method of disguise may become more prevalent for malware as cybercriminals search for new installation techniques. Luckily, simple checks and security measures can defeat it.

UPDATE, 7/13/16, 10:34 a.m. EDT: A Mozilla spokesperson has contacted Security Intelligence with the following statement:

“It is critically important that users keep Firefox up to date to make sure they have the latest security fixes. Automatic updates are the best way to do that. In order to better protect users, Firefox automatically updates itself in the background, so there is no need for users to download updates themselves. We strongly advise that users not disable automatic updates in Firefox.”

more from

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…