Cova
⚠️ Overview
Cova is a remote access trojan (RAT) first documented in May 2022 by Fortinet’s FortiGuard Labs and attributed to a likely Chinese-speaking threat actor (tracked as a user of a Cobalt Strike-like toolkit). It is categorized as a commodity RAT used for initial access, keylogging, and credential theft, and is typically deployed through spear-phishing campaigns targeting government and defense sectors in Southeast Asia.
🔧 Technical Capabilities
Cova uses HTTP-based command and control (C2) communication, with payloads encrypted by a custom XOR algorithm. It persists via a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Propagation occurs through phishing emails carrying malicious macro-laden documents (VBA droppers) or weaponized LNK files. The RAT collects system information, keystrokes, clipboard data, and screenshots, and exfiltrates them over HTTP POST requests to hard-coded C2 domains. Evasion techniques include delaying execution to bypass sandbox analysis, checking for the presence of a debugger, and unhooking APIs to avoid detection by security products.
📜 History & Notable Incidents
First observed in early 2022, Cova was used in targeted campaigns against Myanmar government entities and Philippine defense organizations. A significant campaign in July 2022 (tracked by Fortinet) delivered Cova via LNK files disguised as PDF documents, exploiting CVE-2017-11882 (Microsoft Office equation editor remote code execution) for initial compromise. No law enforcement actions have been publicly reported against the operators as of early 2024.
🔍 Detection Indicators
Known network indicators include HTTP POST requests to IP 185.225.17[.]8 with URI paths containing base64-encoded strings. File hashes recorded by Fortinet include SHA256 6c72f2b5e1a0d3c4b8e9f7a6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d7c6. Behavioral signatures include the creation of a scheduled task named MicrosoftEdgeUpdateTask and a mutex named Cova_mutex_1234. The User-Agent string observed is Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36, but it varies dynamically, so it should be treated as a weak indicator on its own.
☠️ Risk & Impact
Cova facilitates data exfiltration of sensitive documents, credentials, and screenshots from compromised systems, enabling further lateral movement or ransomware deployment. The primary impact is espionage and credential theft, with targets including government ministries and defense contractors in Myanmar and the Philippines, leading to potential national security breaches and intellectual property loss.
🛡️ Mitigation
Defenders should block the known C2 IPs and domains, enforce Microsoft Office macro security settings, and apply patches for CVE-2017-11882. Deploy EDR rules that alert on creation of a scheduled task named MicrosoftEdgeUpdateTask and on modifications to registry Run keys. Fortinet provides IPS signatures (e.g., Cova.RAT.Exploit.11) and YARA rules for file detection.
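The host-side rules recommended above (scheduled-task name, Run-key modification, mutex name) can be prototyped as a triage pass over endpoint telemetry. The following is an added example and not Fortinet's or the page's own detection content: it runs over constructed event records whose field names are simplified stand-ins for Windows Security event 4698 (a scheduled task was created), Sysmon event 13 (registry value set) and a generic EDR mutex event, not a vendor schema. It matches the task name exactly rather than by prefix, on the assumption that legitimate Edge updater tasks carry a longer name, and it ranks Run-key writes by whether the value points at a user-writable path, since Run-key changes alone are too common to alert on.

```python
import re

# Host indicators from the profile above.
COVA_TASK_NAME = "MicrosoftEdgeUpdateTask"
COVA_MUTEX = "Cova_mutex_1234"
# Matches the Run key (not RunOnce) under any hive, as Sysmon renders it (HKLM\..., HKU\...).
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.IGNORECASE)
# Paths a standard user can write to; a Run value pointing here deserves a closer look.
USER_WRITABLE_RE = re.compile(r'\\AppData\\|\\Users\\[^\\]+\\|\\Temp\\', re.IGNORECASE)


def check_event(ev):
    """Return (severity, reason) if the event matches a Cova indicator, else None."""
    if ev.get("event_id") == 4698:
        # Exact match on the leaf name; the legitimate Edge updater tasks have a longer name.
        leaf = ev["task_name"].rsplit("\\", 1)[-1]
        if leaf == COVA_TASK_NAME:
            return ("high", f"scheduled task {leaf!r} created by {ev['user']}")
        return None
    if ev.get("event_id") == 13 and RUN_KEY_RE.search(ev.get("target_object", "")):
        details = ev.get("details", "")
        if USER_WRITABLE_RE.search(details):
            return ("medium", f"Run key {ev['target_object']} -> user-writable path {details}")
        return ("low", f"Run key {ev['target_object']} modified")
    if ev.get("mutex_name") == COVA_MUTEX:
        return ("high", f"mutex {COVA_MUTEX} created")
    return None


def triage(events):
    """Group findings by host so correlated activity on one machine is visible together."""
    by_host = {}
    for ev in events:
        hit = check_event(ev)
        if hit:
            by_host.setdefault(ev["host"], []).append(hit)
    return by_host


def max_severity(findings):
    """Highest severity in a list of (severity, reason) tuples."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((sev for sev, _ in findings), key=order.get, default=None)


# Constructed telemetry for the example; host names, SID and paths are made up.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4698, "host": "WS-0143",
     "task_name": "\\MicrosoftEdgeUpdateTask", "user": "CORP\\jdoe"},
    {"source": "Security", "event_id": 4698, "host": "WS-0143",
     "task_name": "\\MicrosoftEdgeUpdateTaskMachineCore", "user": "NT AUTHORITY\\SYSTEM"},
    {"source": "Sysmon", "event_id": 13, "host": "WS-0143",
     "target_object": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EdgeUpdate",
     "details": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"},
    {"source": "Sysmon", "event_id": 13, "host": "WS-0200",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
    {"source": "EDR", "event_id": "mutex", "host": "WS-0143", "mutex_name": COVA_MUTEX},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, max_severity(findings))
        for sev, reason in findings:
            print("  ", sev, reason)
```

Running it shows WS-0143 with three correlated hits (task, Run key pointing into a user profile, mutex), while WS-0200 carries only a low-severity Run-key change from a system path and the genuine Edge updater task is not flagged. Correlating by host in this way is what keeps the Run-key rule useful without drowning analysts in benign autorun changes.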
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.