Background

During a recent talk by a representative of MalwareBytes, it was noted that several modern malware families, notably Poweliks, Phase Bot and Kovter, are moving away from the file system and are instead establishing persistence in the registry of the host. This blog outlines the infection vector used by the Kovter malware and the analysis method used to investigate it.