Ad Fraud Trojan Kovter Patches Flash Player, IE to Keep Other Malware Out

The ad fraud Trojan known as Kovter has been updating Adobe Flash Player and Microsoft Internet Explorer on infected systems, most likely in an effort to keep other malware out.

The French security researcher known as Kafeine discovered this new Kovter trick when he noticed that some of his virtual machines were attempting to download the latest version of Flash Player.

Adobe released Flash Player version 18.0.0.194 on June 23 in order to patch a critical vulnerability (CVE-2015-3113) that had been exploited by malicious actors in targeted attacks by an APT group. Within one week after Adobe released the patch, the exploit for this security bug was integrated into several exploit kits, including Angler, Magnitude, Neutrino, RIG and Nuclear Pack.

While some cybercriminals are hoping that systems running Flash Player will remain unpatched for as long as possible to allow them to carry out their operations, others seem to be closing the door behind them.

Kafeine says he noticed Kovter trying to update Flash Player to version 18.0.0.194 on June 29. The researcher believes the attackers are probably patching systems to prevent additional infections via drive-by attacks.

Malware that patches infected systems is not unheard of. For instance, the Betabot Trojan’s control panel allows botnet operators to command bots to tweak some settings on the infected machine to prevent future infections via exploit kits. However, in the case of Kovter, Kafeine says the timing is interesting.

“An exploit gets its way to almost all exploit kits in a matter of days, and owners of a big adfraud botnet decide to fix the issue on their ‘fleet’ almost as fast. I find this fast action/reaction interesting,” Kafeine told SecurityWeek.

According to the expert, Flash Player is not the only piece of software that Kovter attempts to patch on infected devices. The malware also updates the Internet Explorer web browser to the latest version available for the infected system. The IE updates patch CVE-2013-2551 and CVE-2014-6332, two vulnerabilities that are often targeted by exploit kits.

The researcher says both IE and Flash Player are updated from official domains of Microsoft and Adobe, respectively.

Kafeine first spotted this Kovter variant being delivered by the Fiesta kit via an Internet Explorer exploit. However, the expert has pointed out that since the ad fraud Trojan is being distributed in affiliate mode, it can be dropped via any vector, including any exploit kit.

The researcher noticed Kovter also being served by the Angler, Nuclear Pack, and Neutrino exploit kits.

Ad fraud campaigns rely on malware such as Kovter to get infected computers to “click” on online advertisements and generate revenue for the websites that host the ads. Kovter was recently involved in a malvertising campaign that hit several major websites.

Kafeine says this piece of malware has evolved a great deal recently and is currently at version 2.0.3.5.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.