Security Experts:

Ad Fraud Trojan Kovter Patches Flash Player, IE to Keep Other Malware Out

The ad fraud Trojan known as Kovter has been updating Adobe Flash Player and Microsoft Internet Explorer on infected systems, most likely in an effort to keep other malware out.

The French security researcher known as Kafeine discovered this new Kovter trick when he noticed that some of his virtual machines were attempting to download the latest version of Flash Player.

Adobe released Flash Player version 18.0.0.194 on June 23 in order to patch a critical vulnerability (CVE-2015-3113) that had been exploited by malicious actors in targeted attacks by an APT group. Within one week after Adobe released the patch, the exploit for this security bug was integrated into several exploit kits, including Angler, Magnitude, Neutrino, RIG and Nuclear Pack.

While some cybercriminals are hoping that systems running Flash Player will remain unpatched for as long as possible to allow them to carry out their operations, others seem to be closing the door behind them.

Kafeine says he noticed Kovter trying to update Flash Player to version 18.0.0.194 on June 29. The researcher believes the attackers are probably patching systems to prevent additional infections via drive-by attacks.

Malware that patches infected systems is not unheard of. For instance, the Betabot Trojan’s control panel allows botnet operators to command bots to tweak some settings on the infected machine to prevent future infections via exploit kits. However, in the case of Kovter, Kafeine says the timing is interesting.

“An exploit get its way to almost all exploit kits in a matter of days, and owners of a big adfraud botnet decide to fix the issue on their ‘fleet’​ almost as fast. I find this fast action/rection interesting,” Kafeine told SecurityWeek.

According to the expert, Flash Player is not the only piece of software that Kovter attempts to patch on infected devices. The malware also updates the Internet Explorer web browser to the latest version available for the infected system. The IE updates patch CVE-2013-2551 and CVE-2014-6332, two vulnerabilities that are often targeted by exploit kits.

The researcher says both IE and Flash Player are updated from official domains of Microsoft and Adobe, respectively.

Kafeine first spotted this Kovter variant being delivered by the Fiesta kit via an Internet Explorer exploit. However, the expert has pointed out that since the ad fraud Trojan is being distributed in affiliate mode, it can be dropped via any vector, including any exploit kit.

The researcher noticed Kovter also being served by the Angler, Nuclear Pack, and Neutrino exploit kits.

Ad fraud campaigns rely on malware such as Kovter to get infected computers to “click” on online advertisements and generate revenue for the websites that host the ads. Kovter was recently involved in a malvertising campaign that hit several major websites.

Kafeine says this piece of malware has evolved a great deal over the past period, currently being at version 2.0.3.5.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.