Kovter trojan patches Flash Player, IE to close the door to other infections

Security researcher discovered a strain of the Kovter trojan that has been updating  Flash Player and Internet Explorer to prevent further infections.

The French security expert Kafeine have discovered a new strain of the Kovter malware noticing that the instance of the malicious code he was analyzing was attempting to download the latest version of the Flash Player.

Kovter 1Kovter 1

The Kovter malware is used in Ad fraud campaigns, victims were infected by simply clicking on online advertisements and generate revenue for the websites that host the ads.

Flash Player was recently updated by Adobe in order to fix the critical vulnerability (CVE-2015-3113) that had been exploited by threat actors in targeted attacks. Kafeine reported that another exploit kit, the popular Magnitude, was integrated with the code to exploit the flaw in the Flash Player. Several exploit kits including Angler, Neutrino, RIG and Nuclear Pack have later integrated the exploit code for the same vulnerability.

Kafeine noticed a singular behavior for the new strain of the Kovter malware he tested, the malicious code, in fact, was trying to update Flash Player to the latest version 18.0.0.194. It is likely that threat actors patch the infected machine to prevent additional infections through other threat agents.

“Checking my systems I noticed multiple VM trying to grab last version of Flash and thought they were not properly setup allowing Flash Player to auto-update (which we do not want obviously – we want to keep them exploitable and also avoid behavioural/network noise).” wrote Kafeine in a blog post. “The goal is most probably to close the door of the system to additional infection via DriveBy.”

The Kovter malware does much more, it also updates the Internet Explorer browser to the latest version patching two flaws, the CVE-2013-2551 and CVE-2014-6332, exploited by a number of threat actors.

The behavior is not new, in the past security researchers observed other malicious code patching infected systems to close the door to further infection. Kafeine explained that the Betabot Trojan operates in a similar way to prevent future infections via exploit kits. The expert is surprised by the rapidity into patching the issue on the machine infected by the Kovter.

“An exploit get its way to almost all exploit kits in a matter of days, and owners of a big adfraud botnet decide to fix the issue on their ‘fleet’ almost as fast. I find this fast action/reaction interesting,” said Kafeine.

Kafeine reported that Kovter is also being served by the principal exploit kits in the wild, including the Angler EK, the Nuclear Pack, and Neutrino EK.

[adrotate banner=”9″] [adrotate banner=”12″]

(Security Affairs – Kovter, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…

36 minutes ago

New Signal update stops Windows from capturing user chats

Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…

8 hours ago

Law enforcement dismantled the infrastructure behind Lumma Stealer MaaS

Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included…

13 hours ago

Russia-linked APT28 targets western logistics entities and technology firms

CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing…

16 hours ago

A cyberattack was responsible for the week-long outage affecting Cellcom wireless network

Cellcom, a regional wireless carrier based in Wisconsin (US), announced that a cyberattack is the…

1 day ago

Coinbase data breach impacted 69,461 individuals

Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals.…

1 day ago