2015-07-03 - Behavioural

Kovter AdFraud is updating Flash Player (and Internet Explorer)

Checking my systems I noticed multiple VM trying to grab last version of Flash and thought they were not properly setup allowing Flash Player to auto-update (which we do not want obviously - we want to keep them exploitable and also avoid behavioural/network noise).

Looking a little more carefully, i understood that this was in fact Kovter tied activity.

Screenshot of Cuckoo Behavioural tab
Process Tree - DllHost has been injected by Kovter

And when this Flash updating started ? In my systems the 2015-06-29 it seems.

Screenshot of a search in Moloch Pcap Indexer
The goal is most probably to close the door of the system to additional infection via DriveBy.

[Edit 2015-07-03] Sentrant contacted me and has another idea about those flash player updates that makes a lot of sense :
"Like most modern ad-fraud malware the developers have built Kovter to maximize the return on their ad-fraud. Currently video ads are worth considerably more than simple impression ads so in an attempt to "cash-in" on video ads the developers have added functionality to Kovter that allows it to play Flash videos
Now understanding the above I believe that the installation/update of Flash is not an attempt to "close the door on future malware" but rather an attempt to ensure that Flash videos are loaded and playable on the host. Many advertising exchanges will either not serve, or decrease the bid price of flash ads (video) to hosts who are detected using a very old version of Flash. In-fact we have seen the same Flash update behaviour on almost every other ad-fraud malware families that we have analyzed.

If all you have is a hammer, everything looks like a nail.


Note : This ( closing to others the door used to get inside ) is not a new idea/concept at all.
Betabot - Option to "protect from future infection via Exploit Kits"
But the timing is interesting.

I asked help for the reverse part.
So I have been confirmed it was Kovter activity. The config (see : http://pastebin.com/raw.php?i=NjZtv8GR ) includes those Flash update calls (and updates of Internet Explorer)
Kovter seems to have evolved a lot lately. Version right now.
The big list of IPs might be a peer node list (P2P inside?)
PS: since Kovter is now distributed in Affiliate mode, it can be dropped in almost any vector, so any kind of Exploit Kit. Here it was Fiesta:

Kovter dropped by Fiesta - 2015-07-02
Updating Flash Player :)
but you'll find it dropped by  Angler :

Malvertising chain to Kovter via Angler EK
Nuclear Pack :

Nuclear Pack dropping Kovter and Tinba /in0odrfqwbio0sa/
Neutrino :

Neutrino dropping Kovter

or as a task in botnet  (Example : this smokeloader  [updopeserver .eu] or in some bedep (id:6001) instances )

[Edit : Got a pass today on the oldest infection vector to Kovter (my bet is that it's the core team traffing there or some close partners). They used to spread it with Sakura then Styx, Sweet Orange..etc
Infection chain to Angler EK dropping Kovter.
This chain has Heavy "anti-replay" filtering and
benefits from malvert traffic

Files: Kovter_2015-07-02.zip

Thanks :
Mieke Verburgh (Malwarebytes) and Horgh for help.
For the tools : Moloch, Cuckoo, Brad Spengler from Accuvant and Will Metcalf from Emerging Threats

Read More :
Kovter: Ad Fraud Trojan - 2015-01-16 - Cyphort Labs