Checking my systems, I noticed multiple VMs trying to grab the latest version of Flash and thought they were not properly set up, allowing Flash Player to auto-update (which we obviously do not want: we want to keep them exploitable and also avoid behavioural/network noise).
Looking a little more carefully, I understood that this was in fact Kovter-tied activity.
Screenshot of Cuckoo Behavioural tab Process Tree - DllHost has been injected by Kovter
And when did this Flash updating start? On my systems, 2015-06-29 it seems.
Screenshot of a search in Moloch Pcap Indexer
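As an added example (not part of the original post or of any tool it mentions), here is the kind of check that surfaces this in a lab: analysis VMs have Flash auto-update disabled, so any Flash installer fetch from one of them is the sample's doing. The script scans constructed session records (timestamp, lab host, HTTP host, method, URI), keeps only lab VMs fetching an installer package, and reports when each box first started "updating". The VM names, hostnames and the installer-name pattern are all assumptions for illustration; in a real deployment you would key on the download hosts you actually see in your own pcap index.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of sandbox/proxy session records (timestamp, lab host,
# HTTP Host header, method, URI). These are not real captures.
SAMPLE_SESSIONS = """\
2015-06-28T10:02:11Z vm-win7-01 ads.example-site.test GET /banner.swf
2015-06-29T08:14:03Z vm-win7-01 dl.example-cdn.test GET /pub/flashplayer/latest/install_flash_player.exe
2015-06-29T08:14:05Z vm-win7-01 dl.example-cdn.test GET /pub/flashplayer/latest/install_flash_player_ax.msi
2015-06-30T12:40:21Z vm-win81-03 dl.example-cdn.test GET /pub/flashplayer/latest/install_flash_player.exe
2015-06-30T12:41:00Z analyst-ws dl.example-cdn.test GET /pub/flashplayer/latest/install_flash_player.exe
2015-07-01T09:00:00Z vm-win7-02 cdn.example-site.test GET /img/logo.png
"""

# Assumed lab policy: these analysis VMs have Flash auto-update disabled, so
# an installer fetch from them is never the product updating itself.
LAB_VMS = {"vm-win7-01", "vm-win7-02", "vm-win81-03"}

# Assumed indicator: a Flash Player installer package name at the end of the URI.
FLASH_INSTALLER_RE = re.compile(r"install_flash_player[^/\s]*\.(?:exe|msi)$", re.I)


def parse_session(line: str) -> Optional[Dict[str, str]]:
    """Parse one whitespace-separated session record; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, host, method, uri = parts
    return {"ts": ts, "src": src, "host": host, "method": method, "uri": uri}


def find_unexpected_flash_fetches(lines, lab_vms=LAB_VMS) -> List[Dict[str, str]]:
    """Return the session records in which a lab VM fetched a Flash installer."""
    hits = []
    for line in lines:
        rec = parse_session(line)
        if rec is None or rec["src"] not in lab_vms:
            continue  # malformed line, or a host (e.g. an analyst box) allowed to update
        if rec["method"] == "GET" and FLASH_INSTALLER_RE.search(rec["uri"]):
            hits.append(rec)
    return hits


def first_seen_per_host(hits) -> Dict[str, str]:
    """Earliest timestamp per lab VM: when the 'updating' started on each box."""
    first: Dict[str, str] = {}
    for rec in hits:
        # ISO-8601 UTC timestamps of equal shape compare correctly as strings
        if rec["src"] not in first or rec["ts"] < first[rec["src"]]:
            first[rec["src"]] = rec["ts"]
    return first


if __name__ == "__main__":
    hits = find_unexpected_flash_fetches(SAMPLE_SESSIONS.splitlines())
    for rec in hits:
        print(f'{rec["ts"]} {rec["src"]} fetched {rec["host"]}{rec["uri"]}')
    print("first seen per VM:", first_seen_per_host(hits))
```

Only the three fetches from lab VMs are reported; the identical download from `analyst-ws` is ignored because that host is outside the no-auto-update policy. The per-host first-seen date is what answers the "when did this start?" question without scrolling through the pcap index by hand.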
Note: this (closing to others the door used to get inside) is not a new idea/concept at all.
Betabot - Option to "protect from future infection via Exploit Kits" 2014-07
----
I asked for help with the reverse-engineering part.
So it has been confirmed it was Kovter activity. The config (see: http://pastebin.com/NjZtv8GR) includes those Flash update calls.
Kovter seems to have evolved a lot lately. Version 2.0.3.5 right now.
The big list of IPs might be a peer node list (P2P inside?).
----
PS: since Kovter is now distributed in affiliate mode, it can be dropped by almost any vector, so any kind of Exploit Kit. Here it was Fiesta:
Kovter dropped by Fiesta - 2015-07-02 Updating Flash Player :)
Malvertising chain to Kovter via Angler EK 2015-07-02
Nuclear Pack dropping Kovter and Tinba /in0odrfqwbio0sa/ 2015-04-26
Neutrino dropping Kovter 2015-06-03
or as a task in a botnet (example: this SmokeLoader [updopeserver .eu] or some Bedep (id:6001) instances).
Files: Kovter_2015-07-02.zip
Thanks:
Mieke Verburgh (Malwarebytes) and Horgh for help.
For the tools: Moloch, Cuckoo, Brad Spengler from Accuvant and Will Metcalf from Emerging Threats.
Read More:
Kovter: Ad Fraud Trojan - 2015-01-16 - Cyphort Labs