Fake Flash Update delivers Tor Bot and more
NOTES:
- Today, after being redirected by a compromised site, I captured traffic from a fake Flash update. This did not exploit Flash. I thought it interesting because a similar infection was delivered yesterday by the Rig Exploit Kit via the EiTest campaign.
- Yesterday's Exploit Kit infection at malware-traffic-analysis.net.
- The malicious payload is hosted on dropbox.com.
- Emerging Threats Rule Set alerts to a possible Qadars CnC communication.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-09-01-Flash-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 85.25.95.39 – 4lmbkpqrklqv.net – REDIRECT GATE
- 69.64.36.212 – adobe-secur-update.com – PHISHING SITE
- 45.58.74.165 – dl.dropboxusercontent.com [dropbox.com] – MALICIOUS PAYLOAD
- 176.189.232.3 – j8le7s5q745e.org – POSSIBLE Qadars CnC
- 62.75.207.97 – konektyfor.com – POSSIBLE Qadars CnC
DETAILS OF INFECTION CHAIN:
Shown above: Network traffic associated with the initial infection, prior to executing the fake Flash update file.
Shown above: Phishing website displaying the fake Flash update.
Shown above: Script found on the index page of the compromised site, redirecting to jstats.php.
Shown above: Script found on the compromised site, redirecting to the malicious redirect gate.
Shown above: Script found on the malicious gate, redirecting to the phishing website.
Shown above: Script found on the phishing page, directing to www.dropbox.com where the malicious payload is hosted.
Shown above: DNS traffic associated with the infection.
Shown above: Some alerts generated by the Emerging Threats Rule Set.
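As an added example (not from the original post or the pcap), the script below matches constructed proxy log lines against the domains and IPs listed above and tracks, per client, how far along the chain (redirect gate, phishing site, Dropbox download, CnC) each host got, so that ordinary Dropbox traffic alone does not raise an alert. The log line format and client addresses are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the post, mapped to their role in the infection chain.
INDICATORS = {
    "4lmbkpqrklqv.net": "gate", "85.25.95.39": "gate",
    "adobe-secur-update.com": "phishing", "69.64.36.212": "phishing",
    "dl.dropboxusercontent.com": "payload",
    "j8le7s5q745e.org": "cnc", "176.189.232.3": "cnc",
    "konektyfor.com": "cnc", "62.75.207.97": "cnc",
}
# Stages in the order the post describes them; a client advances only by hitting the next one.
STAGES = ["gate", "phishing", "payload", "cnc"]

# Constructed proxy log lines (assumed format: timestamp client host path); not from the pcap.
SAMPLE_LOG = """\
2016-09-01T14:02:11 10.0.0.5 4lmbkpqrklqv.net /
2016-09-01T14:02:12 10.0.0.5 adobe-secur-update.com /index.php
2016-09-01T14:02:40 10.0.0.5 dl.dropboxusercontent.com /s/EXAMPLE/flashplayer22_me_install.exe
2016-09-01T14:03:15 10.0.0.5 j8le7s5q745e.org /
2016-09-01T14:05:00 10.0.0.7 www.example.com /
2016-09-01T14:06:00 10.0.0.9 dl.dropboxusercontent.com /s/EXAMPLE/report.pdf
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_hits(log_text):
    """Return {client: [(timestamp, stage), ...]} for lines whose host is a listed indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, _path = m.groups()
        stage = INDICATORS.get(host.lower())
        if stage:
            hits[client].append((ts, stage))
    return hits

def assess(log_text):
    """Per client: chain stages reached in order, and whether a CnC host was contacted at all."""
    verdicts = {}
    for client, events in parse_hits(log_text).items():
        reached = 0
        for _, stage in sorted(events):  # chronological; Dropbox alone never advances past 0
            if reached < len(STAGES) and stage == STAGES[reached]:
                reached += 1
        verdicts[client] = {"stages_in_order": reached,
                            "cnc_contact": any(s == "cnc" for _, s in events)}
    return verdicts
```

A client with stages_in_order of 3 or 4, or any cnc_contact, is the one worth pulling the full session for.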
MALICIOUS PAYLOADS:
- 2016-09-01-flashplayer22_me_install.exe
Hybrid-Analysis Link - 2016-09-01-ierkmffjq.NgEWVi – [154 MB]
C:\Users\%UserName%\AppData\Roaming\{523B4DE4-24B0-9C76-A8C6-2FD51DC6F052}
SHA256: 2ADF560B123803FDDF836697AEFE452F18079779DFF3242CED4ABBCD71FC38B5