Fake Flash update leads to NetSupport RAT

Mar 08, 2018 by Analysis in Pcap File

ADDITIONAL BLOG POSTS ASSOCIATED WITH THIS CAMPAIGN:

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2018-03-08-Fake-Flash-Update-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

venturesafrica.com – COMPROMISED SITE
23.152.0.118 – track.positiverefreshment.org – REDIRECT TO FAKE FLASH PAGE
84.200.17.21 – vjro.biacap.com – DOMAIN HOSTING FAKE FLASH
DROPBOX – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT PAYLOAD
185.243.112.38 – secur.rekomendasiforex.com POST /index.aspx – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT PAYLOAD
91.243.80.120 – GET /net9/desktop.ini.lnk – NETSUPPORT RAT PAYLOAD
91.243.80.120 – GET /net9/7za.exe – NETSUPPORT RAT PAYLOAD
91.243.80.120 – GET /net9/LogList.rtf – NETSUPPORT RAT PAYLOAD
91.243.80.120 – GET /net9/Upd.cmd – NETSUPPORT RAT PAYLOAD
179.43.191.122 Port 2259 – POST http://179.43.191.122/fakeurl.htm – NETSUPPORT RAT C2

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the fake Flash update leading to NetSupport Manager RAT

Shown above: Fake Flash Player redirect which leads to NetSupport Manager RAT

MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH UPDATE:

flashplayer_34.9.9_plugin.js – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT
SHA-256: 25013562660774ce0d356931e1340bf5e91078473b289fbf5f4c7aaaa2182e67
VirusTotal Link
Update.js – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT
SHA-256: 159ffa7273eb9402fd91043004b39c7359bb6ca06123a3e94ef849160f8c6fec
VirusTotal Link
7za.exe – NETSUPPORT MANAGER INSTALLER
SHA-256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
VirusTotal Link

Tagged with: Fake Flash, Indicator's of Compromise, Malware analysis, Malware Research, NetSupport Manager RAT, New York