Fake Flash update leads to NetSupport RAT
ADDITIONAL BLOG POSTS ASSOCIATED WITH THIS CAMPAIGN:
Fake Flash and Chrome updates lead to Chthonic Trojan
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2018-03-08-Fake-Flash-Update-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- venturesafrica.com – COMPROMISED SITE
- 23.152.0.118 – track.positiverefreshment.org – REDIRECT TO FAKE FLASH PAGE
- 84.200.17.21 – vjro.biacap.com – DOMAIN HOSTING FAKE FLASH
- DROPBOX – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT PAYLOAD
- 185.243.112.38 – secur.rekomendasiforex.com POST /index.aspx – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT PAYLOAD
- 91.243.80.120 – GET /net9/desktop.ini.lnk – NETSUPPORT RAT PAYLOAD
- 91.243.80.120 – GET /net9/7za.exe – NETSUPPORT RAT PAYLOAD
- 91.243.80.120 – GET /net9/LogList.rtf – NETSUPPORT RAT PAYLOAD
- 91.243.80.120 – GET /net9/Upd.cmd – NETSUPPORT RAT PAYLOAD
- 179.43.191.122 Port 2259 – POST http://179.43.191.122/fakeurl.htm – NETSUPPORT RAT C2
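As an added example that is not part of the original post, the indicator list above turned into detection logic a defender can run over web-proxy logs: each stage of the chain becomes a predicate, hits are grouped per client, and a host is only called infected once both a payload download and the C2 check-in on port 2259 are seen. The log format, the stage names and the sample lines are assumptions constructed for this example, not data from the pcap.

```python
import re

# Assumed proxy-log format (constructed for this example): <timestamp> <client_ip> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)$")
# One predicate per chain stage, taken from the indicator list above. The compromised site is
# deliberately not a rule: legitimate visitors hit it too, so it is context, not a verdict.
STAGE_RULES = [
    ("redirect_to_fake_flash", lambda r: r["host"] == "track.positiverefreshment.org"),
    ("fake_flash_page", lambda r: r["host"] == "vjro.biacap.com"),
    ("js_downloader_post", lambda r: (r["host"], r["method"], r["path"])
                                     == ("secur.rekomendasiforex.com", "POST", "/index.aspx")),
    ("netsupport_payload", lambda r: r["host"] == "91.243.80.120" and r["path"].startswith("/net9/")),
    ("netsupport_c2", lambda r: (r["host"], r["port"], r["path"])
                                == ("179.43.191.122", 2259, "/fakeurl.htm")),
]

def parse_line(line: str):
    """Parse one proxy-log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"]) if rec["port"] else 80  # no explicit port means plain HTTP
    return rec

def classify(rec: dict):
    """Return the first chain stage a parsed record matches, or None."""
    return next((stage for stage, rule in STAGE_RULES if rule(rec)), None)

def detect_chain(lines: list) -> dict:
    """Map each client IP to the distinct stages observed, in order of first appearance."""
    seen: dict = {}
    for line in lines:
        rec = parse_line(line)
        stage = classify(rec) if rec else None
        if stage and stage not in seen.setdefault(rec["client"], []):
            seen[rec["client"]].append(stage)
    return seen

def chain_complete(stages: list) -> bool:
    """Payload download plus C2 check-in from one client: treat that host as infected, not merely exposed."""
    return "netsupport_payload" in stages and "netsupport_c2" in stages

# Constructed sample log mirroring the indicator list; 10.0.0.9 is benign background traffic.
SAMPLE_LOG = """\
2018-03-08T14:01:02Z 10.0.0.5 GET http://venturesafrica.com/
2018-03-08T14:01:03Z 10.0.0.5 GET http://track.positiverefreshment.org/
2018-03-08T14:01:05Z 10.0.0.5 GET http://vjro.biacap.com/
2018-03-08T14:01:40Z 10.0.0.5 POST http://secur.rekomendasiforex.com/index.aspx
2018-03-08T14:01:41Z 10.0.0.5 GET http://91.243.80.120/net9/desktop.ini.lnk
2018-03-08T14:01:50Z 10.0.0.5 POST http://179.43.191.122:2259/fakeurl.htm
2018-03-08T14:02:00Z 10.0.0.9 GET http://example.com/index.html
"""
```

Running `detect_chain(SAMPLE_LOG.splitlines())` yields all five stages for 10.0.0.5 and nothing for 10.0.0.9; a client that shows only the redirect and fake page was exposed but not infected, which is the distinction that decides whether a host needs reimaging or just a blocklist entry.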
IMAGES AND DETAILS OF INFECTION CHAIN:
(Image) Network traffic associated with the fake Flash update leading to NetSupport Manager RAT
(Image) Fake Flash Player redirect which leads to NetSupport Manager RAT
MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH UPDATE:
- flashplayer_34.9.9_plugin.js – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT
  SHA-256: 25013562660774ce0d356931e1340bf5e91078473b289fbf5f4c7aaaa2182e67
  VirusTotal Link
- Update.js – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT
  SHA-256: 159ffa7273eb9402fd91043004b39c7359bb6ca06123a3e94ef849160f8c6fec
  VirusTotal Link
- 7za.exe – NETSUPPORT MANAGER INSTALLER
  SHA-256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  VirusTotal Link