Fake Flash Update delivers Tor Bot and more

NOTES:

  • Today, after being redirected by a compromised site, I captured traffic from a fake Flash update. This did not exploit Flash. I thought it interesting because a similar infection was delivered yesterday by the Rig Exploit Kit via the EITest campaign.
  • Yesterday's Exploit Kit infection at malware-traffic-analysis.net.
  • The malicious payload is hosted on dropbox.com.
  • Emerging Threats Rule Set alerts to a possible Qadars CnC communication.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-09-01-Flash-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.25.95.39 – 4lmbkpqrklqv.net – REDIRECT GATE
  • 69.64.36.212 – adobe-secur-update.com – PHISHING SITE
  • 45.58.74.165 – dl.dropboxusercontent.com [dropbox.com] – MALICIOUS PAYLOAD
  • 176.189.232.3 – j8le7s5q745e.org – POSSIBLE Qadars CnC
  • 62.75.207.97 – konektyfor.com – POSSIBLE Qadars CnC

DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the initial infection, prior to executing the fake Flash update file

Shown above: Phishing website displaying the fake Flash update

Shown above: Script found on the index page of the compromised site redirecting to jstats.php

Shown above: Script found on the compromised site redirecting to the malicious redirect gate

Shown above: Script found on the malicious gate redirecting to the phishing website

Shown above: Script found on the phishing page directing to www.dropbox.com, where the malicious payload is hosted

Shown above: DNS traffic associated with the infection

Shown above: Some alerts generated by the Emerging Threats Rule Set

MALICIOUS PAYLOADS:

  • 2016-09-01-flashplayer22_me_install.exe
    Hybrid-Analysis Link
  • 2016-09-01-ierkmffjq.NgEWVi – [154 MB]
    C:\Users\%UserName%\AppData\Roaming\{523B4DE4-24B0-9C76-A8C6-2FD51DC6F052}
    SHA256: 2ADF560B123803FDDF836697AEFE452F18079779DFF3242CED4ABBCD71FC38B5
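As an added defensive example (not code from the original post), the following Python matches constructed proxy log lines against the indicators listed above and rebuilds the redirect chain described in the infection-chain section by walking Referer headers backwards from the payload download. The compromised-site hostname, the client addresses and the Dropbox path are placeholders.

```python
# Added example (not from the original post): match constructed proxy log lines
# against this post's indicators, then rebuild the redirect chain (compromised
# site -> jstats.php -> gate -> phishing page -> payload host) from Referer headers.
from urllib.parse import urlparse

# Indicators copied from the post's "ASSOCIATED DOMAINS AND IP ADDRESSES" list.
INDICATORS = {
    "4lmbkpqrklqv.net": "REDIRECT GATE", "85.25.95.39": "REDIRECT GATE",
    "adobe-secur-update.com": "PHISHING SITE", "69.64.36.212": "PHISHING SITE",
    "dl.dropboxusercontent.com": "MALICIOUS PAYLOAD", "45.58.74.165": "MALICIOUS PAYLOAD",
    "j8le7s5q745e.org": "POSSIBLE Qadars CnC", "176.189.232.3": "POSSIBLE Qadars CnC",
    "konektyfor.com": "POSSIBLE Qadars CnC", "62.75.207.97": "POSSIBLE Qadars CnC",
}

# Constructed log lines, "<client> <method> <url> <referer-or-dash>"; the
# compromised-site hostname and the Dropbox path are placeholders, not real values.
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised.example/index.php -
10.0.0.5 GET http://compromised.example/jstats.php http://compromised.example/index.php
10.0.0.5 GET http://4lmbkpqrklqv.net/ http://compromised.example/jstats.php
10.0.0.5 GET http://adobe-secur-update.com/ http://4lmbkpqrklqv.net/
10.0.0.5 GET https://dl.dropboxusercontent.com/PLACEHOLDER/flashplayer22_me_install.exe http://adobe-secur-update.com/
10.0.0.5 GET http://j8le7s5q745e.org/ -
10.0.0.7 GET http://www.example.org/ -
"""

def parse_log(text):
    """One dict per log line; an absent Referer is kept as '-'."""
    return [dict(zip(("client", "method", "url", "referer"), line.split()))
            for line in text.splitlines()]

def match_indicators(text):
    """(client, host, label) for every request whose host is a listed indicator."""
    rows = [(r["client"], urlparse(r["url"]).hostname) for r in parse_log(text)]
    return [(c, h, INDICATORS[h]) for c, h in rows if h in INDICATORS]

def rebuild_chain(text, client, final_host):
    """Hosts one client visited on the way to final_host, oldest first."""
    rows = [r for r in parse_log(text) if r["client"] == client]
    by_url = {r["url"]: r for r in rows}
    cur = next((r for r in rows if urlparse(r["url"]).hostname == final_host), None)
    chain, seen = [], set()
    while cur and cur["url"] not in seen:  # walk Referer links; guard against loops
        seen.add(cur["url"])
        host = urlparse(cur["url"]).hostname
        if not chain or chain[-1] != host:  # collapse hops within the same site
            chain.append(host)
        cur = by_url.get(cur["referer"])  # '-' has no entry, so the walk ends
    return chain[::-1]
```

The CnC callback has no Referer, so it appears as an isolated hit rather than as part of the web redirect chain, which is what one expects from a post-infection beacon.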