Fake Flash Update delivers Tor Bot and more
- Today, after being redirected by a compromised site, I captured traffic from a fake Flash update. This did not exploit Flash. I thought it interesting because a similar infection was delivered yesterday by the Rig Exploit Kit via the EITest campaign.
- Yesterday's Exploit Kit infection at malware-traffic-analysis.net.
- The malicious payload is hosted on dropbox.com.
- Emerging Threats Rule Set alerts to a possible Qadars CnC communication.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 220.127.116.11 – 4lmbkpqrklqv.net – REDIRECT GATE
- 18.104.22.168 – adobe-secur-update.com – PHISHING SITE
- 22.214.171.124 – dl.dropboxusercontent.com [dropbox.com] – MALICIOUS PAYLOAD
- 126.96.36.199 – j8le7s5q745e.org – POSSIBLE Qadars CnC
- 188.8.131.52 – konektyfor.com – POSSIBLE Qadars CnC
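Added example (an editor's addition, not code from the original post): the five domains listed above, with the page's own stage labels, matched against a few constructed proxy log lines so the redirect gate, phishing site, payload download and possible CnC traffic can be pulled out per client in order. The log format (timestamp, client, method, URL, status) and the log lines themselves are assumptions; the domains and labels are the ones on this page. Note that dl.dropboxusercontent.com is a legitimate CDN, so a hit on it is only meaningful in sequence with the other stages.

```python
"""Match the infection-chain domains from the post against proxy log lines.

Editor's example; the sample log lines below are constructed, not captured.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators and stage labels as listed in the post.
IOC_DOMAINS = {
    "4lmbkpqrklqv.net": "REDIRECT GATE",
    "adobe-secur-update.com": "PHISHING SITE",
    "dl.dropboxusercontent.com": "MALICIOUS PAYLOAD",  # legitimate CDN; weak on its own
    "j8le7s5q745e.org": "POSSIBLE Qadars CnC",
    "konektyfor.com": "POSSIBLE Qadars CnC",
}

# Constructed sample log (assumed format: ts client method url status).
SAMPLE_LOG = """\
1472731200.101 10.0.0.5 GET http://compromised-example.test/index.html 200
1472731201.340 10.0.0.5 GET http://4lmbkpqrklqv.net/?x=1 302
1472731202.012 10.0.0.5 GET http://adobe-secur-update.com/flash_player_update.html 200
1472731215.777 10.0.0.5 GET https://dl.dropboxusercontent.com/s/abc/update.exe 200
1472731240.900 10.0.0.5 POST http://j8le7s5q745e.org/gate.php 200
1472731241.500 10.0.0.5 GET http://www.dropbox.com/ 200
1472731300.100 10.0.0.7 GET http://konektyfor.com/ 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_of(url: str) -> str:
    """Extract a normalised hostname from a URL ('' if none)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def match_ioc(host: str):
    """Return the stage label if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for domain, label in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def scan(log_text: str):
    """Return (ts, client, host, label) for every log line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = host_of(m["url"])
        label = match_ioc(host)
        if label:
            hits.append((float(m["ts"]), m["client"], host, label))
    return hits


def chains_by_client(hits):
    """Group hits per client, in time order, as a list of stage labels."""
    chains = defaultdict(list)
    for _ts, client, _host, label in sorted(hits):
        chains[client].append(label)
    return dict(chains)


if __name__ == "__main__":
    for client, stages in chains_by_client(scan(SAMPLE_LOG)).items():
        print(client, " -> ".join(stages))
```

Run against real proxy or Zeek http logs, a client that walks gate, phishing site, payload and CnC in that order is the pattern worth alerting on; a lone hit on the Dropbox CDN is not.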
DETAILS OF INFECTION CHAIN:
- 2016-09-01-ierkmffjq.NgEWVi – [154 MB]