Fake Flash update from phishing site delivers Qadars banking malware

NOTES:

  • Today, after being redirected by a compromised site, I captured traffic from a fake Flash update. This did not exploit Flash.
  • The malicious payload is hosted on dropbox.com.
  • The infection also included Tor traffic and the delivery of a second malicious payload. However, the file size was 184 MB and too large to include in the pcap or upload to Virus Total. I included the file hash at the bottom of the blog post.
  • UPDATE – Secondary payload has been added to Virus Total. Thanks to @JAMESWT_MHT for his help.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-11-1-Fake-Flash-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • dateyou.me – COMPROMISED SITE
  • dateyou.me GET /media/system/js/statc40.php – INJECTED REDIRECT SCRIPT
  • 185.93.187.116 – profixsysline.net – REDIRECT GATE
  • 185.93.187.109 – adobe-flash-player.org – PHISHING LANDING PAGE
  • 108.160.172.238 Port 443 – dropbox.com – MALICIOUS DOWNLOAD
  • 199.47.217.101 Port 443 – dl.dropboxusercontent.com – MALICIOUS DOWNLOAD
    – https://www.dropbox.com/s/zyzxxje6c903ce9/update_flashplayer_vc18.exe?dl=1
  • 50.191.84.32 Port 443 – igyo6saomki0.net – QADARS POST INFECT TRAFFIC
  • 62.75.207.97 Port 443 – prolinesti.net – QADARS POST INFECT TRAFFIC

ASSOCIATED DNS QUERIES:

  • 42kmc2wqsaci.top
  • 62CF0FDD86CB3EC25F76D8B83400E6F8.igyo6saomki0.net
  • 62cf0fdd86cb3ec25f76d8b83400e6f8.prolinesti.net
  • angela127.com
  • liveskansys.com
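As an added example (not code from the original post or its pcap), a small Python detection pass that applies two observations from the lists above to constructed log records: the 32-hex-character label prepended to both Qadars C2 query names, and the Flash-named .exe fetched directly from Dropbox. The "DNS <qname>" / "HTTP <url>" record format and the sample lines are assumptions; the domains and the download URL are the ones listed in this post.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
QADARS_C2_DOMAINS = {"igyo6saomki0.net", "prolinesti.net"}
FILE_SHARING_HOSTS = ("dropbox.com", "dropboxusercontent.com")
# Both Qadars DNS queries in the post carry a 32-hex-character leftmost label.
HEX32_LABEL = re.compile(r"^[0-9a-f]{32}\.(?P<parent>.+)$")

def classify_dns_query(qname):
    """Return a finding for one DNS query name, or None if nothing matched."""
    name = qname.rstrip(".").lower()
    m = HEX32_LABEL.match(name)
    if m and m.group("parent") in QADARS_C2_DOMAINS:
        return "qadars-c2: 32-hex label on known C2 domain " + m.group("parent")
    if m:
        return "suspicious: 32-hex label on " + m.group("parent")
    if name in QADARS_C2_DOMAINS:
        return "qadars-c2: known C2 domain"
    return None

def classify_download(url):
    """Flag a Flash-named executable fetched from a file-sharing host."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    if not path.endswith(".exe") or "flash" not in path:
        return None
    if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
        return "fake-flash: Flash-named .exe served from " + host
    return None

CHECKS = {"DNS": classify_dns_query, "HTTP": classify_download}
def scan_log(lines):
    """Run the checks over 'DNS <qname>' / 'HTTP <url>' records; return (record, finding) pairs."""
    findings = []
    for line in lines:
        kind, _, value = line.strip().partition(" ")
        hit = CHECKS.get(kind, lambda _v: None)(value)
        if hit:
            findings.append((line.strip(), hit))
    return findings

# Constructed sample records (hypothetical format, not the pcap); indicator values come from the post.
SAMPLE_LOG = [
    "DNS 62CF0FDD86CB3EC25F76D8B83400E6F8.igyo6saomki0.net",
    "DNS angela127.com",
    "HTTP https://www.dropbox.com/s/zyzxxje6c903ce9/update_flashplayer_vc18.exe?dl=1",
    "HTTP https://www.example.com/downloads/report.pdf",
]
```

Running `scan_log(SAMPLE_LOG)` flags the Qadars query and the Dropbox download and leaves the other two records alone; the 32-hex heuristic also fires on unlisted parent domains, which is deliberate so new infrastructure of the same shape still surfaces for review.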


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the fake Flash update and phishing page which led to the delivery of Qadars banking malware

Shown above: Injected script found on the compromised site redirecting to the profixsysline.net gate

Shown above: Script found on the redirect gate redirecting to the Flash phishing page

Shown above: Script found on the fake Flash phishing page directing to the malicious payload hosted on Dropbox.com

Shown above: It must be true. I must be running an outdated version of Flash, so I clicked Run to download and execute the malicious file

Shown above: DNS network traffic associated with the infection chain


MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH INFECTION:

  • 2016-11-1-update_flashplayer_vc18.exe
    Virus Total Link
  • 2016-11-1-elynxyttb.exe [184 MB]
    Virus Total Link
    SHA256:
    0eee602b47ebfd2d7e81a37ad44a0a925b5fdda24e53535cabff39da0112fbf2