Fake Flash Player update delivers Net Support RAT

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-12-20-Fake-Flash-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • lexarhomes.com – COMPROMISED SITE
  • 82.211.30.208 – xdns.oxygenok.com – FAKE FLASH PLAYER UPDATE
  • dropbox[.]com – JAVASCRIPT DOWNLOADS NETSUPPORT RAT
  • 185.166.239.38 – pn.dr906090.com – NETSUPPORT MANAGER RAT DOWNLOAD
  • 5.188.231.175 – POST http://5.188.231.175/fakeurl.htm – NETSUPPORT MANAGER RAT C2
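As an added example (not part of the original post), the indicators listed above applied as a detection over constructed proxy log lines. The log format, client addresses and URL paths are assumed, and matching a POST to /fakeurl.htm on any host generalises the single C2 exchange listed above.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the list in this post, mapped to the role the post gives them.
INDICATORS = {
    "lexarhomes.com": "compromised site",
    "xdns.oxygenok.com": "fake Flash Player update",
    "82.211.30.208": "fake Flash Player update",
    "pn.dr906090.com": "NetSupport Manager RAT download",
    "185.166.239.38": "NetSupport Manager RAT download",
    "5.188.231.175": "NetSupport Manager RAT C2",
}

def refang(value):
    """Turn a defanged indicator such as dropbox[.]com back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

# dropbox[.]com is legitimate shared infrastructure: recorded as context, never alerted on alone.
CONTEXT_ONLY = {refang("dropbox[.]com")}

# Constructed proxy-style log lines (assumed format, not taken from the pcap): method URL status client.
SAMPLE_LOG = """\
GET http://lexarhomes.com/ 200 10.0.0.5
GET http://xdns.oxygenok.com/flash/update.html 200 10.0.0.5
GET https://www.dropbox.com/s/placeholder/loader.js 200 10.0.0.5
GET http://pn.dr906090.com/client32.exe 200 10.0.0.5
POST http://5.188.231.175/fakeurl.htm 200 10.0.0.5
GET https://www.example.org/ 200 10.0.0.6
"""
LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<client>\S+)$")

def scan_log(log_text):
    """Return (client, host, reason) hits; the /fakeurl.htm POST check-in is matched on any host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        url = urlparse(m["url"])
        host = (url.hostname or "").lower()
        if m["method"] == "POST" and url.path == "/fakeurl.htm":
            hits.append((m["client"], host, "NetSupport Manager RAT C2 (POST /fakeurl.htm)"))
        elif host in INDICATORS:
            hits.append((m["client"], host, INDICATORS[host]))
        elif any(host == d or host.endswith("." + d) for d in CONTEXT_ONLY):
            hits.append((m["client"], host, "context: JavaScript download host"))
    return hits

def infected_clients(log_text):
    """Clients that showed the C2 check-in, i.e. the RAT is already running."""
    return sorted({client for client, _host, reason in scan_log(log_text) if "C2" in reason})
```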


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the fake Flash Player update and NetSupport Manager RAT


Shown above: Fake Flash Player pop-up that leads to the NetSupport Manager RAT