Fake Flash update leads to NetSupport RAT

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2018-02-27-Fake-Flash-NetSupport-RAT-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • plastibond.com – COMPROMISED SITE
  • 23.152.0.118 – track.amishbrand.com – WILL NOT INFECT IF DOMAIN IS BLOCKED
  • 84.200.17.21 – scene.timbervalleyfarm.com – DOMAIN HOSTING FAKE FLASH
  • DROPBOX – JAVASCRIPT TO DOWNLOAD NETSUPPORT MANAGER RAT
  • 185.243.112.38 – pn.dr906090.com POST /index.aspx – POST INFECT TRAFFIC
  • SCREENCAST GET /users/seg.net90/folders/serg_90_09022018/media/339d4871-0ad4-41bf-86ab-17fb5364e24e/desktop.ini.lnk?downloadOnly=true –  DOMAIN HOSTING NETSUPPORT MANAGER RAT INSTALLER
  • 179.43.186.90 – POST http://179.43.186.90/fakeurl.htm – NETSUPPORT MANAGER RAT C2

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: DNS traffic associated with the Fake Flash Player update and NetSupport Manager RAT

Shown above: Script from the domain hosting the Fake Flash content

Shown above: Fake Flash Player pop-up which leads to NetSupport Manager RAT

Shown above: Fake Chrome update shown when visiting the compromised site with the Chrome browser

Shown above: NetSupport RAT installer hosted on Screencast

MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH UPDATE:

  • update.js – JavaScript to download NetSupport Manager RAT
    VirusTotal Link
  • z7a.exe – NetSupport Manager RAT Installer
    VirusTotal Link
  • client32.exe – NetSupport Manager Client
    C:\Users\USERNAME\AppData\Roaming\ManifestStore
    VirusTotal Link