Fake Flash update leads to NetSupport RAT

ADDITIONAL BLOG POSTS ASSOCIATED WITH THIS CAMPAIGN:

Fake Flash and Chrome updates lead to Chthonic Trojan
Fake Flash update leads to NetSupport RAT

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-03-08-Fake-Flash-Update-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • venturesafrica.com – COMPROMISED SITE
  • 23.152.0.118 – track.positiverefreshment.org – REDIRECT TO FAKE FLASH PAGE
  • 84.200.17.21 – vjro.biacap.com – DOMAIN HOSTING FAKE FLASH
  • DROPBOX – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT PAYLOAD
  • 185.243.112.38 – secur.rekomendasiforex.com POST /index.aspx – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT PAYLOAD
  • 91.243.80.120 – GET /net9/desktop.ini.lnk – NETSUPPORT RAT PAYLOAD
  • 91.243.80.120 – GET /net9/7za.exe – NETSUPPORT RAT PAYLOAD
  • 91.243.80.120 – GET /net9/LogList.rtf – NETSUPPORT RAT PAYLOAD
  • 91.243.80.120 – GET /net9/Upd.cmd – NETSUPPORT RAT PAYLOAD
  • 179.43.191.122 Port 2259 – POST http://179.43.191.122/fakeurl.htm – NETSUPPORT RAT C2
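As an added example that is not part of the original post, the Python script below matches HTTP proxy log lines against the hosts, IP addresses and URI paths listed above and flags a client as likely infected once payload-download or C2 traffic appears, rather than on the compromised-site or redirect hits alone. The log lines and their five-field format (timestamp, client, method, URL, status) are constructed for the example; the indicator values themselves are the ones from the list above.

```python
"""Match HTTP proxy log lines against the indicators listed in the post."""
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the post: hostname or IP -> role in the infection chain.
IOC_HOSTS = {
    "venturesafrica.com": "compromised site",
    "track.positiverefreshment.org": "redirect to fake Flash page",
    "23.152.0.118": "redirect to fake Flash page",
    "vjro.biacap.com": "fake Flash page",
    "84.200.17.21": "fake Flash page",
    "secur.rekomendasiforex.com": "JavaScript downloader stage",
    "185.243.112.38": "JavaScript downloader stage",
    "91.243.80.120": "NetSupport RAT payload host",
    "179.43.191.122": "NetSupport RAT C2",
}

# URI paths from the post. They are only consulted after the host matched,
# because names like /index.aspx are far too generic to alert on alone.
IOC_PATHS = {
    "/index.aspx": "JavaScript downloader stage",
    "/net9/desktop.ini.lnk": "NetSupport RAT payload",
    "/net9/7za.exe": "NetSupport RAT payload",
    "/net9/LogList.rtf": "NetSupport RAT payload",
    "/net9/Upd.cmd": "NetSupport RAT payload",
    "/fakeurl.htm": "NetSupport RAT C2 check-in",
}

# Constructed sample log (not real traffic): "<ts> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2018-03-08T14:02:11Z 10.0.0.5 GET http://venturesafrica.com/ 200
2018-03-08T14:02:12Z 10.0.0.5 GET http://track.positiverefreshment.org/some/path 302
2018-03-08T14:02:13Z 10.0.0.5 GET http://vjro.biacap.com/flashplayer_34.9.9_plugin.js 200
2018-03-08T14:02:20Z 10.0.0.5 POST http://secur.rekomendasiforex.com/index.aspx 200
2018-03-08T14:02:25Z 10.0.0.5 GET http://91.243.80.120/net9/7za.exe 200
2018-03-08T14:03:01Z 10.0.0.5 POST http://179.43.191.122:2259/fakeurl.htm 200
2018-03-08T14:03:05Z 10.0.0.7 GET http://example.com/index.html 200
2018-03-08T14:03:09Z 10.0.0.7 GET http://venturesafrica.com/article 200
"""


def parse_line(line):
    """Split one log line into its fields and the URL's host/port/path."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip malformed lines instead of crashing the scan
    ts, client, method, url, status = parts
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "status": status,
            "host": u.hostname or "", "port": u.port, "path": u.path}


def match_iocs(lines):
    """Return one hit per line whose host is listed, tagged with the chain stage."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["host"] not in IOC_HOSTS:
            continue
        # A listed path refines the stage; otherwise fall back to the host's role.
        stage = IOC_PATHS.get(rec["path"], IOC_HOSTS[rec["host"]])
        hits.append({"line": n, "client": rec["client"], "host": rec["host"],
                     "port": rec["port"], "path": rec["path"], "stage": stage})
    return hits


def summarize_by_client(hits):
    """Group stages per client; payload or C2 traffic marks the client as likely infected."""
    stages = defaultdict(set)
    for h in hits:
        stages[h["client"]].add(h["stage"])
    verdict = {}
    for client, seen in stages.items():
        infected = any(s.startswith("NetSupport RAT") for s in seen)
        label = "likely infected" if infected else "exposed, no payload seen"
        verdict[client] = (label, sorted(seen))
    return verdict


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h['line']}: {h['client']} -> {h['host']}{h['path']} [{h['stage']}]")
    for client, (label, seen) in summarize_by_client(found).items():
        print(f"{client}: {label}; stages: {', '.join(seen)}")
```

Running it on the sample prints one hit for each of the six stages seen from 10.0.0.5 and a single compromised-site hit for 10.0.0.7, so only the first client is reported as likely infected. The split between host and path indicators is deliberate: visiting the compromised site is expected for ordinary users, while a fetch from the /net9/ payload directory or a POST to /fakeurl.htm on port 2259 is the signal worth paging on.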


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the fake Flash update leading to NetSupport Manager RAT


Shown above: Fake Flash Player redirect which leads to NetSupport Manager RAT


MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH UPDATE:

  • flashplayer_34.9.9_plugin.js – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT
    SHA-256: 25013562660774ce0d356931e1340bf5e91078473b289fbf5f4c7aaaa2182e67
    VirusTotal Link
  • Update.js – JAVASCRIPT TO DOWNLOAD NETSUPPORT RAT
    SHA-256: 159ffa7273eb9402fd91043004b39c7359bb6ca06123a3e94ef849160f8c6fec
    VirusTotal Link
  • 7za.exe – NETSUPPORT MANAGER INSTALLER
    SHA-256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
    VirusTotal Link