2018-03-27 - FAKE CHROME, FIREFOX, OR FLASH UPDATE PAGES PUSH JS MALWARE

ASSOCIATED FILES:


NOTES:


Shown above:  Flow chart for this infection chain.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:


TRAFFIC


Shown above:  Traffic from fake Flash updater page on 2018-03-27.



Shown above:  Traffic from fake Chrome updater page on 2018-03-27.



Shown above:  Traffic from fake Firefox updater page on 2018-03-27.


2018-03-22 HTTP TRAFFIC FOR FAKE UPDATER PAGES:

2018-03-22 DROPBOX URLS FOR THE FAKE UPDATERS:

2018-03-22 TRAFFIC GENERATED BY RUNNING DOWNLOADED .JS FILES:

2018-03-27 HTTP TRAFFIC FOR FAKE UPDATER PAGES:

2018-03-27 DROPBOX URLS WITH FAKE UPDATERS:

2018-03-27 TRAFFIC GENERATED BY RUNNING DOWNLOADED .JS FILES:


FILE HASHES

FAKE UPDATERS FROM DROPBOX URLS ON 2018-03-22:

FAKE UPDATERS FROM DROPBOX URLS ON 2018-03-27:


IMAGES


Shown above:  Fake Flash player update page.



Shown above:  Fake Chrome update page.



Shown above:  Fake Firefox update page.



Shown above:  One of the downloaded malicious JavaScript files.



Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
