2019-06-28 - QUICK POST: FAKE UPDATES CAMPAIGN SENDS CHTHONIC
- Traffic: 2019-06-28-fake-updates-campaign-sends-Chthonic.pcap.zip 7.7 MB (7,672,769 bytes)
- Malware/artifacts: 2019-06-28-fake-updates-campaign-malware-and-artifacts.zip 449 kB (449,165 bytes)
- I'm seeing the same type of traffic I did during my last blog about this on 2019-04-05.
- A base64 string representing the malicious .js file or zip containing the .js file is returned from the initial URL for the fake Firefox/Flash/Google Chrome/ update page.
- No more abusing Dropbox like I'd documented back in February 2019.
- Zip archives are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Shown above: Fake Firefox update page with link to malicious download.
Shown above: Some URLs for the fake Firefox update page.
Shown above: The index (initial) page for the fake Firefox update.
Shown above: Base64 string in the fake update index page represents a malicious zip file.
Shown above: Name for the malicious zip file and other related script information.
Shown above: The zip archive was automatically sent, even when I didn't press the green update button.
Shown above: The malicious zip file and extracted .js file.
Shown above: Traffic from running the .js file followed by Chthonic post-infection traffic. Two reboots were noted during this infection.
Each line with www.msftncsi.com indicates where my infected Windows host rebooted.
Shown above: HTTP POST request that sent a screen shot of my infected Windows host.
Click here to return to the main page.