2014-04-24 - FAKE FLASH UPDATE FROM 217.26.210.127 (WWW.WIZARDCOMPUTERS.RS) POINTS TO MALWARE ON MICROSOFT ONEDRIVE IP
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-04-24-fake-flash-updater.pcap.zip
- ZIP file of the malware: 2014-04-24-fake-flash-updater-and-follow-up-malware.zip
NOTES:
- This is the second time I've found malware served from Microsoft's OneDrive (formerly known as SkyDrive). I previously saw OneDrive-hosted malware on 2014-04-02 (link).
- I've notified Microsoft's Abuse Department about this OneDrive-related traffic.
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 175.107.161.11 - www.truecamping.com.au - Compromised website
- 217.26.210.127 - www.wizardcomputers.rs - Pop-up window for fake Flash update
- 134.170.107.96 - 6crjjq.bl3301.livefilestore.com - Microsoft OneDrive IP hosting initial malware
- 46.244.10.229 - domainforluck.com - Post-infection callback from initial malware
- 216.151.164.53 - arkinsoftware.in - Follow-up malware downloads
- 50.46.176.128 - unuse-bubler.com - Asprox-style callback (didn't return anything)
- 74.70.132.222 - tundra-tennes.com - Asprox-style callback (returned more malware)
INFECTION CHAIN OF EVENTS
- 01:16:03 UTC - 172.16.223.131:49181 - 175.107.161.11:80 - www.truecamping.com.au - GET /
- 01:16:05 UTC - 172.16.223.131:49185 - 175.107.161.11:80 - www.truecamping.com.au - GET /js/jquery-main.js
- 01:16:06 UTC - 172.16.223.131:49181 - 175.107.161.11:80 - www.truecamping.com.au - GET /js/mainjs.js
- 01:16:08 UTC - 172.16.223.131:49187 - 217.26.210.127:80 - www.wizardcomputers.rs - GET /6FjPbcB9.php?id=1533776
- 01:16:11 UTC - 172.16.223.131:49187 - 217.26.210.127:80 - www.wizardcomputers.rs - GET /6FjPbcB9.php?id=1533797
- 01:16:16 UTC - 172.16.223.131:49187 - 217.26.210.127:80 - www.wizardcomputers.rs - GET /6FjPbcB9.php?html=27
- 01:16:21 UTC - 172.16.223.131:49187 - 217.26.210.127:80 - www.wizardcomputers.rs - GET /checker.php [repeats throughout PCAP]
- 01:18:21 UTC - 172.16.223.131:49221 - 134.170.107.96:443 - 6crjjq.bl3301.livefilestore.com - GET /y2m7aguWRexJZt7ZjyjL4JtyA4Ap1qWdFzlKELvo2ETWC09AqvORlhWNe_hdTHAKpF4UCsDaCeXLKFlFDGpduSIUCAJ6WOHHzQ89ELoAAPl8pk/FlashUpdater.exe [!]
POST-INFECTION CALLBACK TRAFFIC
- 01:19:26 UTC - 172.16.223.131:49225 - 46.244.10.229:80 - domainforluck.com - POST /oopahdei/456547/index.php HTTP/1.0
- 01:19:28 UTC - 172.16.223.131:49226 - 216.151.164.53:80 - arkinsoftware.in - GET /images/inexsabit.exe HTTP/1.0 [!]
- 01:19:31 UTC - 172.16.223.131:49227 - 216.151.164.53:80 - arkinsoftware.in - GET /images/aveksynkens.exe HTTP/1.0 [!]
- 01:19:37 UTC - 172.16.223.131:49228 - 216.151.164.53:80 - arkinsoftware.in - GET /images/tobnenuko.exe HTTP/1.0
- 01:19:38 UTC - 172.16.223.131:49229 - 216.151.164.53:80 - arkinsoftware.in - GET /images/nukotobne.exe HTTP/1.0 [!]
- 01:20:17 UTC - 172.16.223.131:49232 - 50.46.176.128:80 - unuse-bubler.com - GET /b/shoe/54607
- 01:20:29 UTC - 172.16.223.131:49234 - 74.70.132.222:80 - tundra-tennes.com - GET /script-components12.89/jquery/ [!]
NOTE: Items marked [!] returned malware
PRELIMINARY MALWARE ANALYSIS
INITIAL MALWARE - FAKE FLASH UPDATER
File name: FlashUpdater.exe
File size: 118.0 KB ( 120832 bytes )
MD5 hash: 68e4b27d5e790979bccea0d8e93a5b9f
Detection ratio: 13 / 51
First submission: 2014-04-23 18:37:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/0d911b2072c3c67758e059012030c31b0dcb6e0248d34f365a4cf4e29b331ad9/analysis
Malwr link: https://malwr.com/analysis/OGVkZDg1N2YwNGU4NDA3NmJhMmQyYTU3NDYxNzMxMGQ/
FOLLOW-UP MALWARE - 1 OF 3
File name: 2014-04-24-follow-up-malware-01.exe
File size: 108.0 KB ( 110596 bytes )
MD5 hash: 315cf0d5defe6c0327acdecae563ecfc
Detection ratio: 7 / 51
First submission: 2014-04-24 00:34:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/4b7573badb96227700bc8b16574f3f4d5fa788a9d49f04655cdf909b26ac6f5b/analysis/
Malwr link: https://malwr.com/analysis/MmVjOTkyYzYzMzY0NDk5MmFhNGFhM2JhNjIyNjI1Yjg/
FOLLOW-UP MALWARE - 2 OF 3
File name: 2014-04-24-follow-up-malware-02.exe
File size: 1.0 MB ( 1092608 bytes )
MD5 hash: 599d9dddd040ee1f4b38574d98ffdc78
Detection ratio: 11 / 51
First submission: 2014-04-24 06:23:42 UTC
VirusTotal link: https://www.virustotal.com/en/file/00e6f3f97c7fe262065f7f35d95262b5267c0ce0b8f336d08d763558f40a0d86/analysis/
Malwr link: https://malwr.com/analysis/NGEyM2Q2OTBmNDVmNDk2Mzg4MjAyYjBlNTJkMjM4N2E/
FOLLOW-UP MALWARE - 3 OF 3
File name: 2014-04-24-follow-up-malware-03.exe
File size: 120.0 KB ( 122880 bytes )
MD5 hash: a0143204646ece052057a450e71f2213
Detection ratio: 5 / 51
First submission: 2014-04-24 06:24:22 UTC
VirusTotal link:
Malwr link: https://malwr.com/analysis/ZmY4NDBiNGM2Y2M4NGQxNWJiMDc4NjYwZGExYTkwNmI/
FOLLOW-UP MALWARE DELIVERED ASPROX-STYLE
File name: UpdateFlashPlayer_5098f33b.exe
File size: 164.0 KB ( 167936 bytes )
MD5 hash: d6a802bb37242e03142c0697160815a7
Detection ratio: 9 / 51
First submission: 2014-04-23 22:13:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/ee222faf4d1dea89df6d7dc8d52fc8bc0c0527e41883fb2e658e900995666e1b/analysis/
Malwr link: https://malwr.com/analysis/ZmIwMzlkNzA3YWMzNGU2ZTgyYzAwY2VjMzk2ZWIwZjU/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-04-24 01:16:06 UTC - 175.107.161.11:80 - 172.16.223.131:49185 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag
- 2014-04-24 01:18:20 UTC - 134.170.107.96:443 - 172.16.223.131:49221 - ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
- 2014-04-24 01:18:20 UTC - 134.170.107.96:443 - 172.16.223.131:49221 - ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
- 2014-04-24 01:19:26 UTC - 172.16.223.131:49225 - 46.244.10.229:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
- 2014-04-24 01:19:28 UTC - 172.16.223.131:49226 - 216.151.164.53:80 - ET TROJAN Possible Graftor EXE Download Common Header Order
- 2014-04-24 01:19:28 UTC - 216.151.164.53:80 - 172.16.223.131:49226 - ET POLICY PE EXE or DLL Windows file download
- 2014-04-24 01:19:37 UTC - 216.151.164.53:80 - 172.16.223.131:49228 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag
- 2014-04-24 01:20:30 UTC - 74.70.132.222:80 - 172.16.223.131:49234 - ET POLICY PE EXE or DLL Windows file download
- 2014-04-24 01:20:31 UTC - 74.70.132.222:80 - 172.16.223.131:49234 - GPL SHELLCODE x86 NOOP
- 2014-04-24 01:20:30 UTC - 74.70.132.222:80 - 172.16.223.131:49234 - ET INFO EXE - Served Attached HTTP
- 2014-04-24 01:20:30 UTC - 74.70.132.222:80 - 172.16.223.131:49234 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
- 2014-04-24 01:23:01 UTC - 172.16.223.131:49166 - 173.194.46.16:80 - ET TROJAN Zeus Bot Request to CnC
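The Snort events above and the infection chain earlier describe the same connections from two sides, and tying them together is the first step in working a capture like this. Below is an added example (my own code, not the author's tooling) that parses both lists in the layouts this write-up uses and attaches each alert to the request on the same connection; the sample lines are a subset copied from the lists above, and the last Snort line deliberately has no matching request in the chain list, so it comes out as unmatched.

```python
"""Correlate Snort alerts with the HTTP requests that triggered them.

Added example for this write-up; it is not the author's tooling. It keys
both lists on the client/server socket pair, which is identical for the
request (client -> server) and for the response (server -> client), so an
alert fired on either direction lands on the right request.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Subset of the infection-chain and Snort-event lines from the write-up,
# in its own "time - src - dst - host - request" and
# "date time - src - dst - signature" layouts.
HTTP_LINES = """\
01:16:05 UTC - 172.16.223.131:49185 - 175.107.161.11:80 - www.truecamping.com.au - GET /js/jquery-main.js
01:18:21 UTC - 172.16.223.131:49221 - 134.170.107.96:443 - 6crjjq.bl3301.livefilestore.com - GET /y2m7aguWRexJZt7ZjyjL4JtyA4Ap1qWdFzlKELvo2ETWC09AqvORlhWNe_hdTHAKpF4UCsDaCeXLKFlFDGpduSIUCAJ6WOHHzQ89ELoAAPl8pk/FlashUpdater.exe [!]
01:19:26 UTC - 172.16.223.131:49225 - 46.244.10.229:80 - domainforluck.com - POST /oopahdei/456547/index.php HTTP/1.0
01:19:28 UTC - 172.16.223.131:49226 - 216.151.164.53:80 - arkinsoftware.in - GET /images/inexsabit.exe HTTP/1.0 [!]
01:20:29 UTC - 172.16.223.131:49234 - 74.70.132.222:80 - tundra-tennes.com - GET /script-components12.89/jquery/ [!]
"""

SNORT_LINES = """\
2014-04-24 01:16:06 UTC - 175.107.161.11:80 - 172.16.223.131:49185 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag
2014-04-24 01:18:20 UTC - 134.170.107.96:443 - 172.16.223.131:49221 - ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
2014-04-24 01:19:26 UTC - 172.16.223.131:49225 - 46.244.10.229:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2014-04-24 01:19:28 UTC - 216.151.164.53:80 - 172.16.223.131:49226 - ET POLICY PE EXE or DLL Windows file download
2014-04-24 01:20:30 UTC - 74.70.132.222:80 - 172.16.223.131:49234 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
2014-04-24 01:23:01 UTC - 172.16.223.131:49166 - 173.194.46.16:80 - ET TROJAN Zeus Bot Request to CnC
"""

REQ_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - (\S+) - (\S+) - (\S+) - (.*?)( \[!\])?$")
ALERT_RE = re.compile(r"^\d{4}-\d\d-\d\d (\d\d:\d\d:\d\d) UTC - (\S+) - (\S+) - (.+)$")

SocketPair = FrozenSet[str]


def socket_pair(a: str, b: str) -> SocketPair:
    """Direction-agnostic key for one TCP connection."""
    return frozenset((a, b))


def parse_requests(text: str) -> List[dict]:
    reqs = []
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if m:
            t, src, dst, host, req, flag = m.groups()
            reqs.append({"time": t, "src": src, "dst": dst, "host": host,
                         "request": req, "returned_malware": flag is not None})
    return reqs


def parse_alerts(text: str) -> List[dict]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            t, src, dst, sig = m.groups()
            alerts.append({"time": t, "src": src, "dst": dst, "signature": sig})
    return alerts


def correlate(requests: List[dict], alerts: List[dict]) -> Tuple[List[Tuple[dict, dict]], List[dict]]:
    """Attach each alert to the request on the same connection.

    A keep-alive connection can carry several requests, so pick the latest
    request at or before the alert time; if the alert precedes every request
    on that connection (e.g. it fired on the TLS handshake), take the first.
    """
    by_pair: Dict[SocketPair, List[dict]] = {}
    for r in requests:
        by_pair.setdefault(socket_pair(r["src"], r["dst"]), []).append(r)
    for reqs in by_pair.values():
        reqs.sort(key=lambda r: r["time"])
    matched, unmatched = [], []
    for a in alerts:
        candidates = by_pair.get(socket_pair(a["src"], a["dst"]))
        if not candidates:
            unmatched.append(a)
            continue
        before = [r for r in candidates if r["time"] <= a["time"]]
        matched.append((a, before[-1] if before else candidates[0]))
    return matched, unmatched


def malware_hosts(requests: List[dict]) -> List[str]:
    """Hosts whose response was flagged [!] in the chain list."""
    return sorted({r["host"] for r in requests if r["returned_malware"]})


if __name__ == "__main__":
    reqs, alerts = parse_requests(HTTP_LINES), parse_alerts(SNORT_LINES)
    matched, unmatched = correlate(reqs, alerts)
    for a, r in matched:
        print(f"{a['time']} {a['signature']}\n    -> {r['host']} {r['request']}")
    for a in unmatched:
        print(f"{a['time']} {a['signature']}\n    -> no request on {a['src']} <-> {a['dst']}")
    print("hosts that returned malware:", ", ".join(malware_hosts(reqs)))
```

Keying on the unordered socket pair rather than on (src, dst) is what lets the "PE EXE or DLL" alert, which fires on the server-to-client response, land on the client's GET for inexsabit.exe; the SkyDrive alert at 01:18:20 shows the fallback, since it fired on the TLS Client Hello one second before the GET on that connection.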
HIGHLIGHTS FROM THE TRAFFIC
The two HTTP GET requests for JavaScript files from www.truecamping.com.au either returned malicious code:
Or had the same malicious code appended to the end of the JavaScript:
That malicious JavaScript from www.truecamping.com.au pointed to www.wizardcomputers.rs, which generated a Flash updater popup window:
The link to download the fake Flash updater pointed to malware hosted on a Microsoft OneDrive IP address:
One of the follow-up GET requests for more malware returned a 404 Not Found. It also had JavaScript that generated a Snort event for a malicious 8x8 script tag:
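Three of the Snort events above fire on the same underlying observation: the body of an HTTP response is a Windows executable regardless of what the headers claim. As an added example (my own code, not the author's and not the logic of the Emerging Threats rules themselves), here is a plain approximation of those checks, with constructed responses rather than bytes from the PCAP: one executable served with a text Content-Type and an attachment header, one served honestly as application/octet-stream, and one ordinary 404 page.

```python
"""Flag HTTP responses whose body is a Windows PE, whatever the headers say.

Added example for this write-up; it is not the author's code and is not the
logic of the Emerging Threats rules it is modelled on. It approximates three
alerts seen in the Snort list ("PE EXE or DLL Windows file download",
"EXE - Served Attached HTTP" and "Possible Windows executable sent when
remote host claims to send a Text File") with simple header/body checks.
"""
import struct
from typing import Dict, List, Tuple


def looks_like_pe(body: bytes) -> bool:
    """True if body starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    # A bogus offset past the end yields a short slice, so it fails safely.
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response into status line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_response(raw: bytes) -> List[str]:
    """Return the findings for one response (an empty list means nothing suspicious)."""
    _, headers, body = split_response(raw)
    findings: List[str] = []
    if not looks_like_pe(body):
        return findings
    findings.append("pe_download")
    if headers.get("content-type", "").lower().startswith("text/"):
        findings.append("pe_with_text_content_type")
    if "attachment" in headers.get("content-disposition", "").lower():
        findings.append("pe_served_as_attachment")
    return findings


def make_pe_stub() -> bytes:
    """Constructed 68-byte header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40. Not a real program."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed responses (not captured from the PCAP). The first imitates the
# pattern the alerts describe: a text Content-Type and an attachment header
# wrapped around an executable.
DISGUISED_EXE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Disposition: attachment; filename=\"update.exe\"\r\n"
    b"\r\n" + make_pe_stub()
)
PLAIN_EXE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + make_pe_stub()
NOT_FOUND_PAGE = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html><body>Not Found</body></html>"


if __name__ == "__main__":
    for name, raw in (("disguised", DISGUISED_EXE), ("plain", PLAIN_EXE), ("404", NOT_FOUND_PAGE)):
        print(f"{name}: {classify_response(raw) or 'clean'}")
```

The point of checking e_lfanew and the PE signature rather than just the two bytes "MZ" is to keep the false-positive rate low on arbitrary binary content; the Content-Type and Content-Disposition checks then turn a plain "executable downloaded" observation into the stronger "executable disguised as text" one that the tundra-tennes.com response triggered.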
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-04-24-fake-flash-updater.pcap.zip
- ZIP file of the malware: 2014-04-24-fake-flash-updater-and-follow-up-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.