2014-04-28 - FAKE FLASH UPDATER HOSTED ON MICROSOFT ONEDRIVE IP ADDRESSES

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-04-28-fake-flash-updater-all-pcaps.zip
• ZIP file of the malware:  2014-04-28-fake-flash-updater-malware.zip

 

MICROSOFT ONEDIRVE IP ADDRESSES HOSTING THE MALWARE:

• 134.170.104.216 - xmdrlq.dm2302.livefilestore.com
• 134.170.109.224 - xmdrlq.dm2304.livefilestore.com
• 134.170.109.96 - xmdrlq.dm1.livefilestore.com
• 134.170.104.160 - xmdrlq.dm2301.livefilestore.com

 

NOTES:

• Lately while searching for exploit traffic, I've noticed more of these fake Flash updater pop-ups, so I'm posting more information about them.
• The malware appears to change on a daily basis--maybe more frequently.
• As I've stated before, these fake Flash updates are part of a campaign noted as early as January 2014 in this article.
• If anyone has more information about this particular campaign, please let me know, and I'll include that info with my next post (I'm sure I'll find more of this stuff).

 

TODAY'S EXAMPLES

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.rabig.com.tr --> ab000302.ferozo.com --> xmdrlq.dm2302.livefilestore.com

• 00:44:08 UTC - 192.168.204.229:49266 - 89.19.30.135:80 - www.rabig.com.tr - GET /
• 00:44:09 UTC - 192.168.204.229:49269 - 200.58.112.67:80 - ab000302.ferozo.com - GET /3Q8YBpvd.php?id=3316631
• 00:44:12 UTC - 192.168.204.229:49269 - 200.58.112.67:80 - ab000302.ferozo.com - GET /3Q8YBpvd.php?html=27
• 00:44:14 UTC - 192.168.204.229:49269 - 200.58.112.67:80 - ab000302.ferozo.com - GET /checker.php
• 00:44:21 UTC - 192.168.204.229:49270 - 134.170.104.216:443 - xmdrlq.dm2302.livefilestore.com
• 00:44:21 UTC - 192.168.204.229:49271 - 134.170.104.216:443 - xmdrlq.dm2302.livefilestore.com
• 00:44:29 UTC - 192.168.204.229:49269 - 200.58.112.67:80 - ab000302.ferozo.com - GET /checker.php

HTTPS link from fake Flash updater notice:

• xmdrlq.dm2302.livefilestore.com - GET /y2m6sFuBjRyTFpp_um4knm632P5m2rSKVYNr3QJPSU1nybrLIC210kJ3OTfsMU8Z7fz7RPQRecoWAONXJr_bQJxxEgXYHC-KdY8
  BBuUWMMijic/FlashUpdater.exe

 

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.comersid.ro --> ajmfashions.ne --> xmdrlq.dm2304.livefilestore.com

• 01:19:45 UTC - 192.168.204.229:49659 - 92.114.111.13:80 - www.comersid.ro - GET /
• 01:19:47 UTC - 192.168.204.229:49667 - 50.62.216.1:80 - ajmfashions.net - GET /wp-admin/XpFcGg6B.php?id=14939481
• 01:19:49 UTC - 192.168.204.229:49667 - 50.62.216.1:80 - ajmfashions.net - GET /wp-admin/XpFcGg6B.php?html=27
• 01:20:04 UTC - 192.168.204.229:49670 - 50.62.216.1:80 - ajmfashions.net - GET /wp-admin/checker.php
• 01:20:18 UTC - 192.168.204.229:49672 - 134.170.109.224:443 - xmdrlq.dm2304.livefilestore.com
• 01:20:18 UTC - 192.168.204.229:49673 - 134.170.109.224:443 - xmdrlq.dm2304.livefilestore.com
• 01:20:19 UTC - 192.168.204.229:49671 - 50.62.216.1:80 - ajmfashions.net - GET /wp-admin/checker.php

HTTPS link from fake Flash updater notice:

• xmdrlq.dm2304.livefilestore.com - GET /y2mdZiuy9LipkTt3wso9X9969a7Tug98iEG7z_LdLfbnrNYQSk2M6YbzzwUex_RnwO0iqs9-5VYJRnAFmb0X7NDBoe9bvQDA7LTI7q
  OtQiKmfA/FlashUpdater.exe

 

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.landestrachtenverband.at --> www.gala.mx --> xmdrlq.dm1.livefilestore.com

• 01:57:33 UTC - 192.168.204.229:50177 - 83.169.32.241:80 - www.landestrachtenverband.at - GET /
• 01:57:33 UTC - 192.168.204.229:50178 - 83.169.32.241:80 - www.landestrachtenverband.at - GET /js/prototype.js
• 01:57:33 UTC - 192.168.204.229:50179 - 83.169.32.241:80 - www.landestrachtenverband.at - GET /js/scriptaculous.js?load=effects
• 01:57:33 UTC - 192.168.204.229:50180 - 83.169.32.241:80 - www.landestrachtenverband.at - GET /js/lightbox.js
• 01:57:34 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /wR6xBPtZ.php?id=11227052
• 01:57:35 UTC - 192.168.204.229:50177 - 83.169.32.241:80 - www.landestrachtenverband.at - GET /js/effects.js
• 01:57:35 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /wR6xBPtZ.php?id=11227049
• 01:57:36 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /wR6xBPtZ.php?id=11227053
• 01:57:36 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /wR6xBPtZ.php?id=11227051
• 01:57:37 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /wR6xBPtZ.php?html=27
• 01:57:38 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /checker.php
• 01:57:41 UTC - 192.168.204.229:50185 - 134.170.109.96:443 - xmdrlq.dm1.livefilestore.com
• 01:57:41 UTC - 192.168.204.229:50186 - 134.170.109.96:443 - xmdrlq.dm1.livefilestore.com
• 01:57:53 UTC - 192.168.204.229:50183 - 171.25.168.120:80 - www.gala.mx - GET /checker.php

HTTPS link from fake Flash updater notice:

• xmdrlq.dm1.livefilestore.com - GET /y2mZ5R3NCpDyBRgrCmaP9R3xACI6G9fhx8Fu4_JSlQkTvEgh2XVsJe3zA2nK6uSvmV8IjZRhCQM9EYw4XlNKpS3sC2r5SLsXEp6cUl6x
  ltf6ZQ/FlashUpdater.exe

 

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.vendre-voiture-export.be --> www.spid.it --> xmdrlq.dm2301.livefilestore.com

• 02:15:49 UTC - 192.168.204.229:50220 - 109.237.140.12:80 - www.vendre-voiture-export.be - GET /
• 02:15:52 UTC - 192.168.204.229:50237 - 109.237.140.12:80 - www.vendre-voiture-export.be - GET /vendor/[various names].js
• 02:15:53 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065716
• 02:15:53 UTC - 192.168.204.229:50253 - 109.237.140.12:80 - www.vendre-voiture-export.be - GET /vendor/[various names].js
• 02:15:54 UTC - 192.168.204.229:50259 - 109.237.140.12:80 - www.vendre-voiture-export.be - GET /js/[various names].js
• 02:15:54 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065710
• 02:15:54 UTC - 192.168.204.229:50260 - 109.237.140.12:80 - www.vendre-voiture-export.be - GET /js/[various names].js
• 02:15:55 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065709
• 02:15:55 UTC - 192.168.204.229:50279 - 109.237.140.12:80 - www.vendre-voiture-export.be - GET /js/[various names].js
• 02:15:55 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065708
• 02:15:56 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065718
• 02:15:57 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065734
• 02:15:57 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065730
• 02:15:58 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065732
• 02:15:58 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065726
• 02:15:59 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065719
• 02:16:00 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065715
• 02:16:01 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065704
• 02:16:02 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065707
• 02:16:02 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065694
• 02:16:03 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065696
• 02:16:04 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065693
• 02:16:04 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065698
• 02:16:05 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065700
• 02:16:05 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065701
• 02:16:06 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065702
• 02:16:07 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065699
• 02:16:07 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065697
• 02:16:08 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?id=15065703
• 02:16:10 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/Brfc9DkH.php?html=27
• 02:16:19 UTC - 192.168.204.229:50305 - 134.170.104.160:443 - xmdrlq.dm2301.livefilestore.com
• 02:16:19 UTC - 192.168.204.229:50306 - 134.170.104.160:443 - xmdrlq.dm2301.livefilestore.com
• 02:16:11 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/checker.php
• 02:16:26 UTC - 192.168.204.229:50255 - 195.149.221.120:80 - www.spid.it - GET /images/checker.php

HTTPS link from fake Flash updater notice:

• xmdrlq.dm2301.livefilestore.com - GET /y2mltWLVrNb53-3iLFl38VhDmx4wauHN4ChHWzSmk3-63RsXLihJQGVM4LiEa-jFyYv4j9hJc86hiTvLjFyNV0QHDUx19MC9g7S23fQ
  D6QEKHU/FlashUpdater.exe

 

PRELIMINARY MALWARE ANALYSIS

File name:  FlashUpdater.exe
File size:  159.0 KB ( 162816 bytes )
MD5 hash:  8cf348c51fa48116df89009b1886f9eb
Detection ratio:  3 / 51
First submission:  2014-04-28 00:52:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d3adf9d07df2813839698c8a777394fe5262c9c575a2a7e82d2f15c132e221e4/analysis/

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-04-28-fake-flash-updater-all-pcaps.zip
• ZIP file of the malware:  2014-04-28-fake-flash-updater-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.