2014-05-17 - FAKE FLASH UPDATER HOSTED ON 23.91.112.4 - PREUD-HOMME.BE

ASSOCIATED FILES:

• ZIP of the PCAPs:  2014-05-17-fake-Flash-updater-pcaps.zip
• ZIP of the malware:  2014-05-17-fake-Flash-updater-malware.zip

NOTES:

• I first noticed this fake Flash updater reported in January 2014 on news.softpedia.com (link).
• Since 2014-04-24, I started documenting whenenever I ran into this fake Flash updater traffic on Microsoft OneDrive.
• Today is the first time since 2014-04-24 I've noticed the malware hosted on a non-Microsoft IP address.

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:

• 2014-04-24 - fake Flash update from 217.26.210.127 (www.wizardcomputers.rs) points to malware on Microsoft OneDrive IP
• 2014-04-28 - fake Flash updater hosted on Microsoft OneDrive IP addresses
• 2014-04-29 - Today's fake Flash updater hosted on Microsoft OneDrive
• 2014-05-03 - Another fake Flash updater hosted on Microsoft OneDrive
• 2014-05-11 - Today's fake Flash updater hosted on Microsoft OneDrive
• 2014-05-14 - Today's fake Flash updater hosted on Microsoft OneDrive
• 2014-05-17 - fake Flash updater hosted on 23.91.112.4 - preud-homme.be

 

TODAY'S TRAFFIC EXAMPLES

compromised website --> fake Flash updater notice --> site hosting the malware
www.arendator-nk.ru --> modernmarblebh.net --> preud-homme.be

• 06:23:46 UTC - 89.111.176.29 - www.arendator-nk.ru - GET /
• 06:23:51 UTC - 173.230.242.18 - modernmarblebh.net - GET /bzGnhfJc.php?id=6195573
• 06:24:10 UTC - 173.230.242.18 - modernmarblebh.net - GET /bzGnhfJc.php?html=27
• 06:24:13 UTC - 173.230.242.18 - modernmarblebh.net - GET /checker.php   [repeats several times]
• 06:24:24 UTC - 23.91.112.4 - preud-homme.be - GET /FlashUpdater.exe

 

compromised website --> fake Flash updater notice --> site hosting the malware
www.zurklanenpfleger.at --> elpadrinopizza.cl --> preud-homme.be

• 06:35:37 UTC - 81.19.145.34 - www.zurklanenpfleger.at - GET /gutschein.html
• 06:35:39 UTC - 190.96.85.51 - elpadrinopizza.cl - GET /xr89k7zr.php?id=53460837
• 06:35:50 UTC - 190.96.85.51 - elpadrinopizza.cl - GET /xr89k7zr.php?html=27
• 06:35:54 UTC - 190.96.85.51 - elpadrinopizza.cl - GET /checker.php   [repeats several times]
• 06:36:02 UTC - 23.91.112.4 - preud-homme.be - GET /FlashUpdater.exe

 

TRAFFIC FROM SANDBOX ANALYSIS OF FAKE FLASH UPDATER

• 193.105.210.32 - domaintomakeit.com - POST /unecheitd/8732593/index.php
• 216.151.164.53 - arkinsoftware.in - GET /images/inexsabit.exe
• 216.151.164.53 - arkinsoftware.in - GET /images/aveksynkens.exe
• 216.151.164.53 - arkinsoftware.in - GET /images/tobnenuko.exe
• 216.151.164.53 - arkinsoftware.in - GET /images/nukotobne.exe
• 79.142.66.240 - report.k7yws7ei1793qg9i.com - GET /?93wS931=%96%98%D2[long string of characters, repeats with different strings]
• 5.149.248.153 - report.k7yws7ei1793qg9i.com - POST /

 

PRELIMINARY MALWARE ANALYSIS

FAKE FLASH UPDATER

File name:  FlashUpdater.exe
File size:  182.8 KB ( 187224 bytes )
MD5 hash:  c3b3985c1991782b6c868d56f7d282fc
Detection ratio:  10 / 49
First submission:  2014-05-16 10:59:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/14ae5f1d9b7ab6a18755cf1e1b4cce43eac57e299ac5b69b7780d636232f349b/analysis/
Malwr link:  https://malwr.com/analysis/NzNlZDVjYjU0OGQ4NDE1ZjgzYTFkN2MyZjM2NmUxYWY/

 

SNORT EVENTS

NOTES:

• These are the Snort events taken from Security Onion.
• The pre-infection traffic only triggered an event for a malicious 8x8 script tag redirect from the compromised website.
• For the post-infection events, I used tcpreplay to run the PCAP from malwr.com's sandbox analysis through Security Onion and see what events triggered.
• I've left out the ET INFO and ET POLICY events--most organizations filter those out due to the large number of events from non-malicious traffic.

 

Pre-infection events:

• ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)

Post-infection events triggered from the Sourcefire VRT signature set:

• 192.168.56.102:1035 - 193.105.210.32:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)
• 192.168.56.102:1036 - 216.151.164.53:80 - MALWARE-CNC Win.Trojan.Zeus variant outbound connection (sid:27918)
• 192.168.56.102:1070 - 5.149.255.138:53 - MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (sid:28996)

Post-infection events triggered from the Emergint Threats signature set:

• 192.168.56.102:1035 - 193.105.210.32:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
• 192.168.56.102:1036 - 216.151.164.53:80 - ET TROJAN Possible Graftor EXE Download Common Header Order (sid:2018254)
• 192.168.56.102:1045 - 79.142.66.240:80 - ET TROJAN Simda.C Checkin (sid:2016300)

 

HIGHLIGHTS FROM THE TRAFFIC

Here's a path from the compromised website to the malware download:

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAPs:  2014-05-17-fake-Flash-updater-pcaps.zip
• ZIP of the malware:  2014-05-17-fake-Flash-updater-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.