2014-04-13 - FAKE FLASH UPDATER HOSTED ON GOOGLE DRIVE
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-13-fake-Flash-updater-traffic.pcap.zip
- ZIP of the malware: 2014-06-13-fake-Flash-updater-malware.zip
NOTES:
- Tried getting Bleeding Life EK traffic based on this article: http://vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html
- Didn't have any luck using the original referers listed in that blog entry; however, one of them gave me a fake Flash updater.
BLOG ENTRIES SINCE I STARTED KEEPING TRACK:
- 2014-04-24 - fake Flash update from 217.26.210.127 (www.wizardcomputers.rs) points to malware on Microsoft OneDrive IP
- 2014-04-28 - fake Flash updater hosted on Microsoft OneDrive IP addresses
- 2014-04-29 - Today's fake Flash updater hosted on Microsoft OneDrive
- 2014-05-03 - Another fake Flash updater hosted on Microsoft OneDrive
- 2014-05-11 - Today's fake Flash updater hosted on Microsoft OneDrive
- 2014-05-14 - Today's fake Flash updater hosted on Microsoft OneDrive
- 2014-05-17 - fake Flash updater hosted on 23.91.112.4 - preud-homme.be
- 2014-05-19 - fake Flash updater hosted on dl.dropboxusercontent.com
- 2014-06-13 - fake Flash updater hosted on Google Drive
TODAY'S TRAFFIC EXAMPLE
compromised website --> fake Flash updater notice --> site hosting the malware
www.westernbeef.com --> rollen.ru --> drive.google.com
- 02:00:31 UTC - 172.16.165.136:49816 - 198.173.99.8:80 - www.westernbeef.com - GET /
- 02:00:32 UTC - 172.16.165.136:49816 - 198.173.99.8:80 - www.westernbeef.com - GET /highslide/highslide.css
- 02:00:32 UTC - 172.16.165.136:49816 - 198.173.99.8:80 - www.westernbeef.com - GET /js/stmenu.js
- 02:00:33 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/img.php
- 02:00:34 UTC - 172.16.165.136:49816 - 198.173.99.8:80 - www.westernbeef.com - GET /images/wblong3.jpg
- 02:00:36 UTC - 172.16.165.136:49816 - 198.173.99.8:80 - www.westernbeef.com - GET /images/frontgrocerystyle1.jpg
- 02:00:36 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/adb.php?html=2
- 02:00:37 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/checker.php
- 02:00:43 UTC - 172.16.165.136:49828 - 74.125.225.69:443 - HTTPS traffic to drive.google.com
- 02:00:44 UTC - 172.16.165.136:49829 - 74.125.225.76:443 - HTTPS traffic to doc-04-3c-docs.googleusercontent.com
- 02:00:52 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/checker.php
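Since no Snort events fired on this traffic (see below), a simple chain detector over proxy or flow logs can still catch the pattern. The following Python is an added example, not part of the original post: it flags a client that loads /flash/*.php pages from a third-party host and then opens a TLS connection to one of the file-hosting services seen in this and the earlier entries. The /flash/ path pattern, the host-suffix list and the 60-second window are assumptions for illustration; the sample lines are constructed from the listing above.

```python
import re
from collections import defaultdict
# Sample traffic lines, constructed from the listing in this post (not a live capture).
SAMPLE_LOG = """\
02:00:31 UTC - 172.16.165.136:49816 - 198.173.99.8:80 - www.westernbeef.com - GET /
02:00:33 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/img.php
02:00:36 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/adb.php?html=2
02:00:37 UTC - 172.16.165.136:49822 - 195.208.0.141:80 - rollen.ru - GET /flash/cs/checker.php
02:00:43 UTC - 172.16.165.136:49828 - 74.125.225.69:443 - HTTPS traffic to drive.google.com
02:00:44 UTC - 172.16.165.136:49829 - 74.125.225.76:443 - HTTPS traffic to doc-04-3c-docs.googleusercontent.com
"""
# A line is either a plaintext HTTP GET or an HTTPS connection summary.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) UTC - (?P<client>[\d.]+):\d+ - [\d.]+:\d+ - "
    r"(?:(?P<host>\S+) - GET (?P<path>\S+)|HTTPS traffic to (?P<tls>\S+))$"
)
# Assumed landing-page pattern: the fake updater scripts in this post sit under /flash/.
UPDATER_PATH_RE = re.compile(r"^/flash/.*\.php")
# Hostname suffixes of file-hosting services seen serving the payload in these posts.
FILE_HOSTS = ("drive.google.com", ".googleusercontent.com", "dl.dropboxusercontent.com")
WINDOW_SECONDS = 60  # assumed: landing page and download normally happen within a minute

def parse(log_text):
    """Yield (seconds_of_day, client_ip, hostname, path_or_None) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the listing format
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield secs, m["client"], m["host"] or m["tls"], m["path"]

def find_fake_updater_chains(log_text, window=WINDOW_SECONDS):
    """Flag a client that loads /flash/*.php and then reaches a file host within `window` s."""
    landings = defaultdict(list)  # client -> [(seconds, landing host)]
    findings = []
    for secs, client, host, path in parse(log_text):
        if path is not None and UPDATER_PATH_RE.match(path):
            landings[client].append((secs, host))
        elif path is None and host.endswith(FILE_HOSTS):
            recent = [(t, h) for t, h in landings[client] if 0 <= secs - t <= window]
            if recent:
                t0, landing_host = min(recent)  # earliest landing-page hit in the window
                findings.append({"client": client, "landing_host": landing_host,
                                 "download_host": host, "delay": secs - t0})
    return findings

if __name__ == "__main__":
    for f in find_fake_updater_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['landing_host']} -> {f['download_host']} ({f['delay']}s later)")
```

On the sample above this reports two hits for 172.16.165.136 (rollen.ru followed by drive.google.com and then by the googleusercontent.com download host); a stricter window suppresses them, so tune it against your own baseline.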
PRELIMINARY MALWARE ANALYSIS
FAKE FLASH UPDATER
File name: InstallerFlash.exe
File size: 116.8 KB (119592 bytes)
MD5 hash: c112023f2508c63911eafe089cbb621a
Detection ratio: 32 / 54
First submission: 2014-06-12 17:47:04 UTC
VirusTotal link: https://www.virustotal.com/en/file/ab6b8fb81464fa97b0755f0d131467483bff74c3a3f5aee76d7b083d4b17fb21/analysis/
Malwr link: https://malwr.com/analysis/ZWExYmNlMDJmMjU4NGI2ZmE2NjJhYTJkNjVlYzQzZmM/
NOTE: The malware did not execute properly in the sandbox, but gave a popup window with a run-time error, shown below:
This also happened on a physical Windows 7 machine, and VMs running both Windows 7 and Windows XP.
SNORT EVENTS
No Snort events were noted for this traffic.
SCREENSHOTS FROM THE TRAFFIC
From the compromised website to the fake Flash updater notification:
Link from the fake Flash updater notification to the malware on Google Drive:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-06-13-fake-Flash-updater-traffic.pcap.zip
- ZIP of the malware: 2014-06-13-fake-Flash-updater-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.