2017-05-04 - DECIMAL IP CAMPAIGN USES FAKE ADOBE FLASH PLAYER SITE TO SEND SMOKE LOADER

ASSOCIATED FILES:

• Zip archive of the email and malware:  2017-05-04-fake-Adobe-Flash-player-site-sends-Smoke-Loader-pcaps.zip   715 kB (715,092 bytes)

• 2017-04-25-Smoke-Loader-post-infection-traffic.pcap   (330,328 bytes)
• 2017-05-04-fake-Adobe-Flash-player-site.pcap   (1,066,302 bytes)

• Zip archive of the malware:  2017-05-04-flashplayer24pp_id_install.exe.zip   51 kB (50,973 bytes)

• flashplayer24pp_id_install.exe   (148,992 bytes)

NOTES:

• Saw a fake Adobe Flash site send Smoke Loader (disguised as a Flash Player installer) on 2017-05-04, but the sample was already submitted to VirusTotal on 2017-04-25.
• URLs associated with the Decimal IP campaign (Malwarebytes link) had been leading to Rig EK, but are now redirecting to a fake Flash Player installer page.
• It seems to be the same Smoke Loader this campaign using Rig EK to send last week.

Shown above:  Using the Decimal IP url from Zerophage blog post about the Decimal IP campaign.

 

TRAFFIC

Shown above:  Traffic from the fake Flash Player site filtered in Wireshark.

 

FAKE ADOBE FLASH PLAYER SITE AND DOWNLOAD URL FOR SMOKELOADER ON 2017-05-04:

• 162.220.246.254 port 80 - 162.220.246.254 - GET /
• 162.220.246.254 port 80 - 162.220.246.254 - GET /flashplayer24pp_id_install.exe?dl=1

 

POST-INFECTION TRAFFIC FROM SAME SMOKELOADER SAMPLE ON 2017-04-25:

• www.bing.com - GET /
• support.microsoft.com - POST /kb/2600211
• go.microsoft.com - POST /fwlink/?LinkId=120337
• www.microsoft.com - GET /
• www.adobe.com - POST /
• msdn.microsoft.com - GET /vstudio
• 195.154.72.149 port 80 - aoids03wkde38.us - POST /

 

FILE HASHES

FAKE FLASH PLAYER INSTALLER (SMOKE LOADER):

• SHA256 hash:  b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7
  File name:  flashplayer24pp_id_install   or   flashplayer24pp_id_install.exe
  File size:  148,992 bytes

Shown above:  Smoke Loader sample from 2017-05-04 was around as early as 2017-04-25.

 

IMAGES

Shown above:  Post-infection traffic caused by the Smoke Loader sample from a pcap dated 2017-04-25.

 

Shown above:  Some alerts on both pcaps from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the email and malware:  2017-05-04-fake-Adobe-Flash-player-site-sends-Smoke-Loader-pcaps.zip   715 kB (715,092 bytes)
• Zip archive of the malware:  2017-05-04-flashplayer24pp_id_install.exe.zip   51 kB (50,973 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.