2017-05-04 - DECIMAL IP CAMPAIGN USES FAKE ADOBE FLASH PLAYER SITE TO SEND SMOKE LOADER
ASSOCIATED FILES:
- Zip archive of the pcaps: 2017-05-04-fake-Adobe-Flash-player-site-sends-Smoke-Loader-pcaps.zip 715 kB (715,092 bytes)
- 2017-04-25-Smoke-Loader-post-infection-traffic.pcap (330,328 bytes)
- 2017-05-04-fake-Adobe-Flash-player-site.pcap (1,066,302 bytes)
- Zip archive of the malware: 2017-05-04-flashplayer24pp_id_install.exe.zip 51 kB (50,973 bytes)
- flashplayer24pp_id_install.exe (148,992 bytes)
NOTES:
- Saw a fake Adobe Flash site send Smoke Loader (disguised as a Flash Player installer) on 2017-05-04, but the sample was already submitted to VirusTotal on 2017-04-25.
- URLs associated with the Decimal IP campaign (Malwarebytes link) had been leading to Rig EK, but are now redirecting to a fake Flash Player installer page.
- It seems to be the same Smoke Loader that this campaign was using Rig EK to send last week.
Shown above: Using the Decimal IP URL from the Zerophage blog post about the Decimal IP campaign.
TRAFFIC
Shown above: Traffic from the fake Flash Player site filtered in Wireshark.
FAKE ADOBE FLASH PLAYER SITE AND DOWNLOAD URL FOR SMOKELOADER ON 2017-05-04:
- 162.220.246.254 port 80 - 162.220.246.254 - GET /
- 162.220.246.254 port 80 - 162.220.246.254 - GET /flashplayer24pp_id_install.exe?dl=1
POST-INFECTION TRAFFIC FROM SAME SMOKELOADER SAMPLE ON 2017-04-25:
- www.bing.com - GET /
- support.microsoft.com - POST /kb/2600211
- go.microsoft.com - POST /fwlink/?LinkId=120337
- www.microsoft.com - GET /
- www.adobe.com - POST /
- msdn.microsoft.com - GET /vstudio
- 195.154.72.149 port 80 - aoids03wkde38.us - POST /
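The indicators in the two lists above can be turned into a check that runs over HTTP logs. The script below is an added example written for this page; it is not code from the original post and the log lines in it are constructed, not taken from the pcaps. It assumes a Zeek-style http.log layout (tab-separated ts, orig_h, resp_h, host, method, uri), and it normalizes hosts written as a single decimal integer (the form the Decimal IP campaign takes its name from, which is an assumption here since the page does not spell it out) back to dotted-quad before matching. Treating the POSTs to legitimate Microsoft and Adobe sites as a Smoke Loader fingerprint is also this example's assumption; on the page they are simply traffic seen in the 2017-04-25 pcap.

```python
import ipaddress
from typing import Iterator, List, Optional, Set, Tuple

# Indicators from the 2017-05-04 fake Flash site and the 2017-04-25 post-infection pcap.
DOWNLOAD_HOST = "162.220.246.254"
DOWNLOAD_URI = "/flashplayer24pp_id_install.exe"
C2_HOSTS = {"aoids03wkde38.us", "195.154.72.149"}
SAMPLE_SHA256 = "b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7"

# (host, method, uri) requests to legitimate sites that appear in the post-infection pcap.
# Using them as a weak "noise" signal is an assumption of this example, not a claim of the page.
NOISE_REQUESTS = {
    ("support.microsoft.com", "POST", "/kb/2600211"),
    ("go.microsoft.com", "POST", "/fwlink/?LinkId=120337"),
    ("www.adobe.com", "POST", "/"),
}

# Constructed Zeek-style http.log lines for the example (not from the real pcaps).
# Fields: ts, id.orig_h, id.resp_h, host, method, uri. 2732390142 is 162.220.246.254 in decimal.
SAMPLE_LOG = """\
1493913600.1\t10.0.0.5\t162.220.246.254\t2732390142\tGET\t/
1493913601.2\t10.0.0.5\t162.220.246.254\t162.220.246.254\tGET\t/flashplayer24pp_id_install.exe?dl=1
1493913610.0\t10.0.0.5\t13.107.21.200\twww.bing.com\tGET\t/
1493913611.0\t10.0.0.5\t23.45.67.89\tsupport.microsoft.com\tPOST\t/kb/2600211
1493913612.0\t10.0.0.5\t23.45.67.90\twww.adobe.com\tPOST\t/
1493913615.0\t10.0.0.5\t195.154.72.149\taoids03wkde38.us\tPOST\t/
1493913620.0\t10.0.0.7\t93.184.216.34\twww.example.com\tGET\t/index.html
"""


def normalize_host(host: str) -> str:
    """Convert a decimal-notation IPv4 host such as "2732390142" to dotted quad; else return unchanged."""
    if host.isdigit():
        n = int(host)
        if n <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(n))
    return host


def parse_http_log(text: str) -> Iterator[dict]:
    """Yield one dict per non-comment line of a tab-separated http.log."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, host, method, uri = line.split("\t")
        yield {"ts": ts, "orig_h": orig_h, "resp_h": resp_h,
               "host": host, "method": method, "uri": uri}


def classify(rec: dict) -> Optional[str]:
    """Return an indicator tag for a request, or None if nothing on the page matches it."""
    host = normalize_host(rec["host"])
    path = rec["uri"].split("?", 1)[0]          # drop "?dl=1" style query strings
    if host == DOWNLOAD_HOST and path == DOWNLOAD_URI:
        return "smokeloader-download"
    if host == DOWNLOAD_HOST or rec["resp_h"] == DOWNLOAD_HOST:
        return "fake-flash-site"
    if host in C2_HOSTS or rec["resp_h"] in C2_HOSTS:
        return "smokeloader-c2"
    if (host, rec["method"], rec["uri"]) in NOISE_REQUESTS:
        return "smokeloader-noise"
    return None


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (ts, orig_h, tag) for every request that matches an indicator."""
    hits = []
    for rec in parse_http_log(text):
        tag = classify(rec)
        if tag:
            hits.append((rec["ts"], rec["orig_h"], tag))
    return hits


def infected_hosts(text: str) -> Set[str]:
    """Client IPs that fetched the installer or talked to the C2; noise alone is not enough."""
    strong = {"smokeloader-download", "smokeloader-c2"}
    return {orig_h for _, orig_h, tag in scan(text) if tag in strong}


if __name__ == "__main__":
    for ts, orig_h, tag in scan(SAMPLE_LOG):
        print(ts, orig_h, tag)
    print("infected:", sorted(infected_hosts(SAMPLE_LOG)))
```

Only the installer download and the C2 POST count as strong evidence in infected_hosts(); the decoy-looking POSTs to Microsoft and Adobe are reported but not used on their own, since a legitimate client could plausibly send some of them.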
FILE HASHES
FAKE FLASH PLAYER INSTALLER (SMOKE LOADER):
- SHA256 hash: b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7
- File name: flashplayer24pp_id_install or flashplayer24pp_id_install.exe
- File size: 148,992 bytes
Shown above: Smoke Loader sample from 2017-05-04 was around as early as 2017-04-25.
IMAGES
Shown above: Post-infection traffic caused by the Smoke Loader sample from a pcap dated 2017-04-25.
Shown above: Some alerts on both pcaps from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2017-05-04-fake-Adobe-Flash-player-site-sends-Smoke-Loader-pcaps.zip 715 kB (715,092 bytes)
- Zip archive of the malware: 2017-05-04-flashplayer24pp_id_install.exe.zip 51 kB (50,973 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.