Thousands of Compromised Websites Leading to Fake Flash Player Update Sites. Payload is Qadars Banking Trojan.

Traffic:

traffic

Infection Chain (Run on 02/10/17):

There appears to be thousands of websites that were compromised and had been redirecting users to fake Flash Player update sites. For the most part they seem to be delivering Qadars banking malware.  I was originally tipped off to a potentially compromised site a couple weeks ago by somebody who wishes to remain anonymous (thank you!). As I was checking the site I was able to confirm that the site was compromised as it redirected me to Arpanet1957.com. Users were then redirected to a fake Flash Player update site where they are social engineered to run the malicious executable.

The compromised website that I used was a sub-domain called mail.k2-enterprises.com. Once the site loaded in the browser there was an HTTP GET request for statfc4.php. The file was located within the directory /media/system/js/.

Further examination shows the following components for mail.k2-enterprises.com:

First Seen Last Seen Category Value
6/3/2016 6:56 2/10/2017 7:50 Server Apache
6/7/2016 3:32 2/9/2017 5:50 Framework PHP (v5.4.36)
6/7/2016 3:32 2/9/2017 5:50 JavaScript Library selectivizr (v1.0.2)
7/21/2016 18:28 2/9/2017 5:50 CMS Joomla! (v1.7.3)
6/7/2016 3:32 2/9/2017 5:50 Ad Network Google
6/7/2016 3:32 2/9/2017 5:50 JavaScript Library MooTools

All of the infected websites that I checked were using Joomla but there are also a lot of infected WordPress sites. If you’re an owner of one of these websites then I suggest you check your default Joomla template for /media/system/js/stat[3 characters].php. Edit the template and remove the script that is pointing to the malicious file. Then delete the malicious file from /media/system/js/. If you see any other randomly named files in the directory that you don’t recognize I would suggest that you inspect them and delete them as you see fit. Also, it seems as though these infections can spread. For example, additional sites might be infected if you’re hosting multiple sites on a single cPanel. I did check mail.k2-enterprises.com and it is using cPanel:

cpanel-server501-webhostingpad-dot-com

cPanel is a web based hosting control panel provided by many hosting providers to website owners allowing them to manage their websites from a web based interface. The actual hosting provider for mail.k2-enterprises.com is webhostingpad.com. The server that it is hosting the site is server501.webhostingpad.com.

Lastly, it is recommended that you change your credentials as they are likely compromised.

A list of 1,000 compromised websites that I found redirecting users to Arpanet1957.com can be located on my Pastebin account: http://pastebin.com/xkf93HV0. There are likely a lot more websites. These are simply the latest 1,000 websites that I could find specifically linked to Arpanet1957.com. This campaign has actually been going on since 2016. For example, @BroadAnalysis documented a couple of these cases back in 2016.

http://www.broadanalysis.com/2016/11/01/fake-flash-update-from-phishing-site-delivers-qadars-banking-malware/

http://www.broadanalysis.com/2016/09/01/fake-flash-update-delivers-tor-bot/

Additionally, there is a more detailed Excel document that shows the first time and last time the websites were seen communicating with Arpanet1957.com. You can download the Excel document here: list-of-domains-2-11-17.xlsx.

Side note: Some of these websites are being injected with the pseudo-Darkleech script which is then redirecting users to RIG-v EK. As you might be aware the pseudo-Darkleech campaign is, as of this moment, favoring Cerber ransomware. For example, the website winnershouse.org is on that list and is one of the sites being injected with the pseudo-Darkleech script. Please proceed with caution if you’re using this list for research.

Moving on with the investigation….

Here is the script found on mail.k2-enterprises.com:

script-on-compromised-site

The script generates an HTTP GET request for the relative path /media/system/js/statfc4.php. The GET request is shown below:

malicious-php-file-contains-script

You can see that within the file there is a script that generates an additional GET request to “hxxp://arpanet1957[.]com/plix/scanner.php?id=4”. Arpanet1957.com was created November 30th, 2016. The Whois record is shown below:

WHOIS Server whois.reg.com
Registrar REGISTRAR OF DOMAIN NAMES REG.RU LLC
Email
ARPANET1957.COM@regprivate.ru (registrant, admin, tech)
Name
Protection of Private Person (registrant, admin, tech)
Organization
Street
PO box 87, REG.RU Protection Service (registrant, admin, tech)
City
Moscow (registrant, admin, tech)
State
Postal
123007 (registrant, admin, tech)
Country
RU (registrant, admin, tech)
Phone
74955801111 (registrant, admin, tech)
Name Servers
ns1.arpanet1957.com
ns2.arpanet1957.com

The geo-location is from Russia (shocked face).

Here is the resolution history of Arpanet1957.com:

IP Address Location ASN First Seen Last Seen
188.120.225.143 RU 29182 1/31/2017 16:48 2/11/2017 23:22
37.58.59.149 DE 28753 1/28/2017 16:06 1/31/2017 16:40
193.169.252.130 UA 49681 12/21/2016 23:19 1/29/2017 0:05
89.163.241.236 DE 24961 12/7/2016 0:00 12/13/2016 8:46

Arpanet1957.com is currently resolving to 188.120.225.143.

The GET request for /plix/scanner.php?id=4 at Arpanet1957.com is shown below:

malicious-file-causes-additional-get-request

The script is looking for the host timezone (tz) and screen resolution (rs). It takes those and uses them in the URI for the next GET request. Below is the GET request showing the timezone and screen resolution in the URI:

get-request-uri-timezone-screen-resolution

The server responds with the location of the fake Flash Player update landing page. In this case we can see that the website is flesh-updates-max.com which is being hosted at 188.120.239.75. Whois information for 188.120.239.75 is as follows:

WHOIS Server whois.ripe.net
Registrar Administered by RIPE NCC
Email abuse@abusehost.ru (registrant)
Name TheFirst-RU clients (WebDC Msk) (registrant)
Organization THEFIRST-NET (registrant)
The First JSC Network Operations (admin)
Street The First JSC (admin, tech)
City Office 2, 34a, Raduzhny m-r (admin, tech)
State
Postal 664017 (admin, tech)
Country RU (registrant)
Irkutsk (admin)
Phone 7 495 663 73 72 (admin, tech)
Name Servers

Resolution history for 188.120.239.75 is as follows:

Domains First Seen Last Seen
ns1.freewebstatistics.net 1/31/2017 5:52 2/12/2017 12:01
ns1.arpanet1957.com 1/31/2017 5:45 2/12/2017 10:35
ns1.flesh-updates-max.com 2/3/2017 0:41 2/12/2017 7:02
adobe-flesh-player.com 1/31/2017 17:04 2/11/2017 11:11
flesh-updates-max.com 2/8/2017 0:00 2/11/2017 4:54
ns1.flesh-updating-new.com 1/31/2017 16:45 2/11/2017 3:37
188.120.239.75 9/9/2013 4:48 2/10/2017 11:24
flashplayer-adobe.com 2/1/2017 1:24 2/10/2017 7:48
www[.]flesh-updates-max.com 2/9/2017 20:00 2/9/2017 20:00
flesh-updating-new.com 2/1/2017 19:34 2/8/2017 8:47
www[.]flashplayer-adobe.com 2/7/2017 16:41 2/7/2017 16:41
www[.]adobe-flesh-player.com 2/1/2017 13:51 2/3/2017 13:32
ns2.flesh-updating-new.com 2/3/2017 1:34 2/3/2017 1:34
mss-russia.ru 10/18/2016 19:50 1/30/2017 18:57
www[.]mss-russia.ru 1/21/2017 18:47 1/24/2017 9:26
uchekhova.com 10/21/2016 20:18 10/23/2016 10:52
csgo-item.ru 3/17/2016 16:01 6/12/2016 18:13
msg01.contatofin.com.br 3/5/2016 14:43 3/5/2016 14:43
interworking.ru 4/29/2015 14:06 5/17/2015 7:14
www[.]interworking.ru 5/6/2015 21:42 5/6/2015 21:43
mail.interworking.ru 4/29/2015 14:06 5/3/2015 8:57
s7.irsol.ru 8/7/2013 16:34 3/9/2015 0:20
i.klubkrasoti.ru 12/7/2013 16:30 3/3/2015 14:39
s.klubkrasoti.ru 8/26/2014 9:35 3/3/2015 14:39
bn.irsol.ru 11/3/2014 12:46 3/2/2015 16:57
ad.irsol.ru 9/11/2014 7:37 3/2/2015 16:57
i.bambiniya.ru 9/20/2013 17:38 3/2/2015 13:03
p.bambiniya.ru 10/1/2014 10:57 3/1/2015 23:43
p.klubkrasoti.ru 9/30/2014 7:29 3/1/2015 20:51
cache.ad.irsol.ru 1/19/2015 7:01 2/28/2015 16:47
content.klubkrasoti.ru 11/26/2014 8:34 2/27/2015 17:30
s.bambiniya.ru 10/1/2014 10:57 2/26/2015 12:36
i.linzapro.ru 10/11/2013 1:08 2/25/2015 20:15
i.angrybirds.ru 10/28/2014 6:40 2/25/2015 16:23
p.idiabet.ru 12/6/2014 5:09 2/20/2015 19:36
favicon.klubkrasoti.ru 9/14/2014 7:54 2/19/2015 9:51
i.medzakupka.ru 11/11/2014 19:30 2/17/2015 7:21
s.idiabet.ru 12/3/2014 16:39 2/14/2015 19:14
p.officialauction.ru 2/10/2015 18:40 2/11/2015 15:24
i.officialauction.ru 2/10/2015 18:40 2/10/2015 18:40
c.idiabet.ru 11/13/2014 13:13 2/6/2015 21:03
s.jbl-store.ru 8/28/2014 12:51 1/25/2015 23:19
p.irsol.ru 11/26/2014 20:15 11/26/2014 20:15
css.klubkrasoti.ru 9/14/2014 7:54 9/14/2014 7:54
js.klubkrasoti.ru 9/14/2014 7:54 9/14/2014 7:54
static.irsol.ru 2/6/2014 15:41 4/6/2014 3:01
img.irsol.ru 10/30/2013 14:23 12/21/2013 19:59
realdomzadanie.ru 3/19/2013 16:23 3/20/2013 3:39
intdomzadanie.ru 3/9/2013 15:12 3/17/2013 3:41
bestdomzadanie.ru 3/1/2013 12:35 3/9/2013 0:48
b.ns.offshore-am.org 12/4/2012 23:50 12/4/2012 23:50
b.ns.gplruhost.net 6/30/2010 7:48 1/18/2012 9:16
www[.]corporateoneassetmgt.com 11/17/2011 15:44 1/18/2012 9:16
b.ns.corporateoneassetmgt.com 7/30/2011 15:46 1/18/2012 9:16
b.ns.mastersfinancialcorp.com 9/4/2010 22:46 12/15/2011 0:33
b.ns.corporatefsg.com 1/13/2011 20:58 1/15/2011 19:16
b.ns.centuryintlventures.com 7/6/2010 15:55 1/2/2011 10:55
b.ns.trcapitalmgmt.com 7/6/2010 15:55 12/30/2010 3:01
b.ns.titanfinancemgmt.com 9/3/2010 18:44 9/5/2010 18:39
b.ns.fortitudeassetconsultants.com 8/13/2010 20:17 8/14/2010 22:03
b.ns.pattersonklein.com 8/12/2010 18:24 8/12/2010 18:24

It is at this point that the users browser will load the fake Flash Player update landing page. Once the page loads the user will be presented with the option of running or downloading the fake Flash Player update.

Below is the GET request for the fake Flash Player update landing page as well as the server’s response:

fake-flash-player-update-landing-page

The server returns a page containing a location.href pointing the host to a Dropbox location that is hosting the malware. Here is an image of the landing page:

The user is given a couple warnings prior to the file being run. If you run the file then it is temporarily stored in the user’s Temporary Internet Files folder.

If you save the file then it is temporarily stored in your Downloads folder. Below are the VirusTotal and Hybrid-Analysis reports for the fake Flash Player update executable:

https://www.virustotal.com/en/file/71882dd469971847c946b0dd01e224178f6b4ee9b19c3bc8f703f57136f70a38/analysis/

https://www.hybrid-analysis.com/sample/71882dd469971847c946b0dd01e224178f6b4ee9b19c3bc8f703f57136f70a38?environmentId=100

Here is another sample that I ran (shown in the video):

https://www.virustotal.com/en/file/a3eeba38fab04762d7d44ca1490f3283aae5f6ea314c4632306f515ea889d04e/analysis/

https://www.hybrid-analysis.com/sample/a3eeba38fab04762d7d44ca1490f3283aae5f6ea314c4632306f515ea889d04e?environmentId=100

Once install_flashplayer_cl25.exe was executed there is a setup progress bar shown on the Desktop:

installing

We also see a .tmp file dropped in %Temp% followed by the creation of a wkbrflhlr.exe in Roaming:

Below are the VirusTotal and Hybrid-Analysis reports for wkbrflhlr.exe:

https://www.virustotal.com/en/file/e9901660bd2f02e9be210c217f8a12f7f0a155964b3b30cd1d2e1467ac20c0bb/analysis/

https://www.hybrid-analysis.com/sample/e9901660bd2f02e9be210c217f8a12f7f0a155964b3b30cd1d2e1467ac20c0bb?environmentId=100

We also see that this executable is used for persistence on the system:

registry-run

Submitting the malware samples to VirusTotal and Hybrid-Analysis shows post-infection traffic that has been identified as Qadars banking malware. Specifically, the Emerging Threats rule that fired was ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC). This detection is coming from the connections to bst2bgxin81a.org and websecuranalityc.com via TCP port 443. Here is the certificate information found in Wireshark:

qadars-cert

Here is the SSL cert information and the date it was blacklisted:

Subject Common Name: microsoft.com/emailAddress=private@sysprivpop.lkdd
Subject: C=US, ST=US, L=NewYork, O=Private, OU=Private, CN=microsoft.com/emailAddress=private@sysprivpop.lkdd
Issuer Common Name: microsoft.com/emailAddress=private@sysprivpop.lkdd
Issuer: C=US, ST=US, L=NewYork, O=Private, OU=Private, CN=microsoft.com/emailAddress=private@sysprivpop.lkdd
SSL Version: TLSv1
Fingerprint (SHA1): b20d20ac3b2492f11a2775d800fd726e14fc6fa6
Status: Blacklisted (Reason: Qadars C&C, Listing date: 2016-04-14 10:29:17)

https://sslbl.abuse.ch/intel/b20d20ac3b2492f11a2775d800fd726e14fc6fa6

Whois information for bst2bgxin81a.org is provided below:

WHOIS Server whois.publicinterestregistry.net
Registrar Regtime Ltd.
Email
prehodko@bk.ru (registrant, admin, tech)
Name
anatoli prehodko (registrant, admin, tech)
Organization
anatoli prehodko (registrant, admin, tech)
Street
City
State
Postal
Country
Phone
79987567365 (registrant, admin, tech)
Name Servers
ns1.bst2bgxin81a.org
ns2.bst2bgxin81a.org

The resolution history for bst2bgxin81a.org is provided below:

IP Address Location ASN First Seen Last Seen
176.36.74.25 UA 39608 2/12/2017 21:21 2/12/2017 21:21
77.122.118.74 UA 25229 2/11/2017 20:03 2/11/2017 20:03
201.22.7.252 BR 18881 2/11/2017 2:19 2/11/2017 2:19
60.53.107.9 MY 4788 2/10/2017 0:00 2/10/2017 0:00
70.91.1.238 US 7922 2/10/2017 0:00 2/10/2017 0:00
88.242.81.78 TR 9121 2/10/2017 0:00 2/10/2017 0:00
78.160.148.78 TR 9121 2/10/2017 0:00 2/10/2017 0:00
116.104.98.5 VN 24086 2/10/2017 0:00 2/10/2017 0:00
178.169.201.205 BG 43205 2/10/2017 0:00 2/10/2017 0:00
170.231.1.134 BR 263439 2/10/2017 0:00 2/10/2017 0:00
115.79.100.191 VN 7552 2/10/2017 0:00 2/10/2017 0:00
78.166.177.172 TR 9121 2/10/2017 0:00 2/10/2017 0:00
117.0.172.75 VN 7552 2/8/2017 0:00 2/10/2017 0:00
77.144.151.203 FR 15557 2/10/2017 0:00 2/10/2017 0:00
1.2.159.110 TH 23969 2/10/2017 0:00 2/10/2017 0:00
176.63.228.21 HU 6830 2/10/2017 0:00 2/10/2017 0:00
159.0.164.7 SA 25019 2/9/2017 0:00 2/9/2017 0:00
85.100.127.29 TR 9121 2/9/2017 0:00 2/9/2017 0:00
185.163.88.80 IR 41856 2/9/2017 0:00 2/9/2017 0:00
1.55.86.117 VN 18403 2/9/2017 0:00 2/9/2017 0:00
82.19.127.92 GB 5089 2/9/2017 0:00 2/9/2017 0:00
83.7.228.142 PL 5617 2/9/2017 0:00 2/9/2017 0:00
151.246.77.162 IR 31549 2/9/2017 0:00 2/9/2017 0:00
130.204.154.162 BG 13124 2/8/2017 16:55 2/8/2017 16:55
88.153.34.164 DE 6830 2/8/2017 0:00 2/8/2017 0:00
151.246.184.58 IR 31549 2/8/2017 0:00 2/8/2017 0:00
86.126.185.190 RO 8708 2/8/2017 0:00 2/8/2017 0:00
217.98.62.48 PL 5617 2/7/2017 0:00 2/8/2017 0:00
151.241.197.74 IR 31549 2/8/2017 0:00 2/8/2017 0:00
218.187.127.15 TW 7482 2/8/2017 0:00 2/8/2017 0:00
190.218.76.141 PA 18809 2/8/2017 0:00 2/8/2017 0:00
197.88.141.18 ZA 10474 2/8/2017 0:00 2/8/2017 0:00
151.237.6.68 BG 35621 2/8/2017 0:00 2/8/2017 0:00
178.148.65.96 RS 31042 2/8/2017 0:00 2/8/2017 0:00
113.189.100.214 VN 45899 2/8/2017 0:00 2/8/2017 0:00
117.204.239.182 IN 9829 2/8/2017 0:00 2/8/2017 0:00
1.55.164.152 VN 18403 2/8/2017 0:00 2/8/2017 0:00
89.150.149.0 DK 39554 2/7/2017 13:46 2/7/2017 13:46
92.62.179.50 IR 44498 2/7/2017 0:00 2/7/2017 0:00
151.242.206.79 IR 31549 2/7/2017 0:00 2/7/2017 0:00
92.242.144.2 GB 45028 2/6/2017 0:00 2/6/2017 0:00

Whois infromation for websecuranalityc.com at 62.75.197.233 is provided below:

WHOIS Server whois.webnames.ru
Registrar REGTIME LTD.
Email
evgeni.plotnikov@inbox.ru (registrant, admin, tech)
Name
Evgeni Plotnikov (registrant, admin, tech)
Organization
Evgeni Plotnikov (registrant, admin, tech)
Street
ul. Lenina, 2, kv.30 (registrant, admin, tech)
City
Kinel (registrant, admin, tech)
State
Samarskaja obl. (registrant, admin, tech)
Postal
443243 (registrant, admin, tech)
Country
RU (registrant, admin, tech)
Phone
74951234567 (registrant, admin, tech)
Name Servers
ns1.websecuranalityc.com
ns2.websecuranalityc.com

We then see Tor.exe downloaded and dropped in Roaming.

After Tor.exe is executed you begin to see the Tor traffic via TCP port 9001. Also, executing Tor.exe creates a “tor” folder in Roaming that contains the necessary files for the Tor client:

Here is the VirusTotal and Hybrid-Analysis for Tor.exe:

https://www.virustotal.com/en/file/8796955247dfcadde58243d8cfdcb416b1b40fd66950433c82a05fc87e803850/analysis/

https://www.hybrid-analysis.com/sample/8796955247dfcadde58243d8cfdcb416b1b40fd66950433c82a05fc87e803850?environmentId=100

IPs to block:

  • 188.120.225.143
  • 188.120.239.75
  • 88.220.96.78
  • 62.75.197.233

You can also use the domains, name servers, etc. from this write-up to create correlation rules to better detect this threat.

If you’re working in a SOC with multiple large customers (or something similar) you will likely find that the some hosts that you monitor will have made connections to Arpanet1957.com as this campaign seems rather large. Fortunately, I think that most firewalls are correctly identifying this traffic, categorizing it as malicious, and blocking it before the host can be redirected to the fake Flash Player update landing page.

Here is some more information on Qadars:

https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/

https://securityintelligence.com/an-analysis-of-the-qadars-trojan/

Update:

March 5th, 2017: Updating this post to include the domain freshmodel.pw as it is now being used instead of arpanet1957.com. Same stuff, just a different domain. The domain was resolving to 85.25.110.8 and 188.120.225.143. It looks like Google finally caught on to this CMS hack and is now categorizing a lot of these Joomla and WordPress sites as infected. The owners of these sites are now posting on various forums looking for solutions.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: