Tuesday, February 20, 2018

YAFF - Yet Another Fake Flash campaign


By Andre' DiMino and Mila Parkour

At this point in Internet history, the prevalence of "Fake Flash" sites is certainly nothing new.
These Fake Flash sites attempt to trick a user into installing what they believe is an update to Adobe Flash. In reality, this "update" is a malicious payload that will compromise their computer.

A typical Fake Flash infection involves a malicious or compromised web site or embedded advertisement that redirects the user to a page indicating that the user's Adobe Flash player is out of date.
In some cases there is a series of several redirects before the user reaches the final landing page.
This landing page typically is some variation of Figure 1 below.

Figure 1: Typical Fake Flash update page


The trusting user (who is super eager to watch their Flash content) then clicks the update link, at which point the malware is downloaded to the user's computer. Many varieties of malware, including ransomware and banking trojans, have been delivered this way.
Most Fake Flash campaigns are initiated via advertising networks on sites that require Flash to view their content such as streaming movie sites and online games.

So while we don't want to rehash old news and analysis of Fake Flash, we do wish to raise awareness of a very aggressive Fake Flash/malvertising campaign.
We also wish to provide some IOCs associated with this campaign.

A heavy wave of Fake Flash redirects appeared on our radar. Literally hundreds of redirects were seen from assorted domains, all with similar network traffic patterns.
Almost all of these were associated with advertising redirects from online video streaming sites.
The landing pages for these redirects were either fake Flash, Amazon gift card, or other malvertising-type sites.

Tracing back the network traffic from the Fake Flash landing pages provided information on the redirections.
For example, the following images represent a typical redirection chain that we observed.
We are using CapTipper to present the HTTP sessions for the images.
Starting from the landing page and working up the chain:



Landing page for one redirect chain observed.


Second redirect


First redirect

Again tracing backward through all the network traffic, piecing together all the redirects and HTTP referer fields, we observed what appears to be the source for these malvertising redirects.



Note that a video from a streaming video website was the Referer in a GET request to jwljj.adsb4track[.]com. In almost every instance that we looked at, jwljj.adsb4track[.]com would redirect the browser to one of several domains.  In the example above, the user was directed to srv79.admedit[.]net, which then continued the redirection as seen in the "First redirect" image above.

Other initial redirect domains seen are listed below.

We also noted that for browsing sessions that were not redirected to a fake Flash site, the browser was sent instead to a page on the domain bestabid[.]com. This page would redirect the browser to a malvertising, phishing, or other traffic-monetizing site.

For example, one redirect to the bestabid[.]com page yielded this HTML code:

Example of Flash detection and redirect from bestabid[.]com. Note the tracking beacons at mt.rtmark[.]net and my.rtmark[.]net.

Since we've seen so many of these, we thought it best to post some Snort signatures and IOCs associated with this campaign.

Snort Signatures

The following Snort signatures will help detect the redirects seen in this campaign.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BestaBid FakeFlash Redirect 1"; content:"Location"; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/\/\?pcl=[a-zA-Z0-9_-]{86}\x2E\x2E\&cid=/i"; classtype:unknown; sid:xxxxx; rev:1; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BestaBid FakeFlash Redirect 2"; content:"Location"; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/\/\?pcl=[a-zA-Z0-9_-]{43}\x2E\&cid=/xxi"; classtype:unknown; sid:xxxxx; rev:1; )
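As an added illustration (not code from the original post), the following Python applies the two rule conditions above (a 302 whose Location matches one of the pcre patterns) to constructed HTTP responses, and rebuilds a redirect chain backward from the landing page over Location and Referer fields, the way the tracing described earlier was done. Hostnames other than those named in the post, and the pcl/cid values, are placeholders.

```python
import re

# Regexes transcribed from the pcre options of the two Snort rules above.
PCL_RULES = [
    ("BestaBid FakeFlash Redirect 1", re.compile(r"/\?pcl=[a-zA-Z0-9_-]{86}\.\.&cid=", re.I)),
    ("BestaBid FakeFlash Redirect 2", re.compile(r"/\?pcl=[a-zA-Z0-9_-]{43}\.&cid=", re.I)),
]

def match_rule(status, location):
    """Apply the rule conditions (302 status + Location matching one pcre) to one
    HTTP response; returns the rule msg or None."""
    if status != 302 or not location:
        return None
    for msg, rx in PCL_RULES:
        if rx.search(location):
            return msg
    return None

def rebuild_chain(transactions, landing_url):
    """Walk backward from the landing page: prefer the response whose Location
    sent the browser here, else fall back to the request's Referer.
    Returns the chain oldest-first."""
    by_url = {t["url"]: t for t in transactions}
    by_location = {t["location"]: t for t in transactions if t.get("location")}
    chain, cur, seen = [], landing_url, set()
    while cur and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        if cur in by_location:                 # an earlier 302 redirected here
            cur = by_location[cur]["url"]
        else:                                  # otherwise use the Referer
            cur = by_url.get(cur, {}).get("referer")
    return chain[::-1]

# Constructed sample sessions (placeholder hosts; pcl value is 86 filler chars).
PCL86 = "A" * 86
REDIRECTOR = "http://redirector.example/?pcl=" + PCL86 + "..&cid=123"
SAMPLE = [
    {"url": "http://video-site.example/watch", "referer": None, "status": 200, "location": None},
    {"url": "http://jwljj.adsb4track[.]com/go", "referer": "http://video-site.example/watch",
     "status": 302, "location": "http://srv79.admedit[.]net/r"},
    {"url": "http://srv79.admedit[.]net/r", "referer": "http://video-site.example/watch",
     "status": 302, "location": REDIRECTOR},
    {"url": REDIRECTOR, "referer": "http://srv79.admedit[.]net/r",
     "status": 302, "location": "http://landing.example/flash_update"},
    {"url": "http://landing.example/flash_update", "referer": REDIRECTOR, "status": 200, "location": None},
]

def rule_hits(transactions):
    """URLs of responses that would fire one of the two signatures."""
    return [(t["url"], match_rule(t["status"], t["location"]))
            for t in transactions if match_rule(t["status"], t["location"])]
```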

Initial Redirect Domains & IP addresses

jwljj.adsb4track[.]com - 34.194.20.115 - Amazon AWS
winclicks[.]info - 54.164.252.255 - Amazon AWS

Secondary Redirects


Redirects to landing pages

The landing page redirects were seen hosted on:

195.154.49.202 - Online SAS / Poneytelecom.eu
195.154.50.203 - Online SAS / Poneytelecom.eu
195.154.36.167 - Online SAS / Poneytelecom.eu


Passive DNS
Passive DNS information courtesy of Farsight Security, Inc.

We've identified many thousands of domains associated with this campaign.
The pDNS results above give a good indication of the scope and scale of the infrastructure used for this campaign.

Click the above links for a text file containing the Passive DNS information for the listed IP addresses.

Many thanks to Andrei Kornev for his research assistance.
