
Fake Flash Update delivers Qadars Trojan

Posted in trojan



Notes:

- Today we have a redirect from a compromised site to a Fake Flash Update.

- The payload is being served via Dropbox over HTTPS.

- Further network signatures have been submitted to EmergingThreats for review and public release.



Domains and IP Addresses:

IP Address        Domain                     Role
64.187.183.164    www.voyagessuperprix.com   Compromised site
188.120.225.143   arpanet1957.com            Evil Redirect
188.120.239.75    flesh-updates-max.com      Fake Flash Site
117.3.239.21      bst2bgxin81a.org           Qadars Trojan CnC
62.75.197.233     websecuranalityc.com       Qadars Trojan CnC
-                 koktail24.com              Qadars Trojan CnC
-                 angela127.com              Qadars Trojan CnC
-                 liveskansys.com            Qadars Trojan CnC



Traffic:

[Image: Infection Chain + Qadars Traffic]

[Image: Fake Flash Update page]

[Image: Compromised site redirecting to statab1.php]

[Image: statab1.php redirecting to Evil Redirect]

[Image: Evil Redirect]

[Image: Redirect to Fake Flash page]

[Image: Link to Fake Flash hosted at Dropbox]



Network Signatures:

ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2
ET INFO Possible Phish - Mirrored Website Comment Observed
ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)
ETPRO TROJAN Qadars 2.0 CnC DNS Lookup (koktail24.com)
ETPRO TROJAN Qadars 2.0 CnC DNS Lookup (angela127.com)



File Hashes:

Detection ratio: 9 / 55

SHA256: a3eeba38fab04762d7d44ca1490f3283aae5f6ea314c4632306f515ea889d04e
File type: Win32 EXE

[Image: VirusTotal results]



HTTrack Usage:

[Image: Fake Flash website was copied from update-flash-player.com]



SSL Information:

[Image: SSL certificates from Qadars]



Associated Files:
Available on request.
