Goal: Review and document latest BlackTDS traffic distribution leading to fake Adobe Flash Player and its social engineering theme.
Background
4-2-2018: Drive-by: #BlackTDS social engineering theme
“Adobe Flash Player is out of date” 🤔
(24newsoft.theonlygoodplacecontentsafeup[.download)
-> Leads to fake Adobe Flash Player #adware
Watch out for unofficial Adobe Flash installs 🧐#Malware: https://t.co/4P7XD8PE27 pic.twitter.com/pZWkaBFsSG— Vitali Kremez (@VK_Intel) April 2, 2018
Traffic chain
I. BlackTDS domain redirect hxxp://smarttraffics[.]gq:
II. Popunder domain redirect using an inserted /register element with hidden visibility.
hxxp://popcash[.]net/world/go/162193/360683
III. Popunder redirect
hxxp://www[.]thegreatfreesystemosforcontenting[.]date/?pcl=&subid=
IV. Fake “Adobe Flash Player” adware redirect:
Domain: hxxp://24newsoft[.]theonlygoodplacecontentsafeup[.]download/?pcl=&subid=&v_id=
V. Fake “Adobe Flash Player” adware download:
Domain: hxxp://www.bestrepositorytours[.]com/
Addendum: Indicators of Compromise (IOCs):
Domain:
- Domain: hxxp://smarttraffics[.]gq
Popunder:
- Domain: hxxp://popcash[.]net/world/go/162193/360683
Popunder redirect:
- Domain: hxxp://www[.]thegreatfreesystemosforcontenting[.]date/?pcl=&subid=
Fake Adobe Flash Player Adware Redirect:
- Domain: hxxp://24newsoft[.]theonlygoodplacecontentsafeup[.]download/?pcl=&subid=&v_id=
Fake Adobe Flash Player Adware Download:
- Domain: hxxp://www.bestrepositorytours[.]com/
Fake Adobe Flash Player Adware:
- MD5: 69708785506cf581ea5f81725bdb849b
Update (April 3, 2018): Edited domain referrer to hxxp://smarttraffics[.]gq
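As an added example that is not part of the original post, the script below refangs the indicators listed above and walks a constructed proxy log to flag a client whose requests traverse the BlackTDS chain in order and end at the fake Flash download host; the log format (client, URL, referrer per line) and the client IPs are assumptions.

```python
import re

DEFANGED_CHAIN = [  # defanged indicators from the write-up, in chain order
    ("tds", "hxxp://smarttraffics[.]gq"),
    ("popunder", "hxxp://popcash[.]net/world/go/162193/360683"),
    ("popunder_redirect", "hxxp://www[.]thegreatfreesystemosforcontenting[.]date/?pcl=&subid="),
    ("fake_flash_redirect", "hxxp://24newsoft[.]theonlygoodplacecontentsafeup[.]download/?pcl=&subid=&v_id="),
    ("fake_flash_download", "hxxp://www.bestrepositorytours[.]com/"),
]
STAGE_ORDER = [stage for stage, _ in DEFANGED_CHAIN]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def host_of(url: str) -> str:
    """Extract the lowercased host from a URL (scheme, path and query dropped)."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()

STAGE_BY_HOST = {host_of(refang(url)): stage for stage, url in DEFANGED_CHAIN}

# Constructed proxy log, "<client> <url> <referrer>" per line (hypothetical sample).
SAMPLE_LOG = """\
10.0.0.5 http://smarttraffics.gq/ -
10.0.0.5 http://popcash.net/world/go/162193/360683 http://smarttraffics.gq/
10.0.0.5 http://www.thegreatfreesystemosforcontenting.date/?pcl=&subid= http://popcash.net/
10.0.0.5 http://24newsoft.theonlygoodplacecontentsafeup.download/?pcl=&subid=&v_id= http://www.thegreatfreesystemosforcontenting.date/
10.0.0.5 http://www.bestrepositorytours.com/ http://24newsoft.theonlygoodplacecontentsafeup.download/
10.0.0.9 http://www.bestrepositorytours.com/ -
"""

def stages_per_client(log_text: str) -> dict:
    """Map each client to the ordered list of chain stages its requests touched."""
    seen = {}
    for line in log_text.splitlines():
        client, url, _referrer = line.split()
        stage = STAGE_BY_HOST.get(host_of(url))
        if stage is not None:
            seen.setdefault(client, []).append(stage)
    return seen

def flag_clients(log_text: str) -> dict:
    """Flag clients that hit two or more stages in chain order and ended at the download host."""
    flagged = {}
    for client, stages in stages_per_client(log_text).items():
        order = [STAGE_ORDER.index(s) for s in stages]
        if len(stages) >= 2 and order == sorted(order) and stages[-1] == "fake_flash_download":
            flagged[client] = stages
    return flagged
```

A single hit on the download host alone (client 10.0.0.9) is not flagged, which keeps the rule tied to the redirect chain rather than to one domain.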