On the 9th of August, a tweet from @MalwareHunterTeam caught my eye; it mentioned a fake Flash update that used a PowerShell script to connect to a very particular host:
Upon investigating this domain, I found it to be part of a watering hole attack on a news website popular in the Middle East. In this blog, I’ll summarize the findings and what is currently known about this attack. As of now, the malicious hosts are down, but with the actors still in control, this attack can once again become a threat at any time. The actual investigation was a combination of research by @MalwareHunterTeam, @VK_Intel, and me (@ydklijnsma), which happened live on Twitter. The entire conversation of the investigation can be followed by reading the original tweet that started it [here] or by reading the summary below.
Finding the source
The fake Flash updater sample (VirusTotal) contacted browser.updateplugin.org over HTTPS. The domain really piqued my interest because I couldn’t believe such a name would still be open for registration to be used by an attacker, but apparently, it was. Registered on June 23rd, the domain had been active only briefly, and a quick pivot through RiskIQ PassiveTotal showed a variety of subdomains:
A very interesting aspect of this domain was that we had already seen it in RiskIQ’s crawls of the Internet. One of its subdomains links to a website called muslm.org, which is a news website popular in the Middle East:
A forum post on the muslm.org website shows a user noticed it around August 8th, posting that he was getting served a Flash update request. Another user noted it was, in fact, a malicious Flash update: هل موقع انا المسلم مصاب بفايروس ("Is the Ana al-Muslim site infected with a virus?"). After investigating our crawl data, it was apparent something was redirecting visitors to a subdomain on the same domain as the sample:
A copy of the injected content is available on Pastebin as per the request of other researchers:
- The news.js script as observed on the 8th of July: https://pastebin.com/PxbWQAHb
- The news.js script as observed on the 1st of August: https://pastebin.com/HGYKkmv1
Interestingly, the page responds differently depending on the country from which you connect to it, or the user-agent used to connect to it. For example, most of the RiskIQ web crawls in which our virtual browser was redirected to the legitimate Adobe Flash update page look like this:
In other cases, instead of the Adobe redirect, we received a page response offering a download for a payload, which looks like this:
The payload comes in two forms: a Windows version, served when you connect with a Windows user-agent, and a Linux version, served when you connect with a Linux user-agent. Both function identically, showing the same fake Flash player update lure while contacting the browser.updateplugin.org host in the background.
The file at this location is rotated quite frequently, so we’ve collected a large number of unique samples. The functionality of the samples is all the same, which is why the IOC section only lists a single hash for both platforms.
We’ll take a look at the Windows variant listed as MD5 f8e95ded1629441ac9ce0d18fa67accf. When running the malware, it mimics the Flash Player update process:
The malware is written in C#, which means we can decompile the malware with a tool like ILSpy giving us the (near) original code written by the author if no obfuscation was used, which in this case, it wasn’t.
The malware’s fake Flash update GUI is a simple form with a timer that increases the progress bar by 1% every 20 milliseconds until it reaches 100%, telling the user “Plugin Flash Updated to the latest version”. In the background, the malware spawns a new thread that runs a function called Updatef, which looks like this:
The str variable is decoded and run as a PowerShell command. Decoded, the PowerShell command looks like this:
The script will connect to browser.updateplugin.org over HTTPS with a unique (and fake) PHPSESSID header. The response of this request is run as another PowerShell command that allows the attackers to execute additional commands on the infected machine. The iex function used in the try-catch section of the script is, in fact, short for Invoke-Expression, which allows the PowerShell script to invoke other PowerShell scripts.
This small PowerShell script is a very bare-minimum implementation of a backdoor that polls the backend for new/additional commands to execute, giving the attackers full control over the victim through this fake Flash update. Under Linux, the same principle is implemented, but it uses the wget command in combination with shell commands rather than PowerShell:
Interestingly, the authors have added a check in case the command they send to the victim causes an error. This error information is then sent back to the C2 server in a barebones form of quality assurance and debugging.
Indicators of Compromise (IOCs)
The following IOCs are available for this watering hole attack active from late July to mid-August. The hosts are still up, but it seems the service behind them was pulled down.
We’ve listed only two hashes for the known files for Windows and the ELF variant because the hashes are different for almost every download, but the core functionality is the same. Because of these rotating hashes, we suggest blocking the domains and IPs while looking for traces of them in older logs, as this activity could go back to late July.
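A retro-hunt along the lines suggested above, as an added example that is not part of the original post: it scans proxy logs for updateplugin.org and any subdomain, matching on a label boundary so look-alike hosts are not flagged, and reports hit count, first and last contact per client. The log format, the client addresses and the constructed-sub label are assumptions made for illustration; the lower date bound is the June 23rd registration date, with the year taken from the RiskIQ project title.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Domain taken from the post; every subdomain is treated as suspect.
IOC_DOMAIN = "updateplugin.org"
# Registration date from the post: no contact can predate it.
EARLIEST = datetime(2017, 6, 23)

# Constructed sample lines, not real data. Assumed format:
# ISO timestamp, client IP, method, target (URL or host:port), status.
SAMPLE_LOG = """\
2017-07-28T09:14:02 10.0.4.17 CONNECT browser.updateplugin.org:443 200
2017-08-02T11:40:31 10.0.9.52 CONNECT Browser.UpdatePlugin.org.:443 200
2017-08-02T11:41:00 10.0.9.52 GET http://notupdateplugin.org/a.js 200
2017-08-03T08:00:12 10.0.4.17 GET https://constructed-sub.updateplugin.org/x 200
2017-08-03T08:01:44 10.0.7.3 GET http://updateplugin.org.example.net/x 404
truncated record
"""

def extract_host(target):
    """Return the lower-cased hostname from a URL or a CONNECT host:port."""
    if "://" not in target:
        target = "//" + target            # lets urlsplit parse bare host:port
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")               # drop the trailing DNS root dot

def is_ioc_host(host, domain=IOC_DOMAIN):
    """Match the domain itself or a true subdomain, never a look-alike."""
    return host == domain or host.endswith("." + domain)

def hunt(log_text, since=EARLIEST):
    """Map client IP -> (hit count, first contact, last contact)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed records
        try:
            ts = datetime.fromisoformat(fields[0])
        except ValueError:
            continue                      # skip unparseable timestamps
        if ts >= since and is_ioc_host(extract_host(fields[3])):
            hits[fields[1]].append(ts)
    return {ip: (len(t), min(t), max(t)) for ip, t in hits.items()}

if __name__ == "__main__":
    for ip, (n, first, last) in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{ip}  hits={n}  first={first}  last={last}")
```

Because the backdoor polls its server for commands, a client with repeated contacts over a long first-to-last window is a stronger lead than a single hit.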
Besides the IOCs listed above, I also created a public project in RiskIQ Community Edition for those who sync their data from it: [RiskIQ Community Project: WATERHOLING ACTIVITIES IN THE MIDDLE EAST (JULY-AUGUST 2017)]
In addition to monitoring and protecting the company’s network and network perimeter, security defenders must continually monitor their company's digital footprint for changes. Such vigilance requires current Internet intelligence, which RiskIQ collects via our network of crawlers, sensors, and proxy users. These virtual users emulate human users with a fully instrumented browser to store the entire chain of events that may have led to a digital threat, such as a compromised page leading to malware. With this information, security teams can reconstruct an event and what led to it—just like we did in this blog.