Traffic:
Infection Chain (Run on 02/10/17):
There appear to be thousands of websites that were compromised and have been redirecting users to fake Flash Player update sites. For the most part they seem to be delivering the Qadars banking trojan. I was originally tipped off to a potentially compromised site a couple of weeks ago by somebody who wishes to remain anonymous (thank you!). As I was checking the site I was able to confirm that it was compromised, as it redirected me to Arpanet1957.com. Users were then redirected to a fake Flash Player update site where they are socially engineered into running the malicious executable.
The compromised website that I used was a sub-domain called mail.k2-enterprises.com. Once the site loaded in the browser there was an HTTP GET request for statfc4.php. The file was located within the directory /media/system/js/.
Further examination shows the following components for mail.k2-enterprises.com:
First Seen | Last Seen | Category | Value |
6/3/2016 6:56 | 2/10/2017 7:50 | Server | Apache |
6/7/2016 3:32 | 2/9/2017 5:50 | Framework | PHP (v5.4.36) |
6/7/2016 3:32 | 2/9/2017 5:50 | JavaScript Library | selectivizr (v1.0.2) |
7/21/2016 18:28 | 2/9/2017 5:50 | CMS | Joomla! (v1.7.3) |
6/7/2016 3:32 | 2/9/2017 5:50 | Ad Network | |
6/7/2016 3:32 | 2/9/2017 5:50 | JavaScript Library | MooTools |
All of the infected websites that I checked were using Joomla, but there are also a lot of infected WordPress sites. If you own one of these websites, check your default Joomla template for a script that points to /media/system/js/stat[3 characters].php, then:
- Edit the template and remove the script that points to the malicious file.
- Delete the malicious file from /media/system/js/.
- Inspect any other randomly named files in that directory that you don't recognize and delete them as you see fit.
Also, these infections appear to spread between sites: for example, additional sites might be infected if you're hosting multiple sites under a single cPanel account. I did check mail.k2-enterprises.com and it is using cPanel:
cPanel is a web-based hosting control panel that many hosting providers give website owners so they can manage their sites from a browser. The hosting provider for mail.k2-enterprises.com is webhostingpad.com, and the server hosting the site is server501.webhostingpad.com.
Lastly, change your credentials (the Joomla administrator account, cPanel and FTP at a minimum), as they are likely compromised.
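As an added example (not code from the original post), the Python below automates the check described above against a Joomla document root: it lists any stat???.php under /media/system/js/ (and any other PHP file there, since a stock install keeps only JavaScript in that directory), finds the template lines that load it, and can strip the tag and delete the file. The mini site tree it scans is constructed inline for the demo, and the injected reference is assumed to be a plain `<script src=...>` tag, which is how the post describes it but not something the post shows verbatim.

```python
import os
import re
import tempfile

# Where the write-up says the dropper lives, and how it is named (stat + 3 characters).
DROPPER_DIR = os.path.join("media", "system", "js")
DROPPER_NAME = re.compile(r"^stat[0-9a-z]{3}\.php$", re.I)
TEMPLATE_REF = re.compile(r"media/system/js/stat[0-9a-z]{3}\.php", re.I)
# Assumed shape of the injected tag; the post does not show the tag verbatim.
INJECTED_TAG = re.compile(
    r"<script[^>]*media/system/js/stat[0-9a-z]{3}\.php[^>]*>\s*</script>", re.I)


def find_dropped_php(root):
    """Return (matching droppers, any other .php) found in media/system/js.

    A stock Joomla install keeps only JavaScript in that directory, so any PHP
    file there deserves a look even if it does not match the stat??? name.
    """
    jsdir = os.path.join(root, DROPPER_DIR)
    if not os.path.isdir(jsdir):
        return [], []
    named, other_php = [], []
    for name in sorted(os.listdir(jsdir)):
        path = os.path.join(jsdir, name)
        if not os.path.isfile(path):
            continue
        if DROPPER_NAME.match(name):
            named.append(path)
        elif name.lower().endswith(".php"):
            other_php.append(path)
    return named, other_php


def find_template_refs(root):
    """Return (path, line number, line) for each template line that loads the dropper."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "templates")):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if TEMPLATE_REF.search(line):
                        hits.append((path, lineno, line.strip()))
    return hits


def remove_injection(root, dry_run=True):
    """Delete matching droppers and strip the injected tag from templates.

    Returns (dropper files removed, tags removed). With dry_run=True nothing is
    changed and the counts say what would happen; back the site up before running for real.
    """
    named, _ = find_dropped_php(root)
    refs = find_template_refs(root)
    if dry_run:
        return len(named), len(refs)
    for path in named:
        os.remove(path)
    tags_removed = 0
    for path in sorted({p for p, _, _ in refs}):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        cleaned, count = INJECTED_TAG.subn("", text)
        if count:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(cleaned)
            tags_removed += count
    return len(named), tags_removed


def build_fixture():
    """Constructed mini Joomla tree for the demo: one injected template, one dropper, one legit JS file."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    os.makedirs(os.path.join(root, DROPPER_DIR))
    os.makedirs(os.path.join(root, "templates", "mytemplate"))
    with open(os.path.join(root, DROPPER_DIR, "statfc4.php"), "w") as fh:
        fh.write("<?php /* stand-in for the injected redirector */ ?>\n")
    with open(os.path.join(root, DROPPER_DIR, "mootools-core.js"), "w") as fh:
        fh.write("// legitimate library, left alone\n")
    with open(os.path.join(root, "templates", "mytemplate", "index.php"), "w") as fh:
        fh.write('<?php defined("_JEXEC") or die; ?>\n<head>\n'
                 '<script src="/media/system/js/statfc4.php" type="text/javascript"></script>\n'
                 '<link rel="stylesheet" href="/templates/mytemplate/css/template.css">\n'
                 '</head>\n')
    return root


if __name__ == "__main__":
    site = build_fixture()  # point this at the real document root instead
    print("droppers:", find_dropped_php(site))
    print("template refs:", find_template_refs(site))
    print("dry run:", remove_injection(site))
    print("cleaned:", remove_injection(site, dry_run=False))
```

Run it with dry_run first and compare the reported template lines against what you expect; the real cleanup only removes files matching the stat??? name, so anything listed under "other .php" still has to be reviewed by hand.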
A list of 1,000 compromised websites that I found redirecting users to Arpanet1957.com can be located on my Pastebin account: http://pastebin.com/xkf93HV0. There are likely a lot more websites. These are simply the latest 1,000 websites that I could find specifically linked to Arpanet1957.com. This campaign has actually been going on since 2016. For example, @BroadAnalysis documented a couple of these cases back in 2016.
http://www.broadanalysis.com/2016/09/01/fake-flash-update-delivers-tor-bot/
Additionally, there is a more detailed Excel document that shows the first time and last time the websites were seen communicating with Arpanet1957.com. You can download the Excel document here: list-of-domains-2-11-17.xlsx.
Side note: Some of these websites are being injected with the pseudo-Darkleech script which is then redirecting users to RIG-v EK. As you might be aware the pseudo-Darkleech campaign is, as of this moment, favoring Cerber ransomware. For example, the website winnershouse.org is on that list and is one of the sites being injected with the pseudo-Darkleech script. Please proceed with caution if you’re using this list for research.
Moving on with the investigation….
Here is the script found on mail.k2-enterprises.com:
The script generates an HTTP GET request for the relative path /media/system/js/statfc4.php. The GET request is shown below:
You can see that within the file there is a script that generates an additional GET request to “hxxp://arpanet1957[.]com/plix/scanner.php?id=4”. Arpanet1957.com was created November 30th, 2016. The Whois record is shown below:
WHOIS Server | whois.reg.com |
Registrar | REGISTRAR OF DOMAIN NAMES REG.RU LLC |
Email | ARPANET1957.COM@regprivate.ru (registrant, admin, tech) |
Name | Protection of Private Person (registrant, admin, tech) |
Organization | |
Street | PO box 87, REG.RU Protection Service (registrant, admin, tech) |
City | Moscow (registrant, admin, tech) |
State | |
Postal | 123007 (registrant, admin, tech) |
Country | RU (registrant, admin, tech) |
Phone | 74955801111 (registrant, admin, tech) |
Name Servers | ns1.arpanet1957.com, ns2.arpanet1957.com |
The geo-location is from Russia (shocked face).
Here is the resolution history of Arpanet1957.com:
IP Address | Location | ASN | First Seen | Last Seen |
188.120.225.143 | RU | 29182 | 1/31/2017 16:48 | 2/11/2017 23:22 |
37.58.59.149 | DE | 28753 | 1/28/2017 16:06 | 1/31/2017 16:40 |
193.169.252.130 | UA | 49681 | 12/21/2016 23:19 | 1/29/2017 0:05 |
89.163.241.236 | DE | 24961 | 12/7/2016 0:00 | 12/13/2016 8:46 |
Arpanet1957.com is currently resolving to 188.120.225.143.
The GET request for /plix/scanner.php?id=4 at Arpanet1957.com is shown below:
The script is looking for the host timezone (tz) and screen resolution (rs). It takes those and uses them in the URI for the next GET request. Below is the GET request showing the timezone and screen resolution in the URI:
The server responds with the location of the fake Flash Player update landing page. In this case we can see that the website is flesh-updates-max.com which is being hosted at 188.120.239.75. Whois information for 188.120.239.75 is as follows:
WHOIS Server | whois.ripe.net |
Registrar | Administered by RIPE NCC |
Email | abuse@abusehost.ru (registrant) |
Name | TheFirst-RU clients (WebDC Msk) (registrant); The First JSC Network Operations (admin) |
Organization | THEFIRST-NET (registrant) |
Street | The First JSC (admin, tech) |
City | Office 2, 34a, Raduzhny m-r (admin, tech); Irkutsk (admin) |
State | |
Postal | 664017 (admin, tech) |
Country | RU (registrant) |
Phone | 7 495 663 73 72 (admin, tech) |
Name Servers | |
Resolution history for 188.120.239.75 is as follows:
Domains | First Seen | Last Seen |
ns1.freewebstatistics.net | 1/31/2017 5:52 | 2/12/2017 12:01 |
ns1.arpanet1957.com | 1/31/2017 5:45 | 2/12/2017 10:35 |
ns1.flesh-updates-max.com | 2/3/2017 0:41 | 2/12/2017 7:02 |
adobe-flesh-player.com | 1/31/2017 17:04 | 2/11/2017 11:11 |
flesh-updates-max.com | 2/8/2017 0:00 | 2/11/2017 4:54 |
ns1.flesh-updating-new.com | 1/31/2017 16:45 | 2/11/2017 3:37 |
188.120.239.75 | 9/9/2013 4:48 | 2/10/2017 11:24 |
flashplayer-adobe.com | 2/1/2017 1:24 | 2/10/2017 7:48 |
www[.]flesh-updates-max.com | 2/9/2017 20:00 | 2/9/2017 20:00 |
flesh-updating-new.com | 2/1/2017 19:34 | 2/8/2017 8:47 |
www[.]flashplayer-adobe.com | 2/7/2017 16:41 | 2/7/2017 16:41 |
www[.]adobe-flesh-player.com | 2/1/2017 13:51 | 2/3/2017 13:32 |
ns2.flesh-updating-new.com | 2/3/2017 1:34 | 2/3/2017 1:34 |
mss-russia.ru | 10/18/2016 19:50 | 1/30/2017 18:57 |
www[.]mss-russia.ru | 1/21/2017 18:47 | 1/24/2017 9:26 |
uchekhova.com | 10/21/2016 20:18 | 10/23/2016 10:52 |
csgo-item.ru | 3/17/2016 16:01 | 6/12/2016 18:13 |
msg01.contatofin.com.br | 3/5/2016 14:43 | 3/5/2016 14:43 |
interworking.ru | 4/29/2015 14:06 | 5/17/2015 7:14 |
www[.]interworking.ru | 5/6/2015 21:42 | 5/6/2015 21:43 |
mail.interworking.ru | 4/29/2015 14:06 | 5/3/2015 8:57 |
s7.irsol.ru | 8/7/2013 16:34 | 3/9/2015 0:20 |
i.klubkrasoti.ru | 12/7/2013 16:30 | 3/3/2015 14:39 |
s.klubkrasoti.ru | 8/26/2014 9:35 | 3/3/2015 14:39 |
bn.irsol.ru | 11/3/2014 12:46 | 3/2/2015 16:57 |
ad.irsol.ru | 9/11/2014 7:37 | 3/2/2015 16:57 |
i.bambiniya.ru | 9/20/2013 17:38 | 3/2/2015 13:03 |
p.bambiniya.ru | 10/1/2014 10:57 | 3/1/2015 23:43 |
p.klubkrasoti.ru | 9/30/2014 7:29 | 3/1/2015 20:51 |
cache.ad.irsol.ru | 1/19/2015 7:01 | 2/28/2015 16:47 |
content.klubkrasoti.ru | 11/26/2014 8:34 | 2/27/2015 17:30 |
s.bambiniya.ru | 10/1/2014 10:57 | 2/26/2015 12:36 |
i.linzapro.ru | 10/11/2013 1:08 | 2/25/2015 20:15 |
i.angrybirds.ru | 10/28/2014 6:40 | 2/25/2015 16:23 |
p.idiabet.ru | 12/6/2014 5:09 | 2/20/2015 19:36 |
favicon.klubkrasoti.ru | 9/14/2014 7:54 | 2/19/2015 9:51 |
i.medzakupka.ru | 11/11/2014 19:30 | 2/17/2015 7:21 |
s.idiabet.ru | 12/3/2014 16:39 | 2/14/2015 19:14 |
p.officialauction.ru | 2/10/2015 18:40 | 2/11/2015 15:24 |
i.officialauction.ru | 2/10/2015 18:40 | 2/10/2015 18:40 |
c.idiabet.ru | 11/13/2014 13:13 | 2/6/2015 21:03 |
s.jbl-store.ru | 8/28/2014 12:51 | 1/25/2015 23:19 |
p.irsol.ru | 11/26/2014 20:15 | 11/26/2014 20:15 |
css.klubkrasoti.ru | 9/14/2014 7:54 | 9/14/2014 7:54 |
js.klubkrasoti.ru | 9/14/2014 7:54 | 9/14/2014 7:54 |
static.irsol.ru | 2/6/2014 15:41 | 4/6/2014 3:01 |
img.irsol.ru | 10/30/2013 14:23 | 12/21/2013 19:59 |
realdomzadanie.ru | 3/19/2013 16:23 | 3/20/2013 3:39 |
intdomzadanie.ru | 3/9/2013 15:12 | 3/17/2013 3:41 |
bestdomzadanie.ru | 3/1/2013 12:35 | 3/9/2013 0:48 |
b.ns.offshore-am.org | 12/4/2012 23:50 | 12/4/2012 23:50 |
b.ns.gplruhost.net | 6/30/2010 7:48 | 1/18/2012 9:16 |
www[.]corporateoneassetmgt.com | 11/17/2011 15:44 | 1/18/2012 9:16 |
b.ns.corporateoneassetmgt.com | 7/30/2011 15:46 | 1/18/2012 9:16 |
b.ns.mastersfinancialcorp.com | 9/4/2010 22:46 | 12/15/2011 0:33 |
b.ns.corporatefsg.com | 1/13/2011 20:58 | 1/15/2011 19:16 |
b.ns.centuryintlventures.com | 7/6/2010 15:55 | 1/2/2011 10:55 |
b.ns.trcapitalmgmt.com | 7/6/2010 15:55 | 12/30/2010 3:01 |
b.ns.titanfinancemgmt.com | 9/3/2010 18:44 | 9/5/2010 18:39 |
b.ns.fortitudeassetconsultants.com | 8/13/2010 20:17 | 8/14/2010 22:03 |
b.ns.pattersonklein.com | 8/12/2010 18:24 | 8/12/2010 18:24 |
It is at this point that the user's browser loads the fake Flash Player update landing page. Once the page loads, the user is presented with the option of running or downloading the fake Flash Player update.
Below is the GET request for the fake Flash Player update landing page as well as the server’s response:
The server returns a page containing a location.href pointing the host to a Dropbox location that is hosting the malware. Here is an image of the landing page:
The user is given a couple of warnings before the file is run. If you run the file, it is stored temporarily in the user's Temporary Internet Files folder.
If you save the file then it is temporarily stored in your Downloads folder. Below are the VirusTotal and Hybrid-Analysis reports for the fake Flash Player update executable:
Here is another sample that I ran (shown in the video):
Once install_flashplayer_cl25.exe is executed, a setup progress bar is shown on the Desktop:
We also see a .tmp file dropped in %Temp%, followed by the creation of wkbrflhlr.exe in the user's Roaming profile (%AppData%):
Below are the VirusTotal and Hybrid-Analysis reports for wkbrflhlr.exe:
We also see that this executable is used for persistence on the system:
Submitting the malware samples to VirusTotal and Hybrid-Analysis shows post-infection traffic that has been identified as Qadars banking malware. Specifically, the Emerging Threats rule that fired was ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC). This detection is coming from the connections to bst2bgxin81a.org and websecuranalityc.com via TCP port 443. Here is the certificate information found in Wireshark:
Here is the SSL cert information and the date it was blacklisted. Note that the subject and issuer are identical, i.e. the certificate is self-signed with a spoofed microsoft.com common name, so the SHA1 fingerprint (not the name) is the indicator to match on:
Subject Common Name: | microsoft.com/emailAddress=private@sysprivpop.lkdd |
Subject: | C=US, ST=US, L=NewYork, O=Private, OU=Private, CN=microsoft.com/emailAddress=private@sysprivpop.lkdd |
Issuer Common Name: | microsoft.com/emailAddress=private@sysprivpop.lkdd |
Issuer: | C=US, ST=US, L=NewYork, O=Private, OU=Private, CN=microsoft.com/emailAddress=private@sysprivpop.lkdd |
SSL Version: | TLSv1 |
Fingerprint (SHA1): | b20d20ac3b2492f11a2775d800fd726e14fc6fa6 |
Status: | Blacklisted (Reason: Qadars C&C, Listing date: 2016-04-14 10:29:17) |
https://sslbl.abuse.ch/intel/b20d20ac3b2492f11a2775d800fd726e14fc6fa6
Whois information for bst2bgxin81a.org is provided below:
WHOIS Server | whois.publicinterestregistry.net |
Registrar | Regtime Ltd. |
Email | prehodko@bk.ru (registrant, admin, tech) |
Name | anatoli prehodko (registrant, admin, tech) |
Organization | anatoli prehodko (registrant, admin, tech) |
Street | |
City | |
State | |
Postal | |
Country | |
Phone | 79987567365 (registrant, admin, tech) |
Name Servers | ns1.bst2bgxin81a.org, ns2.bst2bgxin81a.org |
The resolution history for bst2bgxin81a.org is provided below. The domain churns through addresses in many different countries, most of them seen for a single day, so the domain name and the certificate fingerprint above are more durable indicators than any one of these IPs:
IP Address | Location | ASN | First Seen | Last Seen |
176.36.74.25 | UA | 39608 | 2/12/2017 21:21 | 2/12/2017 21:21 |
77.122.118.74 | UA | 25229 | 2/11/2017 20:03 | 2/11/2017 20:03 |
201.22.7.252 | BR | 18881 | 2/11/2017 2:19 | 2/11/2017 2:19 |
60.53.107.9 | MY | 4788 | 2/10/2017 0:00 | 2/10/2017 0:00 |
70.91.1.238 | US | 7922 | 2/10/2017 0:00 | 2/10/2017 0:00 |
88.242.81.78 | TR | 9121 | 2/10/2017 0:00 | 2/10/2017 0:00 |
78.160.148.78 | TR | 9121 | 2/10/2017 0:00 | 2/10/2017 0:00 |
116.104.98.5 | VN | 24086 | 2/10/2017 0:00 | 2/10/2017 0:00 |
178.169.201.205 | BG | 43205 | 2/10/2017 0:00 | 2/10/2017 0:00 |
170.231.1.134 | BR | 263439 | 2/10/2017 0:00 | 2/10/2017 0:00 |
115.79.100.191 | VN | 7552 | 2/10/2017 0:00 | 2/10/2017 0:00 |
78.166.177.172 | TR | 9121 | 2/10/2017 0:00 | 2/10/2017 0:00 |
117.0.172.75 | VN | 7552 | 2/8/2017 0:00 | 2/10/2017 0:00 |
77.144.151.203 | FR | 15557 | 2/10/2017 0:00 | 2/10/2017 0:00 |
1.2.159.110 | TH | 23969 | 2/10/2017 0:00 | 2/10/2017 0:00 |
176.63.228.21 | HU | 6830 | 2/10/2017 0:00 | 2/10/2017 0:00 |
159.0.164.7 | SA | 25019 | 2/9/2017 0:00 | 2/9/2017 0:00 |
85.100.127.29 | TR | 9121 | 2/9/2017 0:00 | 2/9/2017 0:00 |
185.163.88.80 | IR | 41856 | 2/9/2017 0:00 | 2/9/2017 0:00 |
1.55.86.117 | VN | 18403 | 2/9/2017 0:00 | 2/9/2017 0:00 |
82.19.127.92 | GB | 5089 | 2/9/2017 0:00 | 2/9/2017 0:00 |
83.7.228.142 | PL | 5617 | 2/9/2017 0:00 | 2/9/2017 0:00 |
151.246.77.162 | IR | 31549 | 2/9/2017 0:00 | 2/9/2017 0:00 |
130.204.154.162 | BG | 13124 | 2/8/2017 16:55 | 2/8/2017 16:55 |
88.153.34.164 | DE | 6830 | 2/8/2017 0:00 | 2/8/2017 0:00 |
151.246.184.58 | IR | 31549 | 2/8/2017 0:00 | 2/8/2017 0:00 |
86.126.185.190 | RO | 8708 | 2/8/2017 0:00 | 2/8/2017 0:00 |
217.98.62.48 | PL | 5617 | 2/7/2017 0:00 | 2/8/2017 0:00 |
151.241.197.74 | IR | 31549 | 2/8/2017 0:00 | 2/8/2017 0:00 |
218.187.127.15 | TW | 7482 | 2/8/2017 0:00 | 2/8/2017 0:00 |
190.218.76.141 | PA | 18809 | 2/8/2017 0:00 | 2/8/2017 0:00 |
197.88.141.18 | ZA | 10474 | 2/8/2017 0:00 | 2/8/2017 0:00 |
151.237.6.68 | BG | 35621 | 2/8/2017 0:00 | 2/8/2017 0:00 |
178.148.65.96 | RS | 31042 | 2/8/2017 0:00 | 2/8/2017 0:00 |
113.189.100.214 | VN | 45899 | 2/8/2017 0:00 | 2/8/2017 0:00 |
117.204.239.182 | IN | 9829 | 2/8/2017 0:00 | 2/8/2017 0:00 |
1.55.164.152 | VN | 18403 | 2/8/2017 0:00 | 2/8/2017 0:00 |
89.150.149.0 | DK | 39554 | 2/7/2017 13:46 | 2/7/2017 13:46 |
92.62.179.50 | IR | 44498 | 2/7/2017 0:00 | 2/7/2017 0:00 |
151.242.206.79 | IR | 31549 | 2/7/2017 0:00 | 2/7/2017 0:00 |
92.242.144.2 | GB | 45028 | 2/6/2017 0:00 | 2/6/2017 0:00 |
Whois information for websecuranalityc.com at 62.75.197.233 is provided below:
WHOIS Server | whois.webnames.ru |
Registrar | REGTIME LTD. |
Email | evgeni.plotnikov@inbox.ru (registrant, admin, tech) |
Name | Evgeni Plotnikov (registrant, admin, tech) |
Organization | Evgeni Plotnikov (registrant, admin, tech) |
Street | ul. Lenina, 2, kv.30 (registrant, admin, tech) |
City | Kinel (registrant, admin, tech) |
State | Samarskaja obl. (registrant, admin, tech) |
Postal | 443243 (registrant, admin, tech) |
Country | RU (registrant, admin, tech) |
Phone | 74951234567 (registrant, admin, tech) |
Name Servers | ns1.websecuranalityc.com, ns2.websecuranalityc.com |
We then see Tor.exe downloaded and dropped in Roaming.
After Tor.exe is executed you begin to see the Tor traffic via TCP port 9001. Also, executing Tor.exe creates a “tor” folder in Roaming that contains the necessary files for the Tor client:
Here are the VirusTotal and Hybrid-Analysis reports for Tor.exe:
IPs to block:
- 188.120.225.143
- 188.120.239.75
- 88.220.96.78
- 62.75.197.233
You can also use the domains, name servers, etc. from this write-up to create correlation rules to better detect this threat.
If you're working in a SOC with multiple large customers (or something similar), you will likely find that some of the hosts you monitor have made connections to Arpanet1957.com, as this campaign seems rather large. Fortunately, I think that most firewalls are correctly identifying this traffic, categorizing it as malicious, and blocking it before the host can be redirected to the fake Flash Player update landing page.
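As an added example (not code from the original post), the Python below turns this write-up's indicators into a small correlation pass over proxy, TLS and flow records: it labels each record with the chain stage it corresponds to (the injected stat???.php request, the Arpanet1957.com redirector and its timezone/screen-resolution fingerprint call, the fake Flash landing domains, the blacklisted Qadars certificate, the IPs listed above, Tor's port 9001) and gives each client a verdict based on how far down the chain it got. The log format and the sample lines are constructed for the demo, and the tz= and rs= parameter names are an assumption based on the post's description of the scanner.php request, not something the post shows verbatim.

```python
import re
from collections import defaultdict

# Indicators taken from this write-up.
REDIRECTOR_DOMAINS = {"arpanet1957.com", "freshmodel.pw"}
LANDING_DOMAINS = {"flesh-updates-max.com", "adobe-flesh-player.com",
                   "flashplayer-adobe.com", "flesh-updating-new.com"}
C2_DOMAINS = {"bst2bgxin81a.org", "websecuranalityc.com"}
BLOCK_IPS = {"188.120.225.143", "188.120.239.75", "88.220.96.78",
             "62.75.197.233", "85.25.110.8"}
C2_CERT_SHA1 = {"b20d20ac3b2492f11a2775d800fd726e14fc6fa6"}
INJECTED_SCRIPT = re.compile(r"/media/system/js/stat[0-9a-z]{3}\.php$", re.I)
SCANNER = re.compile(r"^/plix/scanner\.php\?", re.I)
TOR_OR_PORT = 9001

# Chain order; a higher rank means the host got further down the chain.
STAGE_RANK = {"injected_script": 1, "blocklisted_ip": 2, "redirector": 2,
              "fingerprint": 3, "landing": 4, "c2_tls": 5, "c2_domain": 5,
              "tor_port": 6}


def parse(line):
    """Parse one line of the constructed log format used below."""
    f = line.split()
    rec = {"ts": f[0], "client": f[1], "kind": f[2].lower(), "dst": f[3]}
    if rec["kind"] == "http":
        rec["host"], rec["method"], rec["uri"] = f[4].lower(), f[5], f[6]
    elif rec["kind"] == "tls":
        rec["port"], rec["sha1"] = int(f[4]), f[5].lower()
    elif rec["kind"] == "tcp":
        rec["port"] = int(f[4])
    return rec


def classify(rec):
    """Return the chain stage one record corresponds to, or None."""
    kind = rec["kind"]
    if kind == "http":
        host, uri = rec["host"], rec["uri"]
        if INJECTED_SCRIPT.search(uri):
            return "injected_script"
        if host in REDIRECTOR_DOMAINS:
            # scanner.php is requested twice: once plain, then again carrying the
            # timezone and screen resolution (tz= / rs= names are an assumption).
            if SCANNER.match(uri) and "tz=" in uri and "rs=" in uri:
                return "fingerprint"
            return "redirector"
        if host in LANDING_DOMAINS:
            return "landing"
        if host in C2_DOMAINS:
            return "c2_domain"
    elif kind == "tls" and rec["sha1"] in C2_CERT_SHA1:
        return "c2_tls"
    elif kind == "tcp" and rec["port"] == TOR_OR_PORT:
        return "tor_port"
    if rec["dst"] in BLOCK_IPS:
        return "blocklisted_ip"
    return None


def correlate(lines):
    """Group stage hits by client and give each a verdict based on how far it got."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse(line)
        stage = classify(rec)
        if stage:
            hits[rec["client"]].append((rec["ts"], stage))
    report = {}
    for client, seen in hits.items():
        stages = [s for _, s in sorted(seen, key=lambda x: x[0])]
        # Port 9001 on its own is a weak signal (legitimate Tor use looks the same);
        # count it only once the host has already talked to Qadars C2.
        if not any(s.startswith("c2_") for s in stages):
            stages = [s for s in stages if s != "tor_port"]
        if not stages:
            continue
        top = max(STAGE_RANK[s] for s in stages)
        verdict = "infected" if top >= 5 else "redirected" if top >= 4 else "exposed"
        report[client] = {"stages": stages, "verdict": verdict}
    return report


# Constructed sample traffic: one full infection, one host that only touched Tor's
# port, one host with unrelated browsing.
# Format: ts client KIND dst-ip [host method uri | port sha1 | port]
SAMPLE_LOG = """\
2017-02-10T07:50:01 10.0.0.5 HTTP 203.0.113.10 mail.k2-enterprises.com GET /media/system/js/statfc4.php
2017-02-10T07:50:02 10.0.0.5 HTTP 188.120.225.143 arpanet1957.com GET /plix/scanner.php?id=4
2017-02-10T07:50:03 10.0.0.5 HTTP 188.120.225.143 arpanet1957.com GET /plix/scanner.php?id=4&tz=-5&rs=1920x1080
2017-02-10T07:50:04 10.0.0.5 HTTP 188.120.239.75 flesh-updates-max.com GET /
2017-02-10T07:51:10 10.0.0.5 TLS 62.75.197.233 443 b20d20ac3b2492f11a2775d800fd726e14fc6fa6
2017-02-10T07:52:00 10.0.0.5 TCP 198.51.100.7 9001
2017-02-10T08:00:00 10.0.0.7 TCP 198.51.100.8 9001
2017-02-10T08:05:00 10.0.0.9 HTTP 93.184.216.34 example.com GET /index.html
""".splitlines()


if __name__ == "__main__":
    for client, info in sorted(correlate(SAMPLE_LOG).items()):
        print(client, info["verdict"], " -> ".join(info["stages"]))
```

The verdict is driven by the furthest stage reached rather than by any single hit, which is what you want for triage: a host that only fetched the redirector was exposed and probably blocked, a host that reached a landing domain saw the lure, and only a host that talked to C2 (by domain or by certificate fingerprint) is treated as infected.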
Here is some more information on Qadars:
https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/
https://securityintelligence.com/an-analysis-of-the-qadars-trojan/
Update:
March 5th, 2017: Updating this post to include the domain freshmodel.pw as it is now being used instead of arpanet1957.com. Same stuff, just a different domain. The domain was resolving to 85.25.110.8 and 188.120.225.143. It looks like Google finally caught on to this CMS hack and is now categorizing a lot of these Joomla and WordPress sites as infected. The owners of these sites are now posting on various forums looking for solutions.