2018-01-02 - FAKE FLASH UPDATER IS ACTUALLY COINMINER MALWARE

ASSOCIATED FILES:

  • 2018-01-02-fake-Flash-player-installs-coinminer-malware.pcap   (713,781 bytes)
  • 2018-01-02-fake-flash-update-page.txt   (9,542 bytes)
  • 2018-01-02-fake-flashupdate.exe   (558,080 bytes)
  • 2018-01-02-scheduled-task-for-malware-persistence.txt   (3,720 bytes)

NOTES:


Shown above:  The fake Flash updater page presenting its malware for download.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  HTTPS URLs from the traffic shown in Fiddler web debugger.



Shown above:  Post-infection coinminer traffic.
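The post-infection coinminer traffic is the part of this capture that is easiest to alert on, because pool miners chatter in a very recognisable way. The following is an added example, not code from this page or from the pcap: it assumes the miner speaks one of the two common Stratum JSON-RPC dialects (the page does not name the protocol), scans a reassembled TCP payload for Stratum messages, and pulls out the wallet or worker string the client logs in with. The sample stream at the bottom is constructed for illustration; the wallet string and pool reply are not from this infection.

```python
import json

# Method names used by the two common Stratum dialects. Assumption: the miner
# on this page speaks Stratum; the page itself does not name the protocol.
STRATUM_METHODS = {
    # classic Stratum v1 (Bitcoin-derived coins)
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    # CryptoNote/XMRig-style Stratum (Monero pools)
    "login", "getjob", "submit", "job", "keepalived",
}


def stratum_messages(payload: bytes):
    """Yield Stratum-looking JSON-RPC objects found in a TCP payload.

    Stratum is newline-delimited JSON, so each line is parsed on its own;
    anything that is not a JSON object (HTTP, TLS records, binary) is skipped.
    """
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            obj = json.loads(line.decode("utf-8", "replace"))
        except ValueError:
            continue
        if not isinstance(obj, dict):
            continue
        if obj.get("method") in STRATUM_METHODS:
            yield obj
        # pool reply to a CryptoNote login: {"result": {"id": ..., "job": {...}}}
        elif isinstance(obj.get("result"), dict) and "job" in obj["result"]:
            yield obj


def miner_identity(obj: dict):
    """Return the wallet/worker string a client message logs in with, if any."""
    params = obj.get("params")
    if obj.get("method") == "login" and isinstance(params, dict):
        return params.get("login")
    if obj.get("method") == "mining.authorize" and isinstance(params, list) and params:
        return params[0]
    return None


def scan_payload(payload: bytes) -> dict:
    """Summarise one reassembled TCP stream: is it Stratum, which methods, who logs in."""
    methods, identities = [], []
    for obj in stratum_messages(payload):
        methods.append(obj.get("method") or "login.result")
        ident = miner_identity(obj)
        if ident and ident not in identities:
            identities.append(ident)
    return {"stratum": bool(methods), "methods": methods, "identities": identities}


# Constructed sample stream (client login, pool reply with a job, share submit).
# The wallet string and job fields are placeholders, not values from the pcap.
SAMPLE_STREAM = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AconstructedWalletAddress","pass":"x","agent":"example-miner/1.0"}}\n'
    b'{"id":1,"jsonrpc":"2.0","result":{"id":"abc","job":{"blob":"00","job_id":"1","target":"ffffff00"}},"error":null}\n'
    b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"abc","job_id":"1","nonce":"deadbeef","result":"00"}}\n'
)

# Constructed non-mining payload, to show that ordinary HTTP is not flagged.
HTTP_STREAM = b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


if __name__ == "__main__":
    print(scan_payload(SAMPLE_STREAM))
    print(scan_payload(HTTP_STREAM))
```

To run this over a real capture, feed it each reassembled TCP stream (for example `tshark -z follow,tcp,raw,<stream>` output, decoded from hex) rather than individual packets, since a single Stratum line can straddle segment boundaries. If the pool connection is wrapped in TLS, this payload check will see nothing and you are left with the destination port and SNI.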


ASSOCIATED DOMAINS:


MALWARE

COINMINER MALWARE DOWNLOADED FROM FAKE FLASH UPDATE PAGE:


Shown above:  Fake metadata for the coinminer malware.


IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.



Shown above:  Scheduled task to keep the coinminer malware persistent after a reboot.



Shown above:  Coinminer malware copied itself to the C:\ProgramData folder.
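The two images above describe the persistence pattern: a scheduled task whose action launches a binary that the malware dropped into C:\ProgramData. On a host you suspect, the check is to export the scheduled tasks and look for any Exec action that runs from a user-writable data folder. The following is an added example, not code from this page and not a parser of the task text file listed above: it assumes the task was exported in the Task Scheduler XML format that `schtasks /query /xml /tn <name>` produces, and that %ProgramData%, %Public% and %windir% sit in their default locations. The sample task XML, its task name and binary name are constructed for illustration and are not the ones from this infection.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace of Task Scheduler XML as produced by `schtasks /query /xml /tn <name>`.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Default locations of the variables a task <Command> commonly uses.
# Assumption: a stock install; adjust if the host relocates these folders.
_ENV_DEFAULTS = {
    "programdata": r"C:\ProgramData",
    "public": r"C:\Users\Public",
    "systemdrive": "C:",
    "windir": r"C:\Windows",
}


def expand_env(command: str) -> str:
    """Replace %VAR% references using the default map; unknown ones are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: _ENV_DEFAULTS.get(m.group(1).lower(), m.group(0)),
                  command)


def is_suspicious_path(command: str) -> bool:
    """True when an absolute path points into a user-writable data folder.

    Flags C:\\ProgramData, C:\\Users\\Public and any Temp folder under a
    user profile. Relative names (resolved through PATH) are not judged here.
    """
    parts = [p.lower() for p in PureWindowsPath(command.strip().strip('"')).parts]
    if len(parts) < 3 or not parts[0].endswith(":\\"):
        return False
    if parts[1] == "programdata":
        return True
    if parts[1] == "users" and (parts[2] == "public" or "temp" in parts[3:]):
        return True
    return False


def find_tasks_launching_from_data_dirs(task_xml) -> list:
    """Parse one exported task and return the Exec actions that run from data dirs.

    task_xml may be str or bytes; pass the raw bytes of a real export, which is
    UTF-16 with a BOM, and ElementTree will honour its encoding declaration.
    """
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=TASK_NS)
    trig_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_el is None else [c.tag.rsplit("}", 1)[-1] for c in trig_el]
    findings = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        resolved = expand_env(cmd)
        if is_suspicious_path(resolved):
            findings.append({
                "task": name,
                "command": cmd,
                "resolved": resolved,
                "arguments": exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS),
                "triggers": triggers,
            })
    return findings


# Constructed sample in the shape of a schtasks XML export; the task name,
# binary name and trigger are illustrative, not the ones from this infection.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%ProgramData%\update.exe</Command>
      <Arguments>--quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for hit in find_tasks_launching_from_data_dirs(SAMPLE_TASK_XML):
        print(hit)
```

On a live host, `schtasks /query /xml` without `/tn` prints every task in one stream; split it on the `<?xml` declarations before handing each piece to the parser. Tasks that launch through a trusted host such as `cmd.exe` or `powershell.exe` with the dropped binary only in `<Arguments>` will not be caught by the `<Command>` check alone, so run `is_suspicious_path` over the arguments too when you adapt this.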


FINAL NOTES

Once again, here are the associated files:

  • 2018-01-02-fake-Flash-player-installs-coinminer-malware.pcap   (713,781 bytes)
  • 2018-01-02-fake-flash-update-page.txt   (9,542 bytes)
  • 2018-01-02-fake-flashupdate.exe   (558,080 bytes)
  • 2018-01-02-scheduled-task-for-malware-persistence.txt   (3,720 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.