For a change this is about an exploit, rather than a malspam email.
I was reading posts on a well known tech forum, when I got a sudden divert and a .hta file attempted to download. Of course I immediately saved the file, rather than letting it run. I won’t name the tech forum at this stage, to allow the admin time to investigate and check what advert I think caused it. It was an advert for HP laserjet printers that was not using flash but did have moving images. I think the divert happened when I moused over the advert whilst scrolling down the page.
Anyway the divert was to https://eiyahpornhub.org/5101454380687/6481137a7f7240574c225b198be9c16d/34cacd8a11e39b3bbc01955b9b1eac15.html ( note the “
safe Secure ” https: link) HTTPS does not mean safe. It means secure from interception in normal circumstances.
Update: it looks like the link is dynamically created and changes on each visit from the referrer ( the dodgy advert) . I haven’t been able to get back to the site and get a 404 every time. I can get the .jse file and multiple visits to that is allowed. Lots of exploits refuse to let the same IP & referral id more than 1 attempt to visits to stop antivirus companies and researchers investigating them easily.
This downloaded FlashPlayer.hta ( VirusTotal ) ( Payload Security) which is just an instruction to the computer to use PowerShell to download silently in the background https://eiyahpornhub.org/5101454380687/1491733844471718/FlashPlayer.jse ( VirusTotal ) ( Payload Security) which isn’t showing any further downloads, so I have no idea at this stage what the end malware is intended to be.
This seems very similar to the campaign posted on https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/
In both cases nobody has actually got the final payload. All I managed to get was https://eiyahpornhub.org/67d05900efa21668e417c34f5adb32e1.mp4 ( now down) VirusTotal | MALWR which is just plain txt ( possibly encrypted) that would need the original jse file to decrypt it to something useful. (If it is encrypted txt and not just some sort of identity string )
Whole package as a P/W zip file “infected” 9 april_ fake_flash_player_malvertising just in case some other researcher can make use of it
eiyahpornhub.org was registered yesterday 8 April 2017 https://whois.icann.org/en/lookup?name=eiyahpornhub.org I very much doubt that the listed registrants details are correct. They are probably stolen details and credit card used to register this domain
It appears to be hosted on 188.8.131.52 allegedly used by a Russian entity
Network Whois record
Queried rwhois.hostwinds.com with “184.108.40.206“…%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-220.127.116.11) network:Class-Name:network network:ID:Hostwinds Block-18.104.22.168/32 network:Auth-Area:22.214.171.124/32 network:Network-Name:SergSoft Network network:IP-Network:126.96.36.199/32 network:IP-Network-Block:188.8.131.52 - 184.108.40.206 network:Customer Organization:SergSoft network:Customer Address;I:Krasniy Kazanetz 1-2-88 network:Customer City;I:Moscow network:Customer State/Province;I:RU network:Customer Postal Code;I:111395 network:Customer Country Code;I:RU network:Organization;I:Hostwinds LLC network:Tech-Contact;I:Abuse@hostwinds.com network:Admin-Contact;I:Abuse@hostwinds.com network:Abuse-Contact;I:Abuse@hostwinds.com %ok
Queried whois.arin.net with “n 220.127.116.11“…NetRange: 18.104.22.168 - 22.214.171.124 CIDR: 126.96.36.199/17 NetName: HOSTWINDS-17-1 NetHandle: NET-192-129-128-0-1 Parent: NET192 (NET-192-0-0-0-0) NetType: Direct Allocation OriginAS: AS54290 Organization: Hostwinds LLC. (HL-29) RegDate: 2013-01-30 Updated: 2013-12-19 Ref: https://whois.arin.net/rest/net/NET-192-129-128-0-1 OrgName: Hostwinds LLC. OrgId: HL-29 Address: 1002 Reunion Center, 9 East 4th Street City: Tulsa StateProv: OK PostalCode: 74103 Country: US RegDate: 2011-11-30 Updated: 2017-01-28 Comment: http://www.hostwinds.com Comment: Standard NOC hours are 6:00am to 12:00am CST Ref: https://whois.arin.net/rest/org/HL-29 ReferralServer: rwhois://rwhois.hostwinds.com:4321 OrgTechHandle: HNOC9-ARIN OrgTechName: Hostwinds Network Operations Center OrgTechPhone: +1-206-886-0665 OrgTechEmail: firstname.lastname@example.org OrgTechRef: https://whois.arin.net/rest/poc/HNOC9-ARIN OrgAbuseHandle: HAC3-ARIN OrgAbuseName: Hostwinds Abuse Center OrgAbusePhone: +1-206-886-0665 OrgAbuseEmail: email@example.com OrgAbuseRef: https://whois.arin.net/rest/poc/HAC3-ARIN OrgNOCHandle: HNOC9-ARIN OrgNOCName: Hostwinds Network Operations Center OrgNOCPhone: +1-206-886-0665 OrgNOCEmail: firstname.lastname@example.org OrgNOCRef: https://whois.arin.net/rest/poc/HNOC9-ARIN
name class type data time to live eiyahpornhub.org IN SOA
server: ns21.cloudns.net email: email@example.com serial: 2017040912 refresh: 7200 retry: 1800 expire: 1209600 minimum ttl: 3600 3600s (01:00:00) eiyahpornhub.org IN A 188.8.131.52 60s (00:01:00) eiyahpornhub.org IN MX
preference: 10 exchange: mail.eiyahpornhub.org 60s (00:01:00) eiyahpornhub.org IN NS ns23.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS pns22.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS pns24.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS ns22.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS pns21.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS pns23.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS ns24.cloudns.net 3600s (01:00:00) eiyahpornhub.org IN NS ns21.cloudns.net 3600s (01:00:00) 184.108.40.206.in-addr.arpa IN PTR client-192-129-162-108.hostwindsdns.com 14400s (04:00:00) 162.129.192.in-addr.arpa IN SOA
server: 162.129.192.in-addr.arpa email: firstname.lastname@example.org serial: 2017032407 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 3600 600s (00:10:00)
Tracing route to eiyahpornhub.org [220.127.116.11]…
hop rtt rtt rtt ip address fully qualified domain name
1 177 0 30 18.104.22.168 49.10.65d0.ip4.static.sl-reverse.com
2 0 0 0 22.214.171.124 ae11.dar01.sr01.dal01.networklayer.com
3 0 0 0 126.96.36.199 ae14.bbr02.eq01.dal03.networklayer.com
4 0 0 0 188.8.131.52 ae57.edge6.dallas3.level3.net
5 * * *
6 * * *
7 0 2 5 184.108.40.206 client-23-238-104-129.hostwindsdns.com
8 1 0 0 220.127.116.11 client-192-129-162-108.hostwindsdns.com