Fake Flashplayer Update Via Exploit Using Adverts On Legit Site

caution malware

For a change this is about an exploit, rather than a malspam email.

I was reading posts on a well known tech forum, when I got a sudden divert and a .hta file attempted to download. Of course I immediately saved the file, rather than letting it run. I won’t name the tech forum at this stage, to allow the admin time to investigate and check what advert I think caused it. It was an advert for HP laserjet printers that was not using flash but did have moving images. I think the divert happened when I moused over the advert whilst scrolling down the page.

Anyway the divert was to https://eiyahpornhub.org/5101454380687/6481137a7f7240574c225b198be9c16d/34cacd8a11e39b3bbc01955b9b1eac15.html ( note the “safe Secure ” https: link) HTTPS does not mean safe. It means secure from interception in normal circumstances.

Update: it looks like the link is dynamically created and changes on each visit from the referrer ( the dodgy advert) . I haven’t been able to get back to the site and get a 404 every time. I can get the .jse file and multiple visits to that is allowed. Lots of exploits refuse to let the same IP & referral id more than 1 attempt to visits to stop antivirus companies and researchers investigating them easily.

This downloaded FlashPlayer.hta ( VirusTotal ) ( Payload Security) which is just an instruction to the computer to use PowerShell to download silently in the background https://eiyahpornhub.org/5101454380687/1491733844471718/FlashPlayer.jse ( VirusTotal ) ( Payload Security) which isn’t showing any further downloads, so I have no idea at this stage what the end malware is intended to be.

This seems very similar to the campaign posted on https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/

In both cases nobody has actually got the final payload. All I managed to get was https://eiyahpornhub.org/67d05900efa21668e417c34f5adb32e1.mp4 ( now down) VirusTotal | MALWR which is just plain txt ( possibly encrypted) that would need the original jse file to decrypt it to something useful. (If it is encrypted txt and not just some sort of identity string )

Whole package as a P/W zip file “infected” 9 april_ fake_flash_player_malvertising just in case some other researcher can make use of it

eiyahpornhub.org was registered yesterday 8 April 2021 https://whois.icann.org/en/lookup?name=eiyahpornhub.org I very much doubt that the listed registrants details are correct. They are probably stolen details and credit card used to register this domain

It appears to be hosted on allegedly used by a Russian entity

Network Whois Record


Queried rwhois.hostwinds.com with ““…

%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-
network:ID:Hostwinds Block-
network:Network-Name:SergSoft Network
network:IP-Network-Block: -
network:Customer Organization:SergSoft
network:Customer Address;I:Krasniy Kazanetz 1-2-88
network:Customer City;I:Moscow
network:Customer State/Province;I:RU
network:Customer Postal Code;I:111395
network:Customer Country Code;I:RU
network:Organization;I:Hostwinds LLC


Queried whois.arin.net with “n“…

NetRange: -
NetName:        HOSTWINDS-17-1
NetHandle:      NET-192-129-128-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS54290
Organization:   Hostwinds LLC. (HL-29)
RegDate:        2013-01-30
Updated:        2013-12-19
Ref:            https://whois.arin.net/rest/net/NET-192-129-128-0-1

OrgName:        Hostwinds LLC.
OrgId:          HL-29
Address:        1002 Reunion Center, 9 East 4th Street
City:           Tulsa
StateProv:      OK
PostalCode:     74103
Country:        US
RegDate:        2011-11-30
Updated:        2017-01-28
Comment:        http://www.hostwinds.com
Comment:        Standard NOC hours are 6:00am to 12:00am CST
Ref:            https://whois.arin.net/rest/org/HL-29

ReferralServer:  rwhois://rwhois.hostwinds.com:4321

OrgTechHandle: HNOC9-ARIN
OrgTechName:   Hostwinds Network Operations Center
OrgTechPhone:  +1-206-886-0665 
OrgTechEmail:  support@hostwinds.com
OrgTechRef:    https://whois.arin.net/rest/poc/HNOC9-ARIN

OrgAbuseHandle: HAC3-ARIN
OrgAbuseName:   Hostwinds Abuse Center
OrgAbusePhone:  +1-206-886-0665 
OrgAbuseEmail:  abuse@hostwinds.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/HAC3-ARIN

OrgNOCName:   Hostwinds Network Operations Center
OrgNOCPhone:  +1-206-886-0665 
OrgNOCEmail:  support@hostwinds.com
OrgNOCRef:    https://whois.arin.net/rest/poc/HNOC9-ARIN

DNS Records

name class type data time to live
eiyahpornhub.org IN SOA
server: ns21.cloudns.net
email: support@cloudns.net
serial: 2017040912
refresh: 7200
retry: 1800
expire: 1209600
minimum ttl: 3600
3600s (01:00:00)
eiyahpornhub.org IN A 60s (00:01:00)
eiyahpornhub.org IN MX
preference: 10
exchange: mail.eiyahpornhub.org
60s (00:01:00)
eiyahpornhub.org IN NS ns23.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns22.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns24.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS ns22.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns21.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns23.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS ns24.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS ns21.cloudns.net 3600s (01:00:00) IN PTR client-192-129-162-108.hostwindsdns.com 14400s (04:00:00)
162.129.192.in-addr.arpa IN SOA
server: 162.129.192.in-addr.arpa
email: hostmaster@162.129.192.in-addr.arpa
serial: 2017032407
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 3600
600s (00:10:00)


Tracing route to eiyahpornhub.org []

hop rtt rtt rtt ip address fully qualified domain name
1 177 0 30 49.10.65d0.ip4.static.sl-reverse.com
2 0 0 0 ae11.dar01.sr01.dal01.networklayer.com
3 0 0 0 ae14.bbr02.eq01.dal03.networklayer.com
4 0 0 0 ae57.edge6.dallas3.level3.net
5 * * *
6 * * *
7 0 2 5 client-23-238-104-129.hostwindsdns.com
8 1 0 0 client-192-129-162-108.hostwindsdns.com

Leave a Reply

Your email address will not be published.

Related Posts