2022-12-29-IOCs-for-malware-from-fake-Adobe-Reader-page.txt
2022-12-29 (THURSDAY): GOOGLE AD LEADS TO FAKE ADOBE READER PAGE PUSHING MALWARE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1608567622856998912
GOOGLE AD URL:
- URL: hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjy4sagmJ_8AhVJFdQBHY3OAxEYABADGgJvYQ&ae=2&ohost=www.google[.]com&cid=CAASJuRokbSmQNuTK23Kw7UbgirwiJVLfiVKasNW9fqwpyfMANvnxVw2&sig=AOD64_2C1NIk9OeXrYlcz91FT042ICksIQ&q&adurl&ved=2ahUKEwi_xrqgmJ_8AhXOlmoFHaFDApUQ0Qx6BAgHEAE&nis=8&dct=1
- Response: HTTP/1.1 302 Found
- Location: hxxps://bdppay[.]com?gclid=EAIaIQobChMI8uLGoJif_AIVSRXUAR2NzgMREAAYASAAEgLOo_D_BwE
TRAFFIC REDIRECTION URL:
- 91.217.9[.]70 port 443
- URL: hxxps://bdppay[.]com/?gclid=EAIaIQobChMI8uLGoJif_AIVSRXUAR2NzgMREAAYASAAEgLOo_D_BwE
- Response: HTTP/1.1 302 Found
- Location: hxxps://adobereaders[.]co
FAKE ADOBE READER SITE:
- 198.54.114[.]160 port 443 - hxxps://adobereaders[.]co/
MALWARE DOWNLOAD URL FROM FAKE ADOBE READER SITE:
- 198.54.114[.]160 port 443 - hxxps://bravebrowsers[.]cc/setup_4.21.exe
DOWNLOADED MALWARE:
- SHA256 hash: 37082f0b757d6c249b870c29872a9bf8e38e344150735d9b6d2a64364b18b226
- File size: 288,256 bytes
- File name: setup_4.21.exe
- File description: Windows executable file for infostealer and possible backdoor malware
POST-INFECTION TRAFFIC:
- DNS query for system-checki[.]com - response: No such name
- port 443 - keyauth[.]win - HTTPS traffic, legitimate site
- 78.47.195[.]75 port 4449 - TLS v1.0 traffic
- 78.47.195[.]75 port 4448 - TCP traffic with host data and screenshot of victim's desktop
CERTIFICATE ISSUER DATA FROM SERVER AT 78.47.195[.]75:
- id-at-commonName=PEGASUS SERVER
- id-at-organizationalUnitName=PEGASUS
- id-at-organizationName=PEGASUS By SKYNET
- id-at-localityName=SH
- id-at-countryName=CN
CERTIFICATE SUBJECT DATA FROM SERVER AT 78.47.195[.]75:
- id-at-commonName=PEGASUS
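Ingesting a list in this layout into a blocklist or SIEM watchlist means refanging each value and sorting it by indicator type. The parser below is an added example, not part of the original IOC file; the embedded excerpt is constructed from the values above in the same layout, and the regexes are assumptions about that layout rather than a published format.

```python
import re

# Constructed excerpt in the same layout as the IOC list above (values taken from the list).
SAMPLE_IOCS = """\
MALWARE DOWNLOAD URL FROM FAKE ADOBE READER SITE:
- 198.54.114[.]160 port 443 - hxxps://bravebrowsers[.]cc/setup_4.21.exe
DOWNLOADED MALWARE:
- SHA256 hash: 37082f0b757d6c249b870c29872a9bf8e38e344150735d9b6d2a64364b18b226
- File name: setup_4.21.exe
POST-INFECTION TRAFFIC:
- DNS query for system-checki[.]com - response: No such name
- port 443 - keyauth[.]win - HTTPS traffic, legitimate site
- 78.47.195[.]75 port 4449 - TLS v1.0 traffic
"""

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}) port (\d{1,5})\b")
URL_RE = re.compile(r"\bhxxps?://\S+")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(text):
    """Undo the hxxp:// and [.] defanging so values can be matched against logs."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def parse_iocs(text):
    """Extract de-duplicated indicators by type from a defanged IOC list."""
    iocs = {"ip_port": set(), "url": set(), "domain": set(), "sha256": set()}
    for raw in text.splitlines():
        if not raw.startswith("- "):
            continue                      # section headers carry no indicator
        for url in URL_RE.findall(raw):   # URLs first; their host is a domain IOC too
            url = refang(url)
            iocs["url"].add(url)
            host = url.split("://", 1)[1].split("/", 1)[0].split("?", 1)[0]
            iocs["domain"].add(host.lower())
        rest = refang(URL_RE.sub(" ", raw))  # URL paths must not be re-read as domains
        for ip, port in IP_PORT_RE.findall(rest):
            iocs["ip_port"].add((ip, int(port)))
        for h in SHA256_RE.findall(rest):
            iocs["sha256"].add(h.lower())
        for dom in DOMAIN_RE.findall(rest):
            if any(c.isalpha() for c in dom.split(".")[0]):  # drop "4.21.exe"-style hits
                iocs["domain"].add(dom.lower())
    return iocs
```

The parser extracts every domain it sees, including keyauth[.]win, which the list itself marks as a legitimate site; review the output against the annotations before turning it into a block rule.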