Malware Traffic Internals: BlackTDS Social Engineering Drive-By Leads to Fake "Adobe Flash Player"

MalBot · April 2, 2018, 6:00am

Goal: Review and document latest BlackTDS traffic distribution leading to fake Adobe Flash Player and its social engineering theme.

Background

4-2-2018: Drive-by: #BlackTDS social engineering theme
“Adobe Flash Player is out of date”
(24newsoft.theonlygoodplacecontentsafeup[.download)
-> Leads to fake Adobe Flash Player #adware
Watch out for unofficial Adobe Flash installs #Malware: https://t.co/4P7XD8PE27 pic.twitter.com/pZWkaBFsSG
— Vitali Kremez (@VK_Intel) April 2, 2018

Traffic chain

I. BlackTDS domain redirect hxxp://celsiumoftesla[.]cf:

II. Popunder domain redirect using hidden /register with hidden visibility.
hxxp://popcash[.]net/world/go/162193/360683

III. Popunder redirect

hxxp://www[.]thegreatfreesystemosforcontenting[.]date/?pcl=<VAL>&subid=<VAL>
IV. Fake “Adobe Flash Player” adware redirect:

Domain: hxxp://24newsoft[.]theonlygoodplacecontentsafeup[.]download/?pcl=&subid=&v_id=

V. Fake “Adobe Flash Player” adware download:
Domain: hxxp://www.bestrepositorytours[.]com/<REDACTED>

Addendum: Indicators of Compromise (IOCs):

Domain:

Domain: hxxp://celsiumoftesla[.]cf/

Popunder:

Domain: hxxp://popcash[.]net/world/go/162193/360683

Popunder redirect:

Domain: hxxp://www[.]thegreatfreesystemosforcontenting[.]date/?pcl=<VAL>&subid=<VAL>

Fake Adobe Flash Player Adware Redirect:

Domain: hxxp://24newsoft[.]theonlygoodplacecontentsafeup[.]download/?pcl=&subid=&v_id=

Fake Adobe Flash Player Adware Download:

Domain: hxxp://www.bestrepositorytours[.]com/<REDACTED>

Fake Adobe Flash Player Adware:

MD5: 69708785506cf581ea5f81725bdb849b

Article Link: http://www.vkremez.com/2018/04/malware-traffic-internals-blacktds.html