Neutrino Delivers Fake Flash Malware Hosted on SkyDrive

Neutrino Delivers Fake Flash Malware Hosted on SkyDrive

As cloud computing becomes more popular, malware authors are also taking interest in using this technology to store their own files—except, of course, their files are usually bad.

SkyDrive (recently renamed to OneDrive) is Microsoft’s cloud storage solution, and competes directly with other big-name storage products like Google Drive and Dropbox, all of which provide a convenient solution to accessing your files from virtually any location with internet access.

Recently, I found a downloader collected from our honeypot that appears as a fake Flash Player installer. These type of programs usually deliver malware and are very successful at making people believe they’re installing or updating the real Flash Player.

This particular downloader file currently is detected by 9/50 vendors on Virustotal. Malwarebytes Anti-Malware detects it as Trojan.Agent.AI.

The downloader binary was a payload from the Neutrino Exploit Kit and delivered via a Java exploit. The following URLs are involved:

http://telahzae.kranted.com:8000/hyngtxtu?fyqkxhhmvx=6621548 http://telahzae.kranted.com:8000/kkynrjtkyr.js http://telahzae.kranted.com:8000/bxdlynvfooebbb http://telahzae.kranted.com:8000/txsbjk http://telahzae.kranted.com:8000/dyjumuf?iiqiqdlduj=nmnpvqjhi http://telahzae.kranted.com:8000/zmezvehuhuwppm?inwpzqvsyla=nmnpvqjhi

The first request is for a script, one that is nearly identical to that seen in a blog earlier this month by fellow researcher Jerome Segura. The delivery method is the same as described in that blog, so it won’t be discussed again here.

decrypted_Landing

When the file runs, it beacons out to the SkyDrive URL and presents a dialog that states it’s installing Flash Player, and then says “Installation Finished!” if everything goes well.

flash_install_finished

Here is the beacon the downloader makes to SkyDrive:

skydrive_GET

The first request sets up a secure connection over SSL and then redirects to the download location as seen in the capture below.

skydrive_dl

The file retrieved is called “flashplayer2.exe”. This file is executed and the downloader is deleted.

flashplayer2name

I visited the download server multiple times and managed to get different samples, each with their own icon (including a creepy skull). Meaning the samples stored on the SkyDrive folder are constantly being updated.

flashplayer_samples

All of these samples are AutoIt standalone executables with UPX compression. AutoIt is a scripting language, with scripts capable of being converted to EXEs much like perl or python.

autoit_flash

To be fair to Microsoft, this isn’t the only instance where cloud storage was used for bad things.

Last November, we reported on a malicious script that was hosted on Google Drive, and similar things have happened with Dropbox. Regardless, it appears more security measures need to be into place to prevent various malicious files and programs from being uploaded to cloud storage services.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. @joshcannell

ABOUT THE AUTHOR

Joshua Cannell

Malware Intelligence Analyst

Gathers threat intelligence and reverse engineers malware like a boss.