Flash Pack Exploit Leads to New Family of Malware

We have been continuously monitoring the FlashPack exploit, especially with the recent attack which affected Japanese users. We recently looked at our Smart Protection Network feedback and found in a new development that majority of the infected systems of FlashPack exploit came from the U.S.


Figure 1. Top infected countries for the FlashPack exploit (based on feedback from September 24-October 22)

URL Usage and Malware Payload

We checked the details of the URLs used by the FlashPack exploit and found that the exploit uses three combinations. We broke down the combinations in the table below.


Figure 2.  Format of the URLs used by the FlashPack exploit

Based on our analysis, one significant detail is that majority of the sites are employing bulletproof hosting, though some of the said sites have been taken down already. Furthermore, the domain registrations of the discovered sites are new and have been registered only between September and October 2014.

Given these facts, having a very strong web filter that enforces an existing IT policy of only allowing access to known sites would be ideal as it effectively filters out unknown sites.  At the onset of infection, the URLs used in this attack may not be rated immediately as these are newly created websites and as such may not have been classified or visited yet by a web filter vendor.

In one of the URLs that was used as a distribution point, the initial file upon its discovery (sha1: 909dc6764355625cb9a98ae45f986439cf3142a6) had little behavioral characteristics as it just launches calc.exe and is generally benign.


Figure 3. Behavioral characteristics of the initial benign file (sha1: 909dc6764355625cb9a98ae45f986439cf3142a6), seen through sandbox execution in Deep Discovery Analyzer

The files downloaded from the distribution sites are named this way:   e54 + [0-9,a-f]{10} + [0-9]{10}  + .exe.  Here are other examples:

(and so on …)

Note that the file name seems to be generated by the affected sites. However, after monitoring these sites for a few days, we see that the payload changes and we were lucky enough to observe several files that distributed through web sites. One such sample (sha1: 987d17220ee8936d2dfb58b35a6adc17f7141d50) is detected by Trend Micro as TROJ_DOFOIL.WYTU. This malware has characteristics like sandbox checking for its evasion tactic, and process injection:


Figure 4. Behavioral characteristics of TROJ_DOFOIL.WYTU, seen through sandbox execution in Deep Discovery Analyzer

Aside from the behaviors mentioned above, we also did code analysis for TROJ_DOFOIL.WYTU and found the following details:

1. This malware does not perform the intended routines if the following are seen:


Figure 5. Screenshot of listed software

These refer to actual software:

  • v  sbiedll – Sandboxie, a sandbox security software for Windows
  • v  dbghelp – Debug Help Library, commonly used to for debugging when working with portable executable (PE) file format
  • v  qemu – a generic and open source machine emulator and virtualizer
  • v  virtual – commonly used to refer to VirtualBox
  • v  VMware – like VMware Workstation and other similar software from VMware
  • v  Xen – from the Xen Project, an opensource hypervisor

2. It creates a mutex, which is a hashed computer name +  volume SN

3. It drops/creates the following files:

  • %Appdata%\{random1}{random2}.exe
  • StartMenu\Programs\Startup\{random1}.lnk

Where {random1} and {random2} are generated from hashed computer name

4. Once active, it connects to the following URLs:

  • hxxp://kilopinkad[.]com/bimforum
  • hxxp://bulbushkinho[.]org/bimforum

It also sends the following via HTTP request:

&cmd={getload or grab or getproxy}
&login={computer name hashed}{volume SN}
&sel={malware version} –> ffbot
&ver={malware version} –> 5.1


Figure 6. HTTP request parameters of TROJ_DOFOIL.WYTU

After a few days, the site changed back to the original benign file (SHA1: 909dc6764355625cb9a98ae45f986439cf3142a6). Note that all file hashes with their detections are mentioned at the bottom of this article.

As seen above, the exploit kit has the capability to load other malicious software that can be a launch pad of secondary attacks. The initial file that was used (which launched only calc.exe) can be viewed as a preliminary attempt during the first few days of this exploit kit’s discovery.


The risk of an exploit kit is that it is designed to serve as a ‘door’ opener of any malicious file: cybercriminals can change the malware payload to any that they wanted.

We have already seen further evolution of this particular threat. Through the use of  the Trend Micro Smart Protection Network, we are able to examine files, some of which have new reference data that currently refers to an active malware. One example of is TSPY_ZEMOT.


Figure 7. TSPY_ZMOT malware file

ZEMOT is a malware family of Trojan downloaders frequently used by other malware, often to stage additional malware payload (secondary infections). It is known to be distributed via exploit kits. Based on our data (starting from October 13), the North American region is the most affected region by TSPY_ZEMOT.


Figure 8. TSPY_ZMOT distribution according to region

Trend Micro is closely monitoring this threat for any new developments. Our Smart Protection Network protects users from all threats associated with the FlashPack exploit kit.

The following are the related hashes for this attack:

  • 987d17220ee8936d2dfb58b35a6adc17f7141d50 (TROJ_DOFOIL.WYTU)
  • 6b944b5a06e1dee2bd64d2a35d5c14b304a5eb35 (TROJ_DOFOIL.WYTU)
  • 41ff7407630e575d2b7544f79e8da3378d367470 (TROJ_DOFOIL.WYTU)
  • 2df93253f1aa7ab6e99660629ff58efeae9acbc3 (TROJ_DOFOIL.WYTU)
  • 12de009d00b5e543c9d0b6542f1b03516b076478  (TSPY_ZEMOT.SMN0)
  • 2e65dea705983a8ae2e9b4eecd42816bf4ef7a3a (TSPY_ZEMOT.SMN0)
  • 8792dc1f6351e103eac4662ad927b00b663ff08f (TROJ_FORUCON.BMC)

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Flash Pack Exploit Leads to New Family of Malware

Read more: Flash Pack Exploit Leads to New Family of Malware

Story added 29. October 2014, content source with full text you can find at link above.