Fake Flash Update Targeting Sports Fans

Last week we issued a warning to viewers of alternative live streaming websites for the 2019 FIFA Women's World Cup games. The URL that we published has since disappeared. We also learned that on Tuesday, June 25th, French police arrested 5 French nationals in Rennes for running approximately 20 illegal sports streaming websites linked to a platform called beinsport-streaming.com. Over the past 6 months this platform has reportedly received approximately 500,000 visitors per month. The investigation was prompted by a complaint filed last year by beIN Sports, Canal Plus, and Altice France.

We do not know whether the website we reported on in our June 26th article was related to those arrests. Nonetheless, the site is now down. We have, however, conducted additional investigation into one of this group's attack vectors, as described below.

Fake Flash Updater / Installer Infection Vector

It appears that one of this threat group's malware infection vectors is a fake Flash updater/installer targeting macOS devices. We have analyzed the malware and found that it has been active since December 14, 2018. Two new malware payloads were added in May and June 2019, as shown in the graph below.

In the figure above we have given the Hybrid-Analysis hashes, with timestamps, adjacent to the cluster of malware samples used in this attack.

Sports fans want the richest online experience and, in the heat of the moment, are likely to respond to a social-engineering pop-up claiming that a Flash update is needed. Those who do become infected with the malware.
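As an added example (not code from the original post), the following Python script runs simple detection logic over constructed web-proxy log lines: it flags requests to the hosts and installer-chain paths listed in this advisory's observables, and any "Flash" download that is not served from an Adobe domain. The log format, the client IPs and the individual requests are assumptions built for the example.

```python
from urllib.parse import urlparse

# Hosts and URL path fragments taken from the advisory's cyber observables.
SUSPECT_HOSTS = {
    "cdn.macresourcescdn.com",
    "service.macinstallerinfo.com",
    "events.ponystudent.win",
    "oiiml.imageloyal.pw",
    "livestrem.cf",
}
SUSPECT_PATH_TOKENS = ("installerresources", "getinstallerspecs", "mmstub.tar.gz")

# Legitimate distribution domains for Flash Player at the time of the advisory.
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")


def is_adobe_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)


def classify(url: str) -> list[str]:
    """Return the reasons a request looks like the fake Flash installer chain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in SUSPECT_HOSTS:
        reasons.append(f"known host {host}")
    if any(tok in parsed.path for tok in SUSPECT_PATH_TOKENS):
        reasons.append("installer-chain path")
    # A "Flash" download fetched from anywhere but Adobe is itself a red flag.
    if "flash" in url.lower() and not is_adobe_host(host):
        reasons.append("flash download from non-Adobe host")
    return reasons


def scan(lines):
    """Each line is '<timestamp> <client-ip> <url>' (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _ts, src, url = parts
        reasons = classify(url)
        if reasons:
            hits.append((src, url, reasons))
    return hits


# Constructed sample proxy log: three hits from one client, one benign Adobe
# download, and a non-Adobe "flash" download from a host in the advisory.
SAMPLE_LOG = """\
2019-07-02T14:03:11Z 10.0.0.21 http://cdn.macresourcescdn.com/download/mac/installerresources/logo.png
2019-07-02T14:03:12Z 10.0.0.21 http://service.macinstallerinfo.com/mac/getinstallerspecs/
2019-07-02T14:03:20Z 10.0.0.21 http://oiiml.imageloyal.pw/sdl/mmstub.tar.gz?ts=1562082516
2019-07-02T14:05:02Z 10.0.0.33 https://get.adobe.com/flashplayer/
2019-07-02T14:06:45Z 10.0.0.33 http://livestrem.cf/flash_update.dmg
"""

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(src, url, "; ".join(reasons))
```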

Our analysis of this threat actor group's modus operandi is ongoing. Nevertheless, we felt it was important to alert you, the reader, to this threat to sports fans. The Cyber Observables associated with this attack vector are given below.

Watch the game and stay safe!

Cyber Observables

