Halloween RAT: NanoCore Served Via PageFair Service

Over the weekend, PageFair, a counter-ad-block solutions provider, was compromised via a spearphishing attack. The attackers performed a password reset, which gave them access to PageFair's account on a Content Distribution Network (CDN) service. The attackers then replaced PageFair's JavaScript with a malicious one:

Malicious Javascript: ads.min.js

This is what was shown to visitors of websites that used this PageFair service:

Fake Flash Player Warning

To give you a feel of how popular PageFair is, at least in terms of our user base, we pulled out hit statistics and found that it is ranked at 293 for the past 14 days. That’s higher than flickr.com (295), spotify.com (399), steampowered.com (406) and paypal.com (413). So this domain is quite a celebrity, which explained the spike that we saw during the breach.

Telemetry

During that time, we saw the malicious adobe_flashplayer_7.exe (6ad0393f506bc6e0a84f1325b3d75cca019c21bc) downloaded from these locations:

  • 75.126.160.35
  • 192.155.192.104
  • 184.173.28.170
  • 184.173.28.174
  • 184.173.28.175
  • 184.173.28.176
  • 168.1.88.118

The malware served from these links is a RAT called NanoCore. NanoCore supports plugins, such as those related to networking, security products and surveillance.

NanoCore Plugins

The C&C of the particular malware sample related to the PageFair compromise was alotpro2.dynu.com (45.35.34.148).
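The download hosts, the dropper hash and the C&C listed above are the indicators a defender would sweep proxy logs for. The following is an added example (not code from the original post or from F-Secure) that turns those indicators into a small matcher: the indicator values are the ones quoted in the post, while the proxy log format and the sample log lines are constructed for the example. It also flags the dropper filename coming from a host that is not on the list, since the same payload could be re-hosted.

```python
"""IoC matcher for the PageFair/NanoCore incident described in the post (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators as given in the post. The log format and the sample lines further
# down are constructed for this example and are not from the original article.
DROPPER_SHA1 = "6ad0393f506bc6e0a84f1325b3d75cca019c21bc"
DROPPER_NAME = "adobe_flashplayer_7.exe"
DOWNLOAD_HOSTS = frozenset({
    "75.126.160.35", "192.155.192.104", "184.173.28.170", "184.173.28.174",
    "184.173.28.175", "184.173.28.176", "168.1.88.118",
})
C2_HOSTS = frozenset({"alotpro2.dynu.com", "45.35.34.148"})

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2015-11-01T03:12:40Z 10.0.0.12 GET http://cdn.example.net/ads.min.js 200
2015-11-01T03:12:44Z 10.0.0.12 GET http://75.126.160.35/adobe_flashplayer_7.exe 200
2015-11-01T03:13:02Z 10.0.0.12 POST http://alotpro2.dynu.com:8080/ 200
2015-11-01T03:15:10Z 10.0.0.40 GET http://www.example.org/index.html 200
2015-11-01T03:16:55Z 10.0.0.77 GET http://203.0.113.9/adobe_flashplayer_7.exe 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return the list of indicator tags the URL matches (empty if clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()  # hostname strips any :port
    tags = []
    if host in DOWNLOAD_HOSTS:
        tags.append("dropper-host")
    if host in C2_HOSTS:
        tags.append("nanocore-c2")
    # The same filename served from an unlisted host is still worth a look.
    if parsed.path.rsplit("/", 1)[-1].lower() == DROPPER_NAME:
        tags.append("dropper-filename")
    return tags


def scan_proxy_log(text):
    """Return (client_ip, url, tags) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, client, _method, url, _status = m.groups()
        tags = classify_url(url)
        if tags:
            hits.append((client, url, tags))
    return hits


def affected_clients(text):
    """Distinct client IPs that touched any indicator, for triage."""
    return sorted({client for client, _url, _tags in scan_proxy_log(text)})


def sha1_hex(data):
    """SHA-1 of a byte string, for comparing a quarantined file to the IoC hash."""
    return hashlib.sha1(data).hexdigest()


def is_known_dropper(data):
    """True if the bytes hash to the dropper SHA-1 quoted in the post."""
    return sha1_hex(data) == DROPPER_SHA1


if __name__ == "__main__":
    for client, url, tags in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {url} -> {', '.join(tags)}")
    print("clients to triage:", affected_clients(SAMPLE_PROXY_LOG))
```

On the constructed log this reports three hits: the dropper fetched from a listed host, the POST to the C&C, and a fetch of the same filename from an unlisted host, which deserves a look even though it returned 404. The hash check is there so a file recovered from an affected machine can be matched against the sample in the post without relying on its name.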

Network Events

Users that had our product enabled were protected against this threat at the time of the compromise through the detection Trojan:W32/Golroted.6ad0393f50!Online.

For more information about the PageFair breach and its status, you may read more about it from this link.
