Skip to main content

524.dat & chrome_patch.hta [UPDATED]

    A few minutes ago I clicked a link to an article and I noticed something fishy. The new site attempted to automatically redirect my browser to this:

    This piece of garbage phishing page didn't even wait for me to be suckered by their super-convincing download link, and used a setTimeout() call to try to force my browser to download something called `9901224839027/1469890408944162/chrome_patch.hta`. 
    Here is chrome_patch.hta as it is seen in the wild:

    And here is chrome_patch.hta after we apply deobfuscation 101:

    As you can see, chrome_patch.hta downloads a .dat fie `17/524.dat` and creates an executable `g2924808f66985de3a9ad1e3d743e0d.exe` before providing victims with a reassuring "Update completed" window.
    I've been seeing similar versions of this same method to force users to swallow the 524.dat payload, like this:
    I've found some complaints as far back as a month ago. I'm going to try to get my hands on these and look a bit closer as time permits and post the results here. I can't promise it will be all that interesting though as this script was pretty artless & obvious. If anyone's already seen the payload please share! Thanks.

UPDATE: It looks like someone uploaded the payload to malwr last week. Their PE scanner is about as good as it gets for automated scanning. Just looking through malwr's list of registry keys it looks like the payload adds ~5 domains to Windows' URL Security Zones or as I prefer to call it the Circle of Trust:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option gets modified also, which is weird. This is the registry key that determines whether the next reboot will put Windows into Safe Mode or not. This could be an attempt to disable antivirus software and is a loud flashing sign that this payload is going to be a loud, obnoxious dick.

I also found a third version of chrome_patch.hta that is significantly different than the one I have and the other version I posted above; I think whoever is responsible for this is making some changes on the fly, or a few different people are tweaking it. The tweaks don't include changing the filenames (although some components have been removed in my version), and I've only seen it use two different domains to download from. Small potatoes.

ANOTHER UPDATE: I think I scared our hacker friend a bit. The domain name registration for the website used to host the phishing script & payload file has disappeared. Those files appear to have been removed from the server also, or at least taken offline or moved somewhere I cant find them. This is a pretty fast reaction from our hacker friend (< 24 hours from my post / reporting the issue to involved parties). It supports the idea I had earlier that hacker friend is actively developing this little project. If you're listening, hacker friend: why did you take your toys and go home?


Popular posts from this blog

Fixing Event ID 10154 - The WinRM service failed to create the following SPN

The Problem The configuration of the system when this error was encountered is as follows: A. Windows Server 2008 R2 Redundant Domain Controllers - we will call these and B. Windows Server 2003 Web Server with Windows Remote Management enabled / part of the Active directory deployment - we will call this C. For the sake of our example, let's say I have configured an OU named "Web Servers" on those domain controllers Whenever the Windows 2003 Web server reboots, or WinRM.exe service on the Windows 2003 Web server restarts, the following error was logged into the Event Viewer: Event ID: 10154 Source: Microsoft-Windows-WinRM Version: 6.1 Symbolic Name: LOG_WSMAN_SPN_CREATION Message: The WinRM service failed to create the following SPN: %1. Additional Data The error received was 8344: Insufficient access rights to perform the operation. User Action The SPN can be created by an administrator using sets

Email server using amavisd-new fails with (!)DENIED ACCESS from IP, policy bank ''

I have used ClamAV and Spamassassin for many years. I've had a less experience with Amavis (now amavisd-new), but I've decided to give it a try with a new mail server deployment I've been working on. As a reference for my install, I relied on the documentation provided by Amavis for integration with Postfix  as well as a somewhat-outdated but still-relevant walkthrough published by CentOS . Prior to integration with amavisd, Postfix worked fine. Similarly, I had no issues with Spamassassin on its own. But once I finished my install of amavisd-new, things quickly went wrong. Attempting to send messages to accounts hosted on my email server resulted in the following chaing of errors in my maillog: Jan 13 18:17:34 hostname amavis[31578]: Net::Server: 2016/01/13-18:17:34 CONNECT TCP Peer: "[]:40209" Local: "[]:10024" Jan 13 18:17:34 hostname amavis[31578]: loaded base policy bank Jan 13 18:17:34 hostname amavis[31578]: lookup_ip_

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information. Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic. In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files . This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times . For English speakers, I recommend The Register from the UK for an excellent summary of these findings . Beginning in  February 27, 2012 , the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm  Strategic Forecasting, Inc (more widely known as  Stratfor). The leak publication bega