Skip to main content


Showing posts with the label 524.dat

524.dat & chrome_patch.hta [UPDATED]

    A few minutes ago I clicked a link to an article and I noticed something fishy. The new site attempted to automatically redirect my browser to this:     This piece of garbage phishing page didn't even wait for me to be suckered by their super-convincing download link, and used a setTimeout() call to try to force my browser to download something called `9901224839027/1469890408944162/chrome_patch.hta`.      Here is chrome_patch.hta as it is seen in the wild:     And here is chrome_patch.hta after we apply deobfuscation 101:     As you can see, chrome_patch.hta downloads a .dat fie `17/524.dat` and creates an executable `g2924808f66985de3a9ad1e3d743e0d.exe` before providing victims with a reassuring "Update completed" window.     I've been seeing similar versions of this same method to force users to swallow the 524.dat payload, like this:     I've found some complaints as far back as a month ago. I'm going to try to get my hands