So.. I saw some mysterious outbound traffic to event.swupdateservice.net/event (138.91.189.124 / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive.
The WHOIS details for the domain are anonymised (never a good sign), and the IP address is also used by event.ezwebservices.net which uses similarly hidden details. Team Cymru have an analysis of what is being phoned home to this mystery server, and I found an existing Malwr analysis referencing the alternate domain.
I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine. Various analysis tools confirm that it generates this traffic [1] [2] [3].
The binary itself does not identify its creator. I found various references (such as in this report: https://www.hybrid-analysis.com/sample/f479a3779efb6591c96355a55e910f6a20586f3101cd923128c764810604092f?environmentId=1) linking this software and the domains to Emaze.com (a "free" presentation tool), and a look at the user's traffic logs indicates that they visited this site, referred to it by VisualBee.com, which is some sort of PowerPoint plugin.
Neither domain identifies itself through the WHOIS details, nor can I find any contact details on either site. A look through the historical WHOIS for VisualBee.com gives:
Administrative Contact:
info, info info@visualbee.com
visual software systems LTD.
6 Hanechoshet st.
Tel-Aviv, Israel 69710
Israel
+972.775422537
And for Emaze.com:
Administrative Contact:
Rubenstein, Steven rubenstein.steven@gmail.com
504 224th PL SE
Bothell, Washington 98021
United States
+1.4254862149
This Crunchbase profile for Shai Schwartz links the two companies.
I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend blocking traffic to:
visualbee.com
emaze.com
swupdateservice.net
ezwebservices.net
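As an added example (not code from the original post), here is a small Python check that flags proxy log lines whose host is one of the four domains above, any subdomain of them (so event.swupdateservice.net matches), or the 138.91.189.124 address the post observed. The log lines are constructed for illustration.

```python
from ipaddress import ip_address

# Domains the post recommends blocking, plus the IP seen serving
# event.swupdateservice.net / event.ezwebservices.net.
BLOCKED_DOMAINS = {"visualbee.com", "emaze.com", "swupdateservice.net", "ezwebservices.net"}
BLOCKED_IPS = {"138.91.189.124"}

# Constructed sample proxy log (timestamp client host url) - not real data.
SAMPLE_LOG = """\
2016-03-01T10:02:11Z 10.0.0.15 event.swupdateservice.net http://event.swupdateservice.net/event
2016-03-01T10:02:12Z 10.0.0.15 www.microsoft.com https://www.microsoft.com/
2016-03-01T10:03:40Z 10.0.0.22 138.91.189.124 http://138.91.189.124/event
2016-03-01T10:04:01Z 10.0.0.15 notemaze.com http://notemaze.com/
2016-03-01T10:05:09Z 10.0.0.31 EMAZE.COM https://EMAZE.COM/
"""

def host_is_blocked(host: str) -> bool:
    """True if host is a blocked domain, a subdomain of one, or a blocked IP.
    Matching is on label boundaries, so 'notemaze.com' does not match 'emaze.com'."""
    host = host.strip().rstrip(".").lower()
    try:
        if str(ip_address(host)) in BLOCKED_IPS:
            return True
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def find_hits(log_text: str) -> list:
    """Return (timestamp, client, host) for each log line whose host is blocked."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        ts, client, host = parts[0], parts[1], parts[2]
        if host_is_blocked(host):
            hits.append((ts, client, host))
    return hits

if __name__ == "__main__":
    for ts, client, host in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}")
```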