
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious

 

              IP Address       Port        Hostname
 Source       (local)          62200
 Destination  216.139.221.14   http (80)   wspanalytics.com  (United States)

 

url http://wspanalytics.com/boost-for-excel/wp-content/release/boost/boost-installer.exe
Host wspanalytics.com
Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection keep-alive
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept-Encoding gzip, deflate, sdch
Accept-Language en-US,en;q=0.8
req_or_response GET /boost-for-excel/wp-content/release/boost/boost-installer.exe HTTP/1.1
Upgrade-Insecure-Requests 1

 

Description:

  • A request to download a .exe file from a WordPress site has occurred.
  • WordPress sites are frequently used by malware authors for distribution. Why?
    • These sites often have the virtue of being tied to known good (not blacklisted) infrastructure.
    • They are easy to set up insecurely and are often abandoned (the user sets up the server and never patches it).
    • They provide throwaway, non-attributable infrastructure for hosting malware binaries.

 

False Positive:

  • YES
  • wspanalytics is a known good WordPress site.
  • They are legitimately distributing cleartext .exes via their site.
  • wprecon.com finds no security violations.
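The detection logic described in the Description section (an executable requested from under a WordPress directory) together with the triage step applied in the False Positive section (checking the requesting host against sites already verified as legitimately shipping executables), as an added Python example. This is not the ET signature nor any code from this page; the known-good list and every sample request other than the page's own are constructed for illustration.

```python
from urllib.parse import urlparse

# Hosts an analyst has already verified as legitimate WordPress sites that
# really distribute .exe installers. wspanalytics.com is the verdict from
# this alert; the set itself is constructed configuration, not a real list.
KNOWN_GOOD_HOSTS = {"wspanalytics.com"}

# Directory names that mark a path as living inside a WordPress install.
WP_DIRS = {"wp-content", "wp-includes", "wp-admin"}


def parse_request_line(request_line):
    """Split 'METHOD target HTTP/x.y' into (method, path); None if malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    # The target may be origin-form (/path) or absolute-form (http://host/path,
    # as seen through a proxy); urlparse yields the path either way and drops
    # the query string, so "?dl=1" cannot hide the extension.
    path = urlparse(target).path
    return method.upper(), path


def is_exe_from_wordpress_dir(path):
    """True when the final segment is a .exe and an earlier segment is a WP dir."""
    segments = [s for s in path.split("/") if s]
    if not segments or not segments[-1].lower().endswith(".exe"):
        return False
    return any(seg.lower() in WP_DIRS for seg in segments[:-1])


def triage(host, request_line, known_good=KNOWN_GOOD_HOSTS):
    """Apply the rule, then the analyst's allowlist, and return a verdict."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return {"alert": False, "verdict": "malformed", "action": "none"}
    method, path = parsed
    if method != "GET" or not is_exe_from_wordpress_dir(path):
        return {"alert": False, "verdict": "no-match", "action": "none"}
    if host.lower() in known_good:
        # Same outcome as this write-up: the signature fired, but the host is
        # a verified legitimate distributor, so no action is taken.
        return {"alert": True, "verdict": "false-positive", "action": "none"}
    return {
        "alert": True,
        "verdict": "suspicious",
        "action": "escalate: check host reputation and hash the downloaded binary",
    }


# Sample traffic: the first entry is the request captured on this page; the
# rest are constructed to exercise the rule's boundaries.
SAMPLES = [
    ("wspanalytics.com",
     "GET /boost-for-excel/wp-content/release/boost/boost-installer.exe HTTP/1.1"),
    ("blog.example.invalid",
     "GET /wp-content/uploads/2016/08/invoice.EXE?dl=1 HTTP/1.1"),
    ("downloads.example.invalid", "GET /files/setup.exe HTTP/1.1"),
    ("blog.example.invalid",
     "GET /wp-content/themes/twentysixteen/style.css HTTP/1.1"),
]


def run_samples(samples=SAMPLES):
    """Return (host, verdict) pairs for a batch of requests."""
    return [(host, triage(host, line)["verdict"]) for host, line in samples]


if __name__ == "__main__":
    for host, verdict in run_samples():
        print(f"{host:28s} {verdict}")
```

The allowlist is keyed on the Host header rather than the destination IP because a single IP on shared hosting can serve many unrelated WordPress sites; the verdict for wspanalytics.com should not carry over to a neighbour on the same address.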

 

Action:

  • None

 
