This is the picture after visualizing data gathered from one malicious node, 220.127.116.11. Hundreds of active domain names share this IP address, as denoted by the green lines. The red lines inside the body of the “Bloated Fish” denote malicious links. These red lines connect to the fish’s pink and red lips, marked as “http://self-relax-massage.com/relax/in.cgi?”. At the moment, the malicious server leads to its payload, “http://great2008x.com/great/pdf.php?id”. This generates an exploit PDF that installs an EXE, targeting users whose default browser opens Adobe Reader automatically.
As observed and mentioned several times before, these malicious PDFs have been quietly increasing in number; recently, however, there has been a significant jump due to the implementation of “PHP PDF”, apparently a form of server-side polymorphism, meaning the generated PDF changes every time it is served. This makes detection difficult for most security scanners that rely on matching a specific file.
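To show why per-file signatures fail against a generator like this, here is an added Python example (not code from the original post): a hypothetical “PHP PDF”-style generator that reuses one PDF skeleton with different filler bytes on each download, checked first by hash and then by the structural indicators that stay constant across variants. The skeleton, the filler scheme and the indicator list are all constructed for this demonstration.

```python
import hashlib
import re
import secrets

# Constructed PDF skeleton: the catalog carries an /OpenAction that points at
# a JavaScript action object. The script body is a harmless placeholder; the
# filler comment is the part a server-side generator would vary per download.
PDF_TEMPLATE = (
    b"%PDF-1.4\n"
    b"% filler: {filler}\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('placeholder')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def make_variant(filler: bytes = None) -> bytes:
    """Emulate server-side polymorphism: same structure, different bytes each time."""
    if filler is None:
        filler = secrets.token_hex(8).encode()
    return PDF_TEMPLATE.replace(b"{filler}", filler)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Structural indicators that survive byte-level changes. Hypothetical list
# chosen for this example, not any vendor's signature set.
SUSPICIOUS_KEYS = {
    "OpenAction": rb"/OpenAction\b",
    "JavaScript": rb"/JavaScript\b",
    "JS": rb"/JS\b",
    "Launch": rb"/Launch\b",
    "AA": rb"/AA\b",
}

def structural_indicators(pdf: bytes) -> list:
    """Names of the indicators present, in SUSPICIOUS_KEYS order."""
    return [name for name, pat in SUSPICIOUS_KEYS.items() if re.search(pat, pdf)]

def hash_match(pdf: bytes, known_bad_hashes: set) -> bool:
    """Signature-style check: exact file hash seen before."""
    return sha256(pdf) in known_bad_hashes

def structural_match(pdf: bytes, min_hits: int = 2) -> bool:
    """Flag when indicators co-occur, e.g. /OpenAction together with /JavaScript."""
    return len(structural_indicators(pdf)) >= min_hits

if __name__ == "__main__":
    first, second = make_variant(b"aaaa"), make_variant(b"bbbb")
    known = {sha256(first)}  # a signature built from the first download only
    print("hash catches second variant:", hash_match(second, known))      # False
    print("structure catches second variant:", structural_match(second))  # True
```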
Notice the fish tail: there are a few red lines leading to the “MacAccess” trojan. As of this writing, they all point to “http://opera-power.com/download/7946645975673d6cc63775/flashcodec.dmg”. As usual, it is disguised as a fake codec. Here’s an example below…
“These bloated fish call the cloud their home.”