A few days ago Skype users noticed that the instant messaging service served a malicious malware masquerading as fake Flash player update. Several users reported this incident on Twitter and Reddit and explained that they noticed an ad which was prompting them to download a malicious file disguised as “Flash player.”
Wow not bad, got this in @Skype today, even had the download popup! pic.twitter.com/wyQXavBINm
— caseyfoster (@caseyfosterTV) March 30, 2017
On close inspection of the file, Bleeping Computers discovered that the content of the file was nothing more than a handful of malicious javascript code. The so-called “flash player update” was an HTA file (HTML application file) and was designed to execute a PowerShell script to download a payload. The payload could be a JSE (encrypted JavaScript), but because the domain on which the scam was being hosted was down, a copy of the final payload could not be retrieved. The file was probably going to install a Trojan or ransomware on victims devices.
The domains were spreading the malicious “flash player” virus are oyomakaomojiyaorg and cievubeatapornnet, and according to bleeping computers, both are registered with Cock.li email accounts. They further added that the email accounts were used to register plenty of other shady domains were also registered using the same email accounts and obviously with malicious intent.
The IP addresses that are hosting the sites were previously under the radar for similar kind of shady domains, and with some more digging, Bleeping Computers discovered another email account was also being used for the same purpose.
This only concludes one thing: the domains were registered specifically for malvertising and that a group of skilled crooks is behind this massive operation.
One important thing worth mentioning here is that the user who identified the “Fake flash player” had contacted Skype support to inform them about the incident, and the Skype support refused to take the responsibility for this matter. Also, this is not the first time this kind of thing has happened. Malvertising has been increasing rapidly. In 2016 alone, malvertising saw an increase of 132%, and it is expected that the rate will go only upwards if proper measures are not taken very soon.
Image Source: Norebbo/Scott
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.
