Security Response

Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud

Created: 27 Feb 2013 17:07:42 GMT • Updated: 23 Jan 2014 18:09:11 GMT • Translations available: 日本語

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading as an Adobe Flash Player update page:

http://16.a[REMOVED]rks.com/adobe/

Figure 1. Fake Adobe Flash update page

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve back to the attacking domain and all of the links within the page—besides the link to the malware itself—resolve back to the root directory of the site, resulting in a 404 error.
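The link inconsistency described above (every link collapsing back to the site root while the only real destination is an executable) can be turned into a simple triage check. The following is an added example written for this page, not Symantec's tooling or the attacker's page; the hostnames, the sample HTML and the threshold of three root links are constructed assumptions.

```python
"""Heuristic link audit for a suspected fake software-update page.

Added example; this is not Symantec's tooling. It checks the
inconsistency noted above: every link on the page collapses back to
the site root except the one that serves an executable.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".com", ".bat", ".jar")


class _LinkCollector(HTMLParser):
    """Collect href targets from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_update_page(page_html, page_url):
    """Classify each link relative to page_url and return a verdict.

    root_links:  links that land on the root of the serving host
    exe_links:   links whose path ends in an executable extension
    other_links: anything else (genuine vendor pages have many of these)
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    site = urlsplit(page_url)
    root_links, exe_links, other_links = [], [], []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parts = urlsplit(absolute)
        path = parts.path.lower()
        if path.endswith(EXECUTABLE_SUFFIXES):
            exe_links.append(absolute)
        elif parts.netloc == site.netloc and path in ("", "/"):
            root_links.append(absolute)
        else:
            other_links.append(absolute)
    # The pattern from the write-up: the only real destination is an
    # executable and everything else just points at the site root.
    # The "at least three root links" threshold is an assumption.
    suspicious = bool(exe_links) and not other_links and len(root_links) >= 3
    return {
        "root_links": root_links,
        "exe_links": exe_links,
        "other_links": other_links,
        "suspicious": suspicious,
    }


# Constructed sample pages (hostnames are placeholders, not the real site).
FAKE_PAGE_URL = "http://update-site.example/adobe/"
FAKE_PAGE_HTML = """
<html><body>
<a href="/">Home</a> <a href="/">Products</a> <a href="/">Support</a>
<a href="http://update-site.example/">Privacy</a>
<a href="update_flash_player.exe">Download Now</a>
</body></html>
"""

GENUINE_PAGE_URL = "https://vendor.example/flashplayer/"
GENUINE_PAGE_HTML = """
<html><body>
<a href="/">Home</a> <a href="/products/">Products</a>
<a href="https://helpx.vendor.example/flash-player/">Help</a>
<a href="/privacy/">Privacy</a> <a href="/go/getflashplayer">Download Now</a>
</body></html>
"""

if __name__ == "__main__":
    for label, url, html in (("fake", FAKE_PAGE_URL, FAKE_PAGE_HTML),
                             ("genuine", GENUINE_PAGE_URL, GENUINE_PAGE_HTML)):
        result = audit_update_page(html, url)
        print(label, "suspicious" if result["suspicious"] else "ok", result["exe_links"])
```

The verdict is deliberately conservative: a real vendor page also links to its own root, so the check only fires when an executable is the sole non-root destination. Feed it the saved HTML of a page and the URL it was served from.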

The attacker’s main goal is a successful installation, so two options are presented to the user for maximum return.

Option 1 is a pop-up message that requests the user to download a file named flash_player_updater.exe.

Option 2 is the “Download Now” button that requests the user to download a file named update_flash_player.exe.

Symantec currently detects both of these files as Downloader.Ponik.

During our analysis we found that, in addition to stealing passwords, these files appear to be looking for FTP/telnet/SSH credentials for all of the popular clients currently in use. They also monitor for SMTP, IMAP, and POP3 credentials.

Although these files are the same, they behave differently once run: Option 1 installs ransomware, while Option 2 installs an ad-clicking component, both for illegal revenue generation.

Option 1

Figure 2. Command-and-control (C&C) server

The flash_player_updater.exe file sends an HTTP POST request to port 8080 at the following URL:

http://lum[REMOVED]th.com/forum/viewtopic.php

The Trojan then receives commands to download files from the following locations:

  • http://ocean[REMOVED]ba.co.za/
  • http://sys[REMOVED]55.info/
  • http://topaz[REMOVED]al.net/

All three files are identical and are used by the attacker to enhance the resilience of the threat by providing further locations for the threat to contact should any one particular site be inaccessible for any reason. Symantec detects these files as Trojan.Ransomlock.Q.

Once these files are executed on the computer, a new variant of Trojan.Ransomlock.Q appears on the compromised computer.

Next, the Trojan connects to the following command-and-control (C&C) server in order to download an encrypted file onto the compromised computer before the computer is locked:

http://c[REMOVED]l.ru

Figure 3. Downloading an encrypted file

Figure 4. Ransomlock screen displayed after several minutes

Figure 5. Note the misspelling of “cibercrime” at the bottom of the page

Another interesting observation is that the malware detects which brand of antivirus is running on the compromised computer and overlays the default Windows logo with the logo of the relevant antivirus company. As we already have protection in place for this threat, to test this feature properly we had to temporarily disable Norton 360 during analysis.

Figure 6. Ransomware with the Norton logo overlaying the Windows logo

Out of curiosity, we wanted to see what would happen if we were to enter some random 14-digit code, as MoneyPak uses 14 digits. A random 14-digit code was entered and the following screen was displayed:

Figure 7. A promise to unlock the computer that will be unfulfilled

The entered code is then encrypted and sent back to the C&C server at the following location, where it is stored for retrieval:

http://c[REMOVED]l.ru

Good luck getting your computer unlocked.

Option 2

The update_flash_player.exe file sends an HTTP POST request to port 8080 at the following URL:

http://lum[REMOVED]th.com/forum/viewtopic.php

The Trojan then receives commands to download files from the following locations:

  • twinp[REMOVED] ng.com/
  • labos[REMOVED]ra.eu/
  • ftp.calm[REMOVED]ge.com/

These files are then installed on the compromised computer and run silently in the background to perform click fraud.

Figure 8. Click-fraud traffic

Symantec has protection in place and detects these files as Trojan Horse.
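
Both options share the same network behaviour: a POST to /forum/viewtopic.php on port 8080, followed by downloads from a set of fallback hosts. The following added example, written for this page and not Symantec's detection content, runs that chain as a rule over constructed proxy log lines. The log format, the client addresses and the host names are assumptions; because the write-up redacts the real domains, placeholder hosts stand in for the C&C server and the three download locations.

```python
"""Proxy-log detection for the beacon-then-fallback chain described above.

Added example; it is not Symantec's detection content. The log format is
constructed, and because the write-up redacts the real domains, placeholder
hosts stand in for the C&C and the fallback download locations.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-ins for the redacted download locations.
FALLBACK_HOSTS = {"fallback-a.example", "fallback-b.example", "fallback-c.example"}
BEACON_PORT = 8080                    # from the write-up
BEACON_PATH = "/forum/viewtopic.php"  # from the write-up

# Constructed proxy log: "timestamp client method url status".
SAMPLE_LOG = """\
2013-02-27T10:00:01Z 10.0.0.5 GET http://www.example.com/ 200
2013-02-27T10:00:07Z 10.0.0.5 POST http://cnc-host.example:8080/forum/viewtopic.php 200
2013-02-27T10:00:09Z 10.0.0.5 GET http://fallback-a.example/ 200
2013-02-27T10:00:09Z 10.0.0.5 GET http://fallback-b.example/ 200
2013-02-27T10:00:10Z 10.0.0.5 GET http://fallback-c.example/ 200
2013-02-27T10:01:00Z 10.0.0.9 POST http://intranet.example:8080/forum/viewtopic.php 200
2013-02-27T10:02:00Z 10.0.0.12 GET http://fallback-a.example/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn raw log lines into dicts with host, port and path split out."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        parts = urlsplit(m["url"])
        default_port = 443 if parts.scheme == "https" else 80
        events.append({
            "ts": m["ts"],
            "client": m["client"],
            "method": m["method"],
            "host": parts.hostname or "",
            "port": parts.port or default_port,
            "path": parts.path or "/",
        })
    return events


def is_beacon(ev):
    """POST to /forum/viewtopic.php on 8080: the C&C check-in used by both options."""
    return ev["method"] == "POST" and ev["port"] == BEACON_PORT and ev["path"] == BEACON_PATH


def detect(events):
    """Score each client. The beacon alone is weak (a real forum on 8080 would
    match); the beacon followed by a fetch from a fallback host is the chain
    the write-up describes and is scored high."""
    findings = defaultdict(lambda: {"beacon": False, "fallback_hosts": set(),
                                    "chain": False, "severity": "none"})
    for ev in sorted(events, key=lambda e: e["ts"]):
        f = findings[ev["client"]]
        if is_beacon(ev):
            f["beacon"] = True
        elif ev["host"] in FALLBACK_HOSTS:
            f["fallback_hosts"].add(ev["host"])
            if f["beacon"]:
                f["chain"] = True  # download followed an earlier beacon
    for f in findings.values():
        if f["chain"]:
            f["severity"] = "high"
        elif f["beacon"] or f["fallback_hosts"]:
            f["severity"] = "medium"
    return dict(findings)


if __name__ == "__main__":
    for client, f in detect(parse_log(SAMPLE_LOG)).items():
        print(client, f["severity"], sorted(f["fallback_hosts"]))
```

The ordering matters: a download from a fallback host only escalates to high when the same client has already beaconed, which is why the events are sorted by timestamp before scoring. Swap the placeholder host set for the real indicators once they are known.
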

To ensure that you do not become a victim in the first place, keep your antivirus definitions constantly updated and keep your software packages regularly updated as well. Do not download updates from third-party sites, and always double-check the URL of the download that is being offered.