Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading as an Adobe Flash Player update page:


Figure 1. Fake Adobe Flash update page

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve back to the attacking domain and all of the links within the page—besides the link to the malware itself—resolve back to the root directory of the site, resulting in a 404 error.
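The inconsistencies described above can be checked mechanically. This is an added example, not Symantec's tooling: it resolves every link on a page and flags a vendor-branded page whose links never reach the vendor, mostly collapse to the site root, and offer an executable. The host `flash-update.example.test`, the sample markup, and the "at least half" threshold are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a vendor-branded page on a placeholder third-party host.
SAMPLE_URL = "http://flash-update.example.test/update/index.html"
SAMPLE_HTML = """
<a href="/">Products</a>
<a href="/">Support</a>
<a href="http://flash-update.example.test/">Terms of use</a>
<a href="/">Privacy</a>
<a href="update_flash_player.exe">Download Now</a>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def audit_links(page_url, html, vendor="adobe.com"):
    """Count where a page's links resolve and flag the pattern described above."""
    collector = LinkCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    report = {"total": 0, "vendor": 0, "site_root": 0, "executables": []}
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))
        host = target.hostname or ""
        report["total"] += 1
        if host == vendor or host.endswith("." + vendor):
            report["vendor"] += 1
        elif host == page_host and target.path in ("", "/"):
            report["site_root"] += 1
        if target.path.lower().endswith(".exe"):
            report["executables"].append(target.geturl())
    # Assumed threshold: no link reaches the vendor, at least half collapse to
    # the site root, and the page offers an executable download.
    report["suspicious"] = (report["vendor"] == 0 and bool(report["executables"])
                            and report["site_root"] * 2 >= report["total"])
    return report

if __name__ == "__main__":
    print(audit_links(SAMPLE_URL, SAMPLE_HTML))
```
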

The attacker’s main goal is to make sure that a successful installation occurs, so the page presents two options to the user for maximum return.

Option 1 is a pop-up message that requests the user to download a file named flash_player_updater.exe.

Option 2 is the “Download Now” button that requests the user to download a file named update_flash_player.exe.

Symantec currently detects both of these files as Downloader.Ponik.

During our analysis we found that, in addition to stealing passwords, these files appear to be looking for FTP/telnet/SSH credentials for all of the popular clients currently in use. They also monitor for SMTP, IMAP, and POP3 credentials.

Although these files are the same, they exhibit different behaviors. Option 1 installs ransomware, while Option 2 installs an ad-clicking component, both for illegal revenue generation.

Option 1

Figure 2. Command-and-control (C&C) server

The flash_player_updater.exe file sends a POST request on port 8080 to the following URL:


The Trojan then receives commands to download files from the following locations:

  • http://ocean[REMOVED]ba.co.za/
  • http://sys[REMOVED]55.info/
  • http://topaz[REMOVED]al.net/

All three files are identical and are used by the attacker to enhance the resilience of the threat by providing further locations for the threat to contact should any one particular site be inaccessible for any reason. Symantec detects these files as Trojan.Ransomlock.Q.

Once these files are executed on the computer, a new variant of Trojan.Ransomlock.Q appears on the compromised computer.

Next, the Trojan connects to the following command-and-control (C&C) server in order to download an encrypted file onto the compromised computer before the computer is locked:


Figure 3. Downloading an encrypted file

Figure 4. Ransomlock screen displayed after several minutes

Figure 5. Note the misspelling of “cibercrime” at the bottom of the page

Another interesting observation is that the malware will detect what brand of antivirus is running on the compromised computer, and will overlay the default Windows logo with the logo of the relevant antivirus company. As we already have protection in place for this threat, to test this feature properly we had to temporarily disable Norton 360 during analysis.

Figure 6. Ransomware with the Norton logo overlaying the Windows logo

Out of curiosity, we wanted to see what would happen if we were to enter some random 14-digit code, as MoneyPak uses 14 digits. A random 14-digit code was entered and the following screen was displayed:

Figure 7. A promise to unlock the computer that will be unfulfilled

This communication data is then sent back encrypted to the C&C server at the following location and stored for retrieval:


Good luck getting your computer unlocked.

Option 2

The update_flash_player.exe file sends a POST request on port 8080 to the following URL:


The Trojan then receives commands to download files from the following locations:

  • twinp[REMOVED]ng.com/
  • labos[REMOVED]ra.eu/
  • ftp.calm[REMOVED]ge.com/

These files are then installed on the compromised computer and run silently in the background to perform click fraud.

Figure 8. Click-fraud traffic

Symantec has protection in place and detects these files as Trojan Horse.

To ensure that you do not become a victim in the first place, please ensure that your antivirus definitions are constantly updated and that your software packages are also regularly updated. Do not download updates from third-party sites and always double check the URL of the download that is being offered.
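The network behaviour both options share (an executable posing as a Flash update fetched from a third-party site, followed by a POST on port 8080) can be hunted for in web proxy logs. This is an added example, not part of the original post: the log format, addresses, hosts, and the 10-minute correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (time client method url); all hosts are placeholders.
SAMPLE_LOG = """\
2000-01-01T10:00:05 10.0.0.21 GET http://flash-update.example.test/flash_player_updater.exe
2000-01-01T10:00:40 10.0.0.21 POST http://cc.example.test:8080/gate
2000-01-01T10:02:10 10.0.0.21 GET http://mirror-a.example.test/payload.exe
2000-01-01T10:05:00 10.0.0.34 GET http://download.adobe.com/install_flash_player.exe
2000-01-01T10:05:30 10.0.0.34 POST http://intranet.example.test:8080/api
2000-01-01T11:00:00 10.0.0.50 GET http://site.example.test/update_flash_player.exe
"""

WINDOW = timedelta(minutes=10)  # assumed gap allowed between download and check-in

def is_vendor(host, vendor="adobe.com"):
    return host == vendor or host.endswith("." + vendor)

def find_infections(log_text):
    """Map each client to 'downloaded' or 'checked-in' (POST to :8080 seen after)."""
    downloads = {}  # client -> time of the latest third-party "Flash" download
    status = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, raw_url = line.split()
        ts = datetime.fromisoformat(ts)
        url = urlsplit(raw_url)
        name = url.path.rsplit("/", 1)[-1].lower()
        host = url.hostname or ""
        # Stage 1: a Flash-named executable served from anywhere but the vendor.
        if (method == "GET" and "flash" in name and name.endswith(".exe")
                and not is_vendor(host)):
            downloads[client] = ts
            status.setdefault(client, "downloaded")
        # Stage 2: a POST on port 8080 counts only after a stage-1 download,
        # since port 8080 alone is common for legitimate internal services.
        elif method == "POST" and url.port == 8080 and client in downloads:
            if ts - downloads[client] <= WINDOW:
                status[client] = "checked-in"
    return status

if __name__ == "__main__":
    for client, stage in find_infections(SAMPLE_LOG).items():
        print(client, stage)
```

A client marked `checked-in` most likely ran the file and should be treated as compromised, including the stored credentials the post says the Trojan looks for; `downloaded` alone means the file reached the machine but no check-in was observed.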

Bizarre old-school spyware attacks governments, sports Mark of the Beast

One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.


ARPwner – ARP & DNS Poisoning Attack Tool

ARPwner is a tool for ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system for filtering the information gathered. It also has an implementation of sslstrip, is coded 100% in Python, and is on GitHub, so you can modify it according to your needs. This tool was released by [...]

Read the full post at darknet.org.uk

As Russians Ready for Fatherland Day, Spammers Take Advantage

Major events and holidays have always been a time for celebrations. Unfortunately, they also attract unscrupulous spammers looking to make a quick offer. Symantec observes that spam email usually spikes in conjunction with these holidays.

One such occasion is Defender of the Fatherland Day observed on February 23, which is a Russian holiday in countries of the former Soviet Union, such as Belarus and Tajikistan. Aside from parades and processions in honor of veterans, it is also customary for women to give small presents to men in their lives, such as fathers, husbands, and co-workers. Consequently, the holiday is often referred to as Men's Day.

As such, most spam emails revolve around souvenirs, small gifts, and even men’s medicine such as Viagra. Below is an example of some of these emails:

Subject: Волшебные подарки на 23 февраля
Translation: Magical gifts for February 23

Symantec observes that Valentine’s Day, Defender of the Fatherland Day, and International Women’s Day (March 8) share the characteristic of showing appreciation between the sexes, and are thus subject to the same types of abuse from spammers sending out bogus offers and promotions.

Symantec advises our users to be cautious with unsolicited or unexpected emails, and to not purchase gifts and products from these offers. Many spammers will sell financial and personal data gathered from such sales to other spammers or hackers, resulting in malware, and phishing and spam attacks from third party sources. Users should keep their security software up to date in order to be protected from such risks.