Locky Ransomware being Distributed through Fake Flash Player Update Sites

Dirk41 (Thread author)
Fake Flash Player update sites have long been a favorite distribution method for adware and other unwanted programs. Today, a fake Flash update site was discovered by ExecuteMalware that is pushing the Locky ransomware. When someone visits the site they are presented with a page stating that Flash Player is out of date, and an executable is then downloaded automatically. If you look carefully at the URL in the browser's address bar you can see that the domain, fleshupdate.com, does not seem to be spelled right.

[Image: Fake Flash Update Web Page]
The executable automatically downloaded by this site is named FlashPlayer.exe and carries a Flash Player icon, as seen below.

[Image: Flash Icon in Downloaded File]
If you look at the properties of this file, though, things start to look strange.

[Image: Locky Installer Properties]
Ultimately, if a user runs this program thinking that Flash will be updated, they will be in for a big surprise. Instead of a Flash Player update, they will be shown a Locky ransom note once the ransomware has finished encrypting their files.

[Image: Locky Ransom Note]
The LockyDump information for the variant I tested is below. MalwareHunterTeam also saw a sample using an affiliate ID of 19, which as far as we know has not been previously seen.

Verbose: 0
The file is a PE EXE
affilID: 13
Seed: 9841
Delay: 30
Persist Svchost: 0
Persist Registry: 0
Ignore Russian Machines: 1
CallbackPath: /message.php
C2Servers: 85.143.212.23,185.82.217.29,107.181.174.34
RsaKeyID: 85D
RsaKeySizeBytes: 114
Key Alg: A400
Key: RSA1
Key Bits: 2048
Key Exponent: 10001
As you can see, it is not only attachments and exploit kits pushing ransomware. Everyone needs to be vigilant and careful when browsing the web. Furthermore, program updates should only be downloaded from their main product sites rather than from third-party sites where you have no idea what you are installing.

Stay Frosty!
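The RSA fields in the LockyDump output above (Key Alg A400, Key RSA1, Key Bits 2048, Key Exponent 10001, RsaKeySizeBytes 114, all printed in hex) are exactly the fields of a Windows CryptoAPI PUBLICKEYBLOB: an 8-byte BLOBHEADER with aiKeyAlg = CALG_RSA_KEYX (0xA400), a 12-byte RSAPUBKEY with the "RSA1" magic, bit length and public exponent, then the modulus as a little-endian integer (20 + 256 = 276 = 0x114 bytes for a 2048-bit key). The Python below is an added example, not code from the original post or from LockyDump: it builds such a blob from a constructed (not real, not Locky's) modulus, scans a constructed buffer for the fixed 12-byte blob prefix the way one would scan an unpacked sample, and parses the hit back into the same fields LockyDump prints.

```python
"""Build, locate and parse Windows CryptoAPI RSA PUBLICKEYBLOBs.
Added example: the constants are the documented CryptoAPI values, the
sample modulus and carrier buffer are constructed stand-ins, not real key
material and not taken from any Locky sample."""
import struct

# BLOBHEADER (8 bytes): bType, bVersion, reserved, aiKeyAlg
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400          # "Key Alg: A400" in the LockyDump output
# RSAPUBKEY (12 bytes): magic, bitlen, pubexp
RSA1_MAGIC = 0x31415352             # the bytes b"RSA1" read as a little-endian DWORD
HEADER_LEN = 8 + 12
# Every RSA PUBLICKEYBLOB starts with these 12 bytes, which makes a
# convenient scan signature for an unpacked binary or a memory dump.
BLOB_PREFIX = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX) + b"RSA1"


def build_publickeyblob(modulus: int, exponent: int, bits: int) -> bytes:
    """Serialize (n, e) the way CryptExportKey(PUBLICKEYBLOB) lays it out:
    BLOBHEADER, RSAPUBKEY, then the modulus as bits/8 little-endian bytes."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bits, exponent)
    return header + rsapubkey + modulus.to_bytes(bits // 8, "little")


def parse_publickeyblob(blob: bytes) -> dict:
    """Validate a blob and return its fields; raises ValueError on anything
    that CryptImportKey would also reject (bad type, algorithm, magic, length)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, key_alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PUBLICKEYBLOB")
    if key_alg != CALG_RSA_KEYX:
        raise ValueError("unexpected key algorithm 0x%X" % key_alg)
    magic, bits, exponent = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic is not RSA1")
    if bits == 0 or bits % 8 or len(blob) != HEADER_LEN + bits // 8:
        raise ValueError("blob length %d does not match a %d-bit key" % (len(blob), bits))
    modulus = int.from_bytes(blob[HEADER_LEN:], "little")
    # An RSA modulus of the declared size has its top bit set and is odd.
    if modulus >> (bits - 1) != 1 or modulus % 2 == 0:
        raise ValueError("modulus is not an odd %d-bit integer" % bits)
    return {
        "size_bytes": len(blob),
        "key_alg": key_alg,
        "key_magic": struct.pack("<I", magic).decode("ascii"),
        "key_bits": bits,
        "key_exponent": exponent,
        "modulus": modulus,
    }


def describe(blob: bytes) -> str:
    """Render the blob the way LockyDump prints it (sizes and IDs in hex)."""
    info = parse_publickeyblob(blob)
    return "\n".join([
        "RsaKeySizeBytes: %X" % info["size_bytes"],
        "Key Alg: %X" % info["key_alg"],
        "Key: %s" % info["key_magic"],
        "Key Bits: %d" % info["key_bits"],
        "Key Exponent: %X" % info["key_exponent"],
    ])


def find_publickeyblobs(data: bytes) -> list:
    """Return (offset, parsed fields) for every well-formed RSA PUBLICKEYBLOB
    found in data by scanning for the fixed prefix and validating the rest."""
    found, start = [], 0
    while True:
        off = data.find(BLOB_PREFIX, start)
        if off < 0:
            return found
        start = off + 1
        if off + HEADER_LEN > len(data):
            continue
        bits = struct.unpack_from("<I", data, off + 12)[0]
        end = off + HEADER_LEN + bits // 8
        if bits == 0 or bits % 8 or end > len(data):
            continue
        try:
            found.append((off, parse_publickeyblob(data[off:end])))
        except ValueError:
            continue


# Constructed stand-in for a 2048-bit modulus (NOT a real RSA key, NOT Locky's):
# top bit set so it is exactly 2048 bits, low bit set so it is odd.
SAMPLE_MODULUS = (1 << 2047) | (0xDEADBEEF << 1000) | 1
SAMPLE_BLOB = build_publickeyblob(SAMPLE_MODULUS, 0x10001, 2048)
# Constructed carrier: filler bytes and a decoy "RSA1" string around the blob,
# as one would see when scanning an unpacked sample.
SAMPLE_BUFFER = b"\x90" * 37 + b"RSA1\x00\x08" + SAMPLE_BLOB + b"\xcc" * 11

if __name__ == "__main__":
    print(describe(SAMPLE_BLOB))
    for off, info in find_publickeyblobs(SAMPLE_BUFFER):
        print("PUBLICKEYBLOB at offset %d, %d-bit modulus" % (off, info["key_bits"]))
```

Running the script prints the same five RSA lines LockyDump shows for the 2048-bit sample (RsaKeySizeBytes: 114, Key Alg: A400, Key: RSA1, Key Bits: 2048, Key Exponent: 10001) and reports the single blob in the constructed buffer at offset 43; the decoy "RSA1" string is not reported because it lacks the BLOBHEADER in front of it. The same scan works on a memory dump of an unpacked sample, which is the usual way to recover the per-campaign public key when the configuration is not otherwise accessible.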

Deleted member 2913

I have seen this "Your Flash Player is not up to date, update it".
Adblockers (by default) do a good job, but the mentioned one is always missed by adblockers.
If I remember correctly, Adguard Desktop blocked it once here, and it was Adguard WOT that blocked it.

RoboMan
Somebody should really code a basic program with the official download links for the most commonly used programs. I mean, a program that lists the free/trial software people use most (Adobe Flash, Silverlight, browsers, antivirus, etc.) and, when you click one, redirects you to its official download site. It would work for most people, since they basically know nothing about secure connections or potentially unwanted programs/malware.

Fritz
The gullibility of people constantly amazes me.

This. You know, I'm really not a mean-spirited individual in general, but I'm tempted to say that infections like these are well deserved.

If you use a program called "Flash Player" and think "fleshupdate.com" sounds perfectly fine for a download, feel like you have to follow the link in that email from "Amazon" regarding your order – even though you never ordered anything recently to begin with, and hovering over the link with your mouse pointer for mere seconds would reveal that it leads to "letmegrabyourmoney.ng" – or think you really have to open that attachment from your African prince in order to claim your millions, then chances are you can't even tie your own shoes in the morning and shouldn't have access to anything electronic in the first place, because you're a danger to yourself and others.