1 How the malicious code works2 Microsoft: Customers should be cautious3 A spin-off of Locky ransomware?
A Reddit user has now revealed in a thread that a malicious ad appeared while he was on Skype’s home screen. The ad pretended to be a Flash update for the computer’s browser and would prompt the user to download an HTML application named “FlashPlayer.hta.” It appears that once opened, that HTML app would download a malicious payload, which could potentially harm a computer in the long run. The Redditor didn’t run the application, instead, he has already deconstructed the code and has posted it publicly on Reddit. Other users have complained about malicious ads inside Skype, with the “fake Flash update” as a common denominator. https://twitter.com/ElectriicDev/status/847474592109125632
— caseyfoster (@caseyfosterTV) March 30, 2017
How the malicious code works
In response to the Reddit thread, ZDNet has contacted several experts to deconstruct the code and explain how it works. According to malware experts, the malicious ads have the following characteristics:
They target Windows machines by pushing a file download When users open the file, they trigger obfuscated JavaScript The code starts a new command line, then deletes the app the user just opened It then runs a PowerShell command, which downloads JavaScript Encoded Script (JSE) from a domain that no longer exists
In addition, ZDNet has contacted Ali-Reza Anghaie, co-founder of cybersecurity firm Phobos Group, to comment on the matter. Anghaie has said that “This is what’s generally called a ‘two stage dropper’. It’s effectively the utility component of the malware that then decides what else to do based on the command and control it connects to.”
Microsoft: Customers should be cautious
Responding to the issue, a Microsoft spokesperson has said that the Redmond giant should not be held responsible. The company’s spokesperson has explained that “[Microsoft is] aware of a social engineering technique that could be used to direct some customers to a malicious website. [Microsoft continues] to encourage customers to exercise caution when opening unsolicited attachments and links from both known and unknown sources and install and regularly update antivirus software.”
A spin-off of Locky ransomware?
According to the Reddit thread and to the several experts that ZDNet has contacted, this “fake Flash update” could be a spin-off of a recent Locky ransomware campaign. The Locky ransomware malware uses a JavaScript file in order to download ransomware to computers. The Locky ransomware also hit Facebook and other social media, in November 2016. The security firm called Check Point uncovered this new method of distributing malware code through image files.
