Fake Flash Player Alerts From Legitimate Websites


Regardless of how up to date our computers are or how good our antivirus protection is, we are all at risk from malicious adverts on webpages. Now I accept adverts are part of the web today. I personally don’t use or recommend ad blockers because many websites (including this one) rely on enough income from the adverts to pay hosting costs. There will always be an element of maliciousness by some unscrupulous advertisers or where the advert chain has been compromised by bad actors. Luckily my settings and antivirus have protected me.

I was reading a page on my local newspaper site (http://www.guardian-series.co.uk/news/15317736.Troubled_Luxe_Bar_ordered_to_shut_and_reopen_as_Gastro_Pub/?ref=mr&lp=1) a few minutes ago when I got a divert and a big red warning from my antivirus, ESET.

It must have been one of the adverts on the page, but I cannot find out which one, because they change on each visit.

Anyway, the page I was diverted to (a fake Flash Player update page) is https://izaiye-interactive.net/6141452444727/01296f4851adb85de3a1ad2335c429c8/52ebc0f94a7674f6db533556c202e52f.html (currently giving a 404, so it obviously needs the referral from the malicious advert or the webpage to display, and stays under the radar otherwise). They are using an SSL prefix (HTTPS), but there is no padlock in the URL to confirm this.

An HTA file is automatically downloaded, or attempted to be (VirusTotal) (Payload Security). If allowed to run unfettered, this HTA file would download and autorun https://izaiye-interactive.net/6141452444727/1496218715917605/FlashPlayer.jse (VirusTotal) (Payload Security). I am not sure what this encrypted/encoded JavaScript file does, because Payload Security has trouble running it properly, with invalid memory location messages, but it definitely looks like something nasty from the Payload Security screenshots and behaviour.

Joebox shows a lot more detail but still no actual payload. It looks like it should download an MP4 and an FLV file that would be converted by the script to a working malware binary. Joebox also shows invalid character messages on running the files. (This might be an anti-sandbox / anti-analysis measure by the bad actors, or it might genuinely be bad coding by the bad actors distributing this malware.)
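As an added example (not part of the original post), the chain described above, an HTA download followed by a .jse fetch from the same host, can be hunted for in web proxy logs. The log format, host names, time window and vendor allow-list below are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

LURE = re.compile(r"flash\s*player", re.I)         # file name used as bait
VENDOR_SUFFIXES = ("adobe.com", "macromedia.com")  # assumed allow-list
WINDOW = 120  # max seconds between the .hta and .jse requests (assumed)

# Constructed proxy log, oldest first: epoch seconds, client IP, URL.
SAMPLE_LOG = """\
1000 10.0.0.5 http://news.example/story/123
1004 10.0.0.5 https://lure.example/614/0129aa/52ebbb.html
1006 10.0.0.5 https://lure.example/614/0129aa/update.hta
1015 10.0.0.5 https://lure.example/614/149621/FlashPlayer.jse
1020 10.0.0.9 https://get.adobe.com/flashplayer/install.exe
1030 10.0.0.7 https://intranet.example/tools/report.hta
"""

def parse(log):
    """Yield (timestamp, client, host, path), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        url = urlsplit(parts[2])
        yield int(parts[0]), parts[1], (url.hostname or "").lower(), url.path

def is_vendor(host):
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)

def find_chains(log):
    """Alert when one client fetches .hta and then .jse from the same host."""
    last_hta = {}  # (client, host) -> time of the most recent .hta request
    alerts = []
    for ts, client, host, path in parse(log):
        if is_vendor(host):
            continue
        key, lower = (client, host), path.lower()
        if lower.endswith(".hta"):
            last_hta[key] = ts
        elif lower.endswith(".jse"):
            hta_ts = last_hta.get(key)
            if hta_ts is not None and ts - hta_ts <= WINDOW:
                alerts.append({"client": client, "host": host, "path": path,
                               "lure_name": bool(LURE.search(path))})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

A lone .hta request, such as the intranet line in the sample, does not alert; only the two-stage sequence from one host does.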

I experienced a similar attack recently, documented at https://myonlinesecurity.co.uk/fake-flashplayer-update-via-exploit-using-adverts-on-legit-site/

izaiye-interactive.net was registered yesterday on 30 May 2021 using what are obviously fake registrant details via PUBLICDOMAINREGISTRY.COM and hosted on 206.221.189.43 (reliablesite.net).
