Threat Level: green Handler on Duty: John Bambenek

SANS ISC: InfoSec Handlers Diary Blog - Fake Adobe Flash Update OS X Malware InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fake Adobe Flash Update OS X Malware

Published: 2016-02-04
Last Updated: 2016-02-04 15:19:52 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).

The "Installer" for the fake Flash update will install various scare ware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.

While I wasn't able to capture the exact trigger for the popup advertising the update, I suspect it was injected by one of the many ads on the page:

flash warning popup.

Once the user clicks on the popup, the following page offers the Flash Player update for download:

Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the "Installer" appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.

The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov:

I recorded a small video showing what happens when you install the "update" on a clean OS X 10.11 system:

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
7 comment(s)
Diary Archives