Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Fake Adobe Flash Update OS X Malware - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Fake Adobe Flash Update OS X Malware

Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).

The "Installer" for the fake Flash update will install various scare ware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.

While I wasn't able to capture the exact trigger for the popup advertising the update, I suspect it was injected by one of the many ads on the page:

flash warning popup.

Once the user clicks on the popup, the following page offers the Flash Player update for download:

Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the "Installer" appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.

The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov:

I recorded a small video showing what happens when you install the "update" on a clean OS X 10.11 system:

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

2835 Posts
ISC Handler
Don't Apples have a Gatekeeper that's supposed to limit installation of apps to those from the Apple Store and Identified Developers? Does this mitigate the risk?
Anonymous

Posts
In the article Dr. Ullrich said "The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov" so GateKeeper did it's job and will allow it until Apple revokes the certificate.
Anonymous

Posts
Apparently, this is actually signed by a valid certificate.
Eric

12 Posts Posts
... deleted
Anonymous

Posts
Could you post the actual PKIX/X.509 certificate issued to the developer?
rsgmodelworks

1 Posts Posts
Apple has revoked it.

The application was signed by “Apple Root CA”, “Developer ID Application: Maksim Noskov (SHPB74W374)”.
Both the verified timestamp and the signing-time are: Jan 20, 2016, 5:41:11 AM.
The object code format is “app bundle with Mach-O thin (x86_64)”.
The signature contains the Team ID “SHPB74W374”.
Both bundle and signing identifiers are “com.overlaunch.leachy”.
The signature specifies implicit requirements. 
The requirements specify the Team ID “SHPB74W374”.
This matches the Team ID contained in the signature.
The signature specifies resource rules (v1). 
The signature specifies resource rules (v2). 
Gatekeeper assessment: FAIL (damaged).  

damaged = "/Volumes/Installer/Installer.app/: CSSMERR_TP_CERT_REVOKED"
Anonymous

Posts
Some additional indicators/analysis:
https://objective-see.com/blog/blog_0x0C.html
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!