Fake Adobe Flash Update OS X Malware

Published: 2016-02-04
Last Updated: 2016-02-04 15:19:52 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).

The "Installer" for the fake Flash update will install various scare ware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.

While I wasn't able to capture the exact trigger for the popup advertising the update, I suspect it was injected by one of the many ads on the page:

flash warning popup.

Once the user clicks on the popup, the following page offers the Flash Player update for download:

Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the "Installer" appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.

The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov:

I recorded a small video showing what happens when you install the "update" on a clean OS X 10.11 system:

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
7 comment(s)

Comments

Don't Apples have a Gatekeeper that's supposed to limit installation of apps to those from the Apple Store and Identified Developers? Does this mitigate the risk?
In the article Dr. Ullrich said "The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov" so GateKeeper did it's job and will allow it until Apple revokes the certificate.
Apparently, this is actually signed by a valid certificate.
... deleted
Could you post the actual PKIX/X.509 certificate issued to the developer?
Apple has revoked it.

The application was signed by “Apple Root CA”, “Developer ID Application: Maksim Noskov (SHPB74W374)”.
Both the verified timestamp and the signing-time are: Jan 20, 2016, 5:41:11 AM.
The object code format is “app bundle with Mach-O thin (x86_64)”.
The signature contains the Team ID “SHPB74W374”.
Both bundle and signing identifiers are “com.overlaunch.leachy”.
The signature specifies implicit requirements. 
The requirements specify the Team ID “SHPB74W374”.
This matches the Team ID contained in the signature.
The signature specifies resource rules (v1). 
The signature specifies resource rules (v2). 
Gatekeeper assessment: FAIL (damaged).  

damaged = "/Volumes/Installer/Installer.app/: CSSMERR_TP_CERT_REVOKED"
Some additional indicators/analysis:
https://objective-see.com/blog/blog_0x0C.html

Diary Archives