
Spoofed WebEx, PayPal Emails Lead to Rogue Flash Update

  • Posted on:October 16, 2012 at 4:04 pm
  • Posted in:Malware, Spam
  • Author:
    Jocelyn Racoma (Threat Analyst)

Users anticipating a WebEx conference who open the invitation without verifying its legitimacy risk downloading variants of a notorious information-stealing malware.

Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).

The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening it because it appears to be an alert from a business tool they use often. The second sample, on the other hand, is a spoofed PayPal email that features transaction details. Curious users who click these details are then directed to the webpage hosting the rogue Flash update file.

The site in question is a spoofed Adobe Flash Player update page. To the undiscerning eye it may pass for the real Adobe Flash Player website, as it is an exact copy of the legitimate Adobe site. A closer look at the site’s address, however, reveals that it is anything but authentic. As threat engineer Roddell Santos observed, the creators of these spoofed sites even went to great lengths to imitate the drop-down menu of the real Flash page.

Once executed, TSPY_FAREIT.SMC drops variants of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. As you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. The stolen information is then used to initiate transactions without the users’ knowledge or is peddled in the underground market for the right price.

During our investigation, we found the following domains to be hosting this rogue Adobe Flash update:

Sadly, it’s not a stretch to say that there may be more of these malicious pages out there.
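As an added example (not Trend Micro's code), a proxy-log check that generalizes the pattern the post describes: every rogue host served the same path, /adobe/update_flash_player.exe, from a bare IP address or a lookalike domain rather than from adobe.com. The allowlist, the log line format and the sample lines are assumptions constructed for the example, not indicators from the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Path shared by every rogue host listed in the post.
ROGUE_PATH = "/adobe/update_flash_player.exe"
ADOBE_DOMAINS = ("adobe.com",)  # assumption: the only legitimate source

def is_adobe_host(host):
    """Suffix match on a label boundary, so adobe.com.example.net fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True

def classify_url(url):
    """Return a reason if the URL fits the rogue-update pattern, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.path.lower() != ROGUE_PATH or is_adobe_host(host):
        return None
    if is_ip_literal(host):
        return "rogue update path served from a bare IP address"
    if host.split(".")[0].isdigit():  # "2.<name>.com" style hosts seen in the post
        return "rogue update path on a numeric-prefixed lookalike host"
    return "rogue update path on a non-Adobe host"

def scan_proxy_log(lines):
    """Return (client, url, reason) per flagged line of '<ts> <client> GET <url> <status>'."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 5 and (reason := classify_url(f[3])):
            hits.append((f[1], f[3], reason))
    return hits

# Constructed sample lines: RFC 5737 addresses and example.* names, not real IoCs.
SAMPLE_LOG = [
    "2012-10-16T14:04:01 10.0.0.5 GET http://203.0.113.10/adobe/update_flash_player.exe 200",
    "2012-10-16T14:05:12 10.0.0.7 GET http://2.example-foundation.com/adobe/update_flash_player.exe 200",
    "2012-10-16T14:06:30 10.0.0.9 GET http://adobe.com.example.net/adobe/update_flash_player.exe 200",
    "2012-10-16T14:07:44 10.0.0.5 GET https://get.adobe.com/flashplayer/ 200",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(client, reason, url)
```

The third sample line shows why the allowlist must match on a label boundary: a host that merely begins with adobe.com is still flagged.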

Right Platform and Timing Are Everything

Though malicious pages spoofing popular software vendors like Adobe are not unheard of, the timing of these pages is highly suspicious. Adobe had just released an update for Flash to its customers, and the bad guys used this software release as the vehicle to deliver ZeuS/ZBOT variants to unsuspecting users.

The use of WebEx in these spoofed emails is also fishy. WebEx is a popular business conferencing and meeting technology in the corporate world, and employees receive on average 100 emails per day, making email the top business communication tool. Just a coincidence? We highly doubt it. We believe the perpetrators of this threat are likely targeting businesses and their employees.

To avoid downloading ZeuS/ZBOT variants and other malware, users should always be careful before clicking links that arrive via email messages, private messages (PM) and other forms of communication. For enterprises, it is best to educate users on responsible email communication and how to be discerning of the messages they receive. To know more, you may refer to our primer Are Your Business Communications Secure?

Trend Micro Smart Protection Network™ protects users from this threat by blocking these spoofed messages. It also blocks access to the fake Adobe sites and detects and deletes the malware components.

With additional analysis from Roddell Santos

Update as of October 16, 10:52 PM PST

We observed a Blackhole Exploit Kit (BHEK) spam run mimicking a Facebook notification that leads to a site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM), which drops ZeuS/ZBOT variants. Do not expect such spam runs to fade soon: as senior architecture director Jon Oliver noted, these attacks are continuing at full speed. Users are advised to remain extra careful when clicking links in email messages.
