Without verifying its legitimacy, users who may be anticipating a WebEx conference are at risk of downloading variants of a notorious info stealing malware.
Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are lead to a malicious site hosting TSPY_FAREIT.SMC. Employees may be trick into opening this as it appears to be an alert coming from a business tool they often use. The second sample, on the other hand, is a spoofed PayPal email that features transaction details. Curious users who click these details are then directed to the webpage hosting the rogue Flash update file.
The said site in question is a spoofed Adobe Flash Player update. To the undiscerning eye, this site may pass off as the real Adobe Flash Player website as it is an exact copy of the legitimate Adobe site. But looking closer into the site’s address, reveals that it is everything but authentic. Also, as threat engineer Roddell Santos observed, the creators of these spoofed sites went to great lengths to imitate the drop down menu of the real Flash page.
Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. If you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. These stolen information are then used to initiate transactions without users knowledge or are peddled in the underground market for the right price.
During our investigation, we found the following domains to be hosting this rogue Adobe Flash update:
- http://{BLOCKED}.{BLOCKED}.101.197/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.57.66/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.209.165/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.100.224/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.102.189/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.102.218/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.223.77/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.251.32/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.171.159/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.151.54/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.159.108/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.159.121/adobe/update_flash_player.exe
- http://2.{BLOCKED}oundation.com/adobe/update_flash_player.exe
- http://2.{BLOCKED}ms-farm.com/adobe/update_flash_player.exe
- http://26.{BLOCKED}cemovers.com/adobe/update_flash_player.exe
- http://27.{BLOCKED}veestimate.com/adobe/update_flash_player.exe
- http://3.{BLOCKED}3.mobi/adobe/update_flash_player.exe
- http://3.{BLOCKED}ll.mobi/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.101.192/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.40.93/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.194.233/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.234.192/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.112.246/adobe/update_flash_player.exe
- http://{BLOCKED}.{BLOCKED}.25.255/adobe/update_flash_player.exe
- http://2.{BLOCKED}d.org/adobe/update_flash_player.exe
- http://25.{BLOCKED}cmobility.net/adobe/update_flash_player.exe
- http://4.{BLOCKED}n.in/adobe/update_flash_player.exe
Sadly, it’s not a stretch to say that there may be more of these malicious pages out there.
Right Platform and Timing Are Everything
Though malicious pages spoofing popular software vendors like Adobe are not unheard of, the timing of these pages is highly suspicious. Just recently, Adobe released their update for Flash to customers. The bad guys used this software release as the right vehicle to deliver ZeuS/ZBOT variants to unsuspecting users.
The use of WebEx in these spoofed emails is also fishy. WebEx is a popular business conference/meeting technology in the corporate world. And we all know that on the average, employees receive 100 emails per day, making email the top business communication tool. Just a coincidence? We highly doubt it. We believe that the perpetrators of this threat are likely targeting businesses and employees.
To avoid downloading ZeuS/ZBOT variants and other malware, users should always be careful before clicking links that may come via email messages, private messages (PM) and other form of communication. For enterprises, it is best to educate users on responsible email communication and how to be discerning of the messages they receive. To know more, you may refer to our primer Are Your Business Communications Secure?
Trend Micro Smart Protection Network™ protects users from this threat by blocking these spoofed messages. It also blocks access to the fake Adobe sites and detects and deletes the malware components.
With additional analysis from Roddell Santos
Update as of October 16, 10:52 PM PST Time
We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants. Also, expect that such spam runs won’t be fading soon. As senior architecture director Jon Oliver noted, these attacks are continuing at full speed. As such, users are advised to be continuously extra careful with clicking links on email messages.
