Here’s a site offering up an “important update” for Adobe Flash that is so determined to have you download something it’ll launch no less than three pop-up prompts at once.
Presenting “flash-install(dot)ru”, which is listed in a .ru Whois registry as having been “created 2014.03.05”.
That seems a touch excessive to me. The no doubt somewhat off-kilter Google Translation of one of the boxes reads as follows:
Update available for Mozilla Firefox:Flash Player 12.0.0.44
It is recommended to update Flash Player as soon as possible.
Attention! if you are not using the latest version of Flash Player, your version may contain vulnerabilities that could be used to attack your computer, which can lead to theft of important personal data ..
Clicking through all of the boxes will (eventually) serve up an executable from
jiojhijo(dot)cf/files/installer(dot)exe
From there, additional URLs and files are called out to, keeping this show on the road. The Malwr sandbox report makes for good reading, and lists the following HTTP requests:
mrfc(dot)by
jiojhijo(dot)cf
coca(dot)su:15170
On the Dropped Files tab (there are many of them, though the ones that show up on VirusTotal are flagged as “Probably harmless! There are strong indicators suggesting that this file is safe to use”) we can see a file called “Minerd.exe”, with an MD5 of
ea5c563db06d96b90141698afd27f2fc
The VirusTotal report for that one pegs it at 36 / 50, and the file is – as the name suggests – a Bitcoin mining program. Users of Malwarebytes Anti-Malware will find we detect the initial file – installer.exe – as Trojan.Crypt.NKN. We also detect the “Minerd” file as PUP.BitCoinMiner.
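The hosts and the Minerd.exe hash above are the indicators a defender would want to sweep for. The script below is an added example (not part of the original post or Malwarebytes tooling): it refangs the post's “(dot)” notation, checks constructed proxy log lines against those hosts (respecting the non-standard port on coca.su), and compares a file's MD5 with the quoted hash. The log format is an assumption.

```python
import hashlib
import re

# Indicators quoted in the post, kept in its defanged "(dot)" form.
DEFANGED_HOSTS = ["flash-install(dot)ru", "jiojhijo(dot)cf",
                  "mrfc(dot)by", "coca(dot)su:15170"]
MINERD_MD5 = "ea5c563db06d96b90141698afd27f2fc"  # Minerd.exe, from the post


def refang(indicator):
    """Turn 'host(dot)tld[:port]' into (host, port); port is None if absent."""
    host, _, port = indicator.replace("(dot)", ".").lower().partition(":")
    return host, (int(port) if port else None)


IOC_HOSTS = {refang(i) for i in DEFANGED_HOSTS}

# Assumed (constructed) proxy log format: "<ts> <client> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_HOST = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?")


def hits_in_proxy_log(lines):
    """Return (client, host, port) for each request to an indicator host.
    A host-only indicator matches any port; one carrying a port
    (coca.su:15170) matches only traffic to that port."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        u = URL_HOST.match(m.group(4)) if m else None
        if not u:
            continue  # malformed line, or not an http(s) URL
        scheme, host, port = u.group(1), u.group(2).lower(), u.group(3)
        port = int(port) if port else (443 if scheme == "https" else 80)
        if (host, None) in IOC_HOSTS or (host, port) in IOC_HOSTS:
            hits.append((m.group(2), host, port))
    return hits


def is_known_minerd(data):
    """True if the file bytes hash to the Minerd.exe MD5 quoted in the post."""
    return hashlib.md5(data).hexdigest() == MINERD_MD5


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2014-03-06T10:00:01 10.0.0.5 GET http://flash-install.ru/ 200",
    "2014-03-06T10:00:09 10.0.0.5 GET http://jiojhijo.cf/files/installer.exe 200",
    "2014-03-06T10:01:30 10.0.0.5 GET http://coca.su:15170/ 200",
    "2014-03-06T10:01:31 10.0.0.5 GET http://coca.su/ 200",
    "2014-03-06T10:02:00 10.0.0.7 GET http://example.com/ 200",
]
```

Running `hits_in_proxy_log(SAMPLE_LOG)` flags the first three lines only; the request to coca.su on port 80 is not matched because the post's indicator names port 15170.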
We’ve looked at fake Flash installs before – and whether it’s desktop-based SMS antics or phony YouTube video updates, it pays to only go direct to the source when prompted to update something on your PC. It’s the only way to be sure.
Christopher Boyd