Fake Flash Player update sites have long been a favorite distribution method for adware and other unwanted programs. Today, a fake Flash update site was discovered by ExecuteMalware that is pushing the Locky ransomware. When someone visits the site they will be presented with a page that states that Flash Player is out of date and then automatically downloads an executable. If you look carefully at the URL in the browser's address you can see that the domain of fleshupdate.com does not seem to be spelled right.
The executable automatically downloaded by this site is named FlashPlayer.exe and includes a flash player icon as seen below.
If you look at the properties of this file, though, things start to look strange.
Ultimately, if a user runs this program thinking that Flash will be updated they will be in for a big surprise. Instead of a flash player update, they will ultimately be shown a Locky ransom note when the ransomware has finished encrypting the victim's files.
Verbose: 0 The file is a PE EXE affilID: 13 Seed: 9841 Delay: 30 Persist Svchost: 0 Persist Registry: 0 Ignore Russian Machines: 1 CallbackPath: /message.php C2Servers: 188.8.131.52,184.108.40.206,220.127.116.11 RsaKeyID: 85D RsaKeySizeBytes: 114 Key Alg: A400 Key: RSA1 Key Bits: 2048 Key Exponent: 10001
As you can see, it is not only attachments and exploit kits pushing ransomware. Everyone needs to be vigilant and careful when browsing the web. Furthermore, program updates should only be downloaded from their main product sites rather than 3rd party sites where you have no idea what you are installing.