There's a new site offering up an "important update" for Flash which is so determined to have you download something it'll launch no less than three pop-up prompts at once.
Now presenting "flash-install.ru", which is listed in a .ru Whois registry as having been "created 2014.03.05".
The no-doubt somewhat off-kilter Google Translation of the boxes reads as follows:
- Update available for Mozilla Firefox:
- Flash Player 126.96.36.199
- It is recommended to update Flash Player as soon as possible.
- Attention! if you are not using the latest version of Flash Player, your version may contain vulnerabilities that could be used to attack your computer, which can lead to theft of important personal data.
Clicking through all of the boxes will (eventually) serve up an executable from:
From there, additional URLs and files are called out to and keep this show on the road. The Malwr sandbox report makes for good reading, and lists the following http requests:
on the Dropped Files tab (of which there are many, though the ones showing on VirusTotal are flagged as "Probably harmless! There are strong indicators suggesting that this file is safe to use") we can see a file called "Minerd.exe", with an MD5 of:
The VirusTotal report for that one pegs it at 36 / 50, and is - as the name suggests - a Bitcoin mining program. Malwarebytes detects the initial file - installer.exe - as Trojan.Crypt.NKN. We also detect the "Minerd" file as PUP.BitCoinMiner.
We've looked at fake Flash installs before - and whether desktop-based SMS antics or phony Youtube video updates, it pays to go direct to the source when prompted to update something on your PC.
It's the only way to be sure.
Christopher Boyd is a malware intelligence analyst at Malwarebytes.