Several Skype users have so far complained about fake ads that, once triggered, lead to ransomware attacks. The ads were served through Microsoft’s Skype application, and the news came to light in a Reddit thread this Wednesday.
One Skype user complained on Reddit about a fake ad campaign appearing on the home page of the Skype app. According to the report, the ad started the download of an HTML application (an .hta file) when triggered. The application was designed to look like the real thing, but once opened it would download a malicious payload. The user’s computer would then be locked and the files encrypted and held for ransom.
Several other users reported similar problems with Skype ads, and at least two of them had already had the same “fake Flash ad” experience. The user who started the thread fortunately recognised the application as malicious. Instead of opening it, the user took the file apart and posted its code, after which several experts were asked to inspect and explain it.
Skype wasn't any good for years, and now it begins spamming its ads via messaging without an option to turn it off
— ksen (@ksen_otaku) March 23, 2017
Ali-Reza Anghaie, the co-founder of Phobos Group, which is a cyber-security firm hired to investigate the attack, has said that this was a so-called “two-stage dropper”, and explained that “It’s effectively the utility component of the malware that then decides what else to do based on the command and control it connects to.”
He added that it is not possible to determine what the next command was, since the command-and-control domain no longer exists, and that in 99% of cases attacks like this lead to ransomware.
It has been suggested that this attack is probably a spin-off of the ransomware campaign known as Locky, which used a similar attack to lock screens and was one of the biggest threats last year. Another malware sample delivered in the same way was uploaded to IBM’s X-Force, and the connection between the two was discovered through patterns in the web addresses used in the attack.
The exact number of domains used for these attacks is unknown, but each of them is believed to have been registered quickly and deregistered soon afterwards, so that the attacker would not have to pay for it and to hinder further research.
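The three details the article gives about the campaign, an HTML application (.hta) download triggered from an ad, a dropper that only acts after reaching its command-and-control domain, and domains that were registered and dropped within days, are exactly the signals a defender can look for in proxy logs. The script below is an added example, not code from the article, from Phobos Group, or from any of the researchers mentioned. The log lines, client addresses, hostnames and domain registration dates are all constructed for illustration; in practice the registration dates would come from a WHOIS or RDAP lookup, which this example replaces with a hypothetical in-memory table so that it runs offline.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the article):
# timestamp, client address, requested URL, MIME type returned by the server.
SAMPLE_LOG = """\
2017-03-22T10:01:12Z 10.0.0.15 https://cdn.example-ads.net/banner/skype-home.js application/javascript
2017-03-22T10:01:14Z 10.0.0.15 https://flash-update-now.example/download/FlashPlayer.hta application/hta
2017-03-22T10:03:40Z 10.0.0.22 https://www.example.com/docs/report.pdf application/pdf
2017-03-22T10:05:02Z 10.0.0.15 https://get-player-update.example/setup.hta application/hta
"""

# Hypothetical registration dates standing in for a WHOIS/RDAP lookup.
# A domain registered only days before it serves an executable download is
# a classic sign of the throwaway infrastructure described in the article.
REGISTRATION_DATES = {
    "flash-update-now.example": date(2017, 3, 21),
    "get-player-update.example": date(2016, 1, 10),
    "www.example.com": date(1995, 8, 14),
    "cdn.example-ads.net": date(2012, 5, 2),
}

# Domains younger than this (in days) are treated as newly registered.
MAX_DOMAIN_AGE_DAYS = 7


@dataclass
class ProxyEvent:
    when: datetime
    client: str
    url: str
    mime: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_log(text: str) -> List[ProxyEvent]:
    """Parse the simple space-separated proxy format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, mime = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ProxyEvent(when, client, url, mime))
    return events


def is_hta_download(ev: ProxyEvent) -> bool:
    """An HTML application is flagged by MIME type or by file extension,
    because either one alone can be spoofed by the serving site."""
    path = urlsplit(ev.url).path.lower()
    return ev.mime.lower() == "application/hta" or path.endswith(".hta")


def domain_age_days(host: str, seen_on: date, registry=REGISTRATION_DATES) -> Optional[int]:
    """Days between registration and the observed request; None if unknown."""
    registered = registry.get(host)
    if registered is None:
        return None
    return (seen_on - registered).days


def find_suspicious(text: str, registry=REGISTRATION_DATES,
                    max_age: int = MAX_DOMAIN_AGE_DAYS) -> List[Tuple[str, str, str]]:
    """Return (client, host, severity) for every HTA download.

    'high'   : HTA served by a domain that is newly registered or has no
               registration record at all (already deregistered).
    'medium' : HTA served by an established domain; still worth a look,
               since an ad network should not be delivering HTA files.
    """
    hits = []
    for ev in parse_log(text):
        if not is_hta_download(ev):
            continue
        age = domain_age_days(ev.host, ev.when.date(), registry)
        severity = "high" if age is None or age <= max_age else "medium"
        hits.append((ev.client, ev.host, severity))
    return hits


if __name__ == "__main__":
    for client, host, severity in find_suspicious(SAMPLE_LOG):
        print(f"{severity.upper():6} {client} fetched an HTA from {host}")
```

Running the block on the constructed log reports two HTA downloads by the same client: one rated high because the serving domain was registered the day before, and one rated medium from an older domain. A domain that has already been deregistered, as the article says happened here, yields no registration record and is rated high for the same reason as a brand-new one.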
Several attacks have come through Skype ads in the past, for example in 2015, when a similar attack occurred. Reports of similar attacks involving the Angler exploit kit were received last year, when a malicious ad campaign was delivered through fake ads. Microsoft has yet to give an official statement about these attacks.