Skype Users in Danger Of Fake Ads, Possible Ransomware Attacks

So far, several complaints have been received from Skype users about fake ads that lead to ransomware attacks if triggered. The ads were served through Microsoft’s Skype application, and the news surfaced in a Reddit thread this Wednesday.

One Skype user complained on Reddit about a fake ad campaign appearing on the home page of the Skype app. Apparently, the ad started an HTML application download when triggered. The app was designed to look legitimate, but once opened, it would start downloading a malicious payload. The user’s computer would then be locked and the files encrypted and held for ransom.

Several other users have complained of similar Skype ad issues, and at least two of them had already had the same “fake Flash ad” experience. The user who started the thread fortunately recognized the malicious app. Instead of opening it, the user deconstructed the app and posted its code, after which several experts were asked to inspect and explain it.

According to these experts, this “fake Flash” ad was designed to target Windows devices and to push the download request wherever it could. Once opened, the app triggers obfuscated JavaScript, which then starts a new command line. At this point the app the user opened deletes itself, and a PowerShell command starts running. That command downloads a JavaScript Encoded Script (JSE), usually from a domain that no longer exists. Such disposable domains are used to hide the operations of experienced hackers. All of these steps serve to protect the malware from antivirus tools.
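The chain that paragraph describes, as a defender would look for it in process-creation telemetry: an added example, not part of the article or of the experts’ analysis. It assumes mshta.exe as the Windows host for HTML applications and Sysmon-style fields (pid, parent pid, image, command line); every record, path and domain below is a constructed placeholder.

```python
# Added example (not from the article): flag the infection chain described above
# (HTML application -> command line -> PowerShell fetching a .jse file) in
# constructed, Sysmon-style process-creation records.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int       # parent process id
    image: str      # executable name
    cmdline: str    # full command line


# Constructed sample telemetry; pids, paths and the domain are placeholders.
EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe",      r"mshta.exe C:\Users\u\Downloads\flash_update.hta"),
    ProcEvent(300, 200, "cmd.exe",        "cmd.exe /c (launcher omitted)"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -w hidden http://example.invalid/x.jse"),
    ProcEvent(500, 100, "cmd.exe",        "cmd.exe"),                       # benign shell
    ProcEvent(600, 500, "powershell.exe", "powershell.exe Get-ChildItem"),  # benign PowerShell
]

HTA_HOST = "mshta.exe"   # assumption: Windows host process for .hta files
SHELLS = {"cmd.exe"}


def ancestry(events, pid):
    """Image names from the given process up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def suspicious_powershell(events):
    """PIDs of PowerShell processes launched from a command shell that itself
    descends from the HTA host, whose command line references a .jse payload."""
    hits = []
    for e in events:
        if e.image.lower() != "powershell.exe":
            continue
        parents = ancestry(events, e.pid)[1:]
        if parents and parents[0] in SHELLS and HTA_HOST in parents \
                and ".jse" in e.cmdline.lower():
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    print("suspicious PowerShell pids:", suspicious_powershell(EVENTS))
```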

Ali-Reza Anghaie, co-founder of Phobos Group, the cyber-security firm hired to investigate the attack, said that this was a so-called “two-stage dropper”, and explained: “It’s effectively the utility component of the malware that then decides what else to do based on the command and control it connects to.”

He added that it is not possible to determine what the next command was, since the domain no longer exists, and that in 99% of cases attacks like this lead to ransomware.

It has been said that this attack is probably a spin-off of a ransomware campaign called Locky, which used a similar attack to lock screens and was one of the biggest threats last year. Another malware sample delivered the same way was uploaded to IBM’s X-Force, and the connection between the two was discovered through patterns in the web addresses used in the attack.

The exact number of domains used for these attacks is unknown, but it is believed that each was registered and deregistered soon afterwards, both so that the attacker would not have to pay for it and to hinder further research.

Several attacks have come through Skype ads in the past, for example in 2015, when a similar attack occurred. Similar attacks were reported last year involving the Angler exploit kit, where a malicious ad campaign was let through by fake ads. Microsoft has yet to give any official statement about these attacks.