After the end of Flash support, a Flash Player is being offered for download on a website in China that behaves like adware and opens browser windows to display advertisements. This case, uncovered by security researchers, shows how risky downloading software from unofficial sites has become, even when the site's address is as plausible-sounding as flash[.]cn.
I am including the case here in the blog to show that the dangers lurk everywhere. Very few blog visitors will have any need for a Chinese Flash Player. But some may be looking for a Flash Player that still works, and they may fall into similar traps.
Background: Flash support ends 2020
Adobe's Flash technology officially reached end of support on Dec. 31, 2020. This did not come as a surprise: Adobe had already announced in July 2017, together with technology partners such as Microsoft, that Adobe Flash Player would no longer be supported after December 2020 (see also my blog post Microsoft: Flash Player will be removable in autumn, support will end in 2021).
Adobe itself shipped a kill switch in a Flash Player update that disables the player as of January 12, 2021. So a Flash Player that is still installed has been non-functional since that date.
On the other hand, some programs and users still rely on a working Flash Player. I showed in the blog post HP Solution Center broken due to missing flash (Jan. 2021) how the end of Flash can hit every user of an HP multifunction printer. And in China, trains suddenly came to a standstill at the beginning of January 2021 because of a Flash Player that had stopped working (see China: Trains grounded after flash support ends Jan. 12, 2021). There, people helped themselves by installing an older version of Flash Player and blocking updates. In the German edition of the latter post, German blog reader Steter Tropfen pointed out in this comment that individual companies are allowed to continue using Flash and to distribute a working player:
Chongqing Zhongcheng Network Technology Co. (…) is the official distribution partner for Adobe Flash Player in mainland China only. Adobe will support Zhongcheng's exclusive distribution and maintenance of Flash Player within mainland China beyond 2020 for regional developers, enterprises, and end users running Flash-enabled content in applicable operating system environments or browsers.
So it is probably becoming common knowledge among computer users in China that all you have to do to keep running Flash-dependent software is to obtain one of these alternative players.
The infected Flash version
In China there is a site, flash[.]cn, on which an Adobe Flash Player is offered for download that still works after Jan. 12, 2021. Someone has now taken advantage of this, as I learned from the following tweet and the associated ZDNet article by Catalin Cimpanu.
Security researchers warn against downloading Flash Player from the flash[.]cn site, because the version still distributed via that site in China after the EOL has now turned into adware: it opens browser windows at timed intervals and displays ads and popups.
The security company Minerva Labs noticed, via telemetry from its products, which are apparently installed on many Chinese systems, security warnings related to this Chinese Flash Player build. On closer analysis the researchers found that, although the installer did install a working copy of Flash, it also downloaded and executed additional payloads. The compromised version downloaded and executed a file named nt.dll.
(Source: Minerva Labs)
This file was loaded into the FlashHelperService.exe process and periodically opened a new browser window displaying various ad-heavy and pop-up websites. Note that nt.dll is not the legitimate Windows component ntdll.dll, which every Windows process loads; the malicious module simply carries a similar-looking name. The case once again shows how risky it is to download software from an unofficial site, and even vendors' own sites have delivered infected software in supply-chain attacks.
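If you want to check a Windows machine for the behaviour described above, the following PowerShell snippet is an added example of mine; it is not code from the blog post, from Minerva Labs or from ZDNet. It assumes only what the article states: a process named FlashHelperService.exe with a module called nt.dll loaded into it. The file path, hash and download location of nt.dll are not known from the article and are therefore not checked. As a generalization, the script also lists every module in that process whose Authenticode signature is not valid, since an injected ad-loader could just as well use a different file name.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell;
# reading the module list of a process owned by another user needs admin rights.
$suspectProcess = 'FlashHelperService'   # process name reported by Minerva Labs
$suspectModule  = 'nt.dll'               # NOT ntdll.dll, which is a legitimate Windows DLL

function Test-FlashHelperAdware {
    $findings = @()
    $procs = Get-Process -Name $suspectProcess -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Host "No $suspectProcess.exe process is running on this host."
        return $findings
    }
    foreach ($p in $procs) {
        # .Modules throws when a 32-bit process is inspected from a 64-bit session
        # without sufficient rights; report that instead of silently skipping.
        try { $mods = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }
        foreach ($m in $mods) {
            $isNamedHit = $m.ModuleName -ieq $suspectModule
            # Generalization: any unsigned or invalidly signed module in this process is worth a look.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $badSig = (-not $sig) -or ($sig.Status -ne 'Valid')
            if ($isNamedHit -or $badSig) {
                $findings += [pscustomobject]@{
                    PID       = $p.Id
                    Process   = $p.Path
                    Module    = $m.FileName
                    NameMatch = $isNamedHit
                    SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
                    SHA256    = (Get-FileHash -Algorithm SHA256 -Path $m.FileName -ErrorAction SilentlyContinue).Hash
                }
            }
        }
    }
    return $findings
}

$result = Test-FlashHelperAdware
if ($result) {
    $result | Format-List
    Write-Host 'Collect the listed files and hashes for triage before terminating the process.'
} else {
    Write-Host "No nt.dll and no unsigned modules found in $suspectProcess.exe."
}
```

The hash is computed so that a hit can be compared with the indicators Minerva Labs published, which this post does not reproduce; the script deliberately does not kill the process or delete the file, because the sample should be preserved for analysis and the installer that dropped it may put it back.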
Microsoft: Flash Player will be removable in autumn, support will end in 2021
Forced Update KB4577586 removes Flash from Windows 10
Windows 10 Preview Updates (Feb. 16, 2021)
China: Trains grounded after flash support ends Jan. 12, 2021
HP Solution Center broken due to missing flash (Jan. 2021)