F-Secure researchers have spotted a large number of Trojan.JS.Blacole.Gen infections in recent days. A closer analysis has revealed an interesting malware distribution campaign.
According to the experts, cybercriminals have compromised a number of websites, 40% of which are from Germany. They took the scripts on these sites and added malicious code to them.
When users visit the infected sites, they get redirected to a page that instructs them to update their Flash Player in order to gain access to the content.
If the victim clicks on one of the Download Now links, a file called flashplayer.exe is downloaded from a SkyDrive account. When the user executes this file, a window that reads “Installing latest Flash Player” is displayed.
In the meantime, another piece of malware is downloaded from the same SkyDrive account.
Additional technical details on this attack can be found on F-Secure’s blog.