The rogue application is hosted on a bogus Facebook site

Dec 10, 2013 10:32 GMT

Experts have spotted a fake Facebook website that’s designed to trick users into installing a piece of malware by telling them that they need to update their “YouTube Player.”

According to Chris Boyd, who has recently joined Malwarebytes, the bogus Flash Player application is hosted on a .pw website. However, to make everything appear more legitimate, the cybercriminals have created several subdomains (check screenshot).

When installed, the fake Flash Player drops a couple of executable files. One of them appears to attempt to join P2Pool, a decentralized Bitcoin mining pool. However, in this case, the connection fails.

The dropper is detected by Malwarebytes as Trojan.Agent.MNR. The miner is identified as PUP.BitCoinMiner.

Boyd highlights the fact that the fake Flash Player page was also spotted in September 2012 and July 2013.

Users are advised to install Flash Player only from trusted websites. If you want to mine for Bitcoins, make sure you download miners only from reputable sources. Finally, try to avoid .pw domains since they’re increasingly used by cybercriminals.

For additional details on this scam, check out Malwarebytes’ blog.