A special version of Flash for China turned into adware

Special version of Flash for China

Many users and cybersecurity specialists have discovered that a special version of Flash for China has turned into adware.

As you know, support for Adobe Flash Player finally ended at the beginning of 2021. A self-destruct mechanism had been built into the software in advance, and since January 12, 2021, Adobe has blocked the launch of any Flash content.

However, in China, Adobe has allowed the local distributor Zhong Cheng Network to continue Flash support, as Flash is still an important part of the local IT ecosystem and is widely used in both the public and private sectors. For example, at the beginning of the year, Chinese railway workers faced serious problems when Flash support ended.

A special Chinese version of Flash is distributed through the flash[.]cn website, and Minerva Labs recently discovered that it is insecure.

“It is important to mention that the file is signed by ‘Zhong Cheng Network’, which is a distributor of Adobe’s software in China. The binary contains an embedded DLL encrypted inside its data section, which is reflectively loaded and executed,” Minerva Labs specialists report.

According to the researchers, other payloads reach users’ machines along with Flash itself. In particular, the application downloaded the nt.dll file and launched it inside the FlashHelperService.exe process, which opens a new browser window at regular intervals and shows various sites with a lot of ads and pop-ups.

The suspicious behavior of this process was also noticed by Cisco Talos analysts, who noted that FlashHelperService.exe became one of the leading threats in January, and then in February.
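A hunting sketch for the behaviour described above, added here as an example and not taken from Minerva Labs, Cisco Talos or the software's distributor: it flags nt.dll loaded inside FlashHelperService.exe and browser launches by that process at near-constant intervals. The Sysmon-style event fields, hosts, paths, the 30-minute interval, the browser list and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from ntpath import basename  # splits Windows paths on any OS

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed list
HELPER, MODULE = "flashhelperservice.exe", "nt.dll"  # names reported in the article
SVC = r"C:\Sample\FlashHelperService.exe"  # constructed path
CHROME = r"C:\Sample\chrome.exe"           # constructed path

# Constructed sample events (Sysmon-style: 1 = process create, 7 = image load).
# Hosts, paths and timestamps are invented for this example.
EVENTS = [
    {"id": 7, "host": "ws-01", "time": "2021-02-01T09:00:05", "image": SVC,
     "loaded": r"C:\Sample\nt.dll"},
    {"id": 7, "host": "ws-01", "time": "2021-02-01T09:00:05", "image": SVC,
     "loaded": r"C:\Windows\System32\ntdll.dll"},  # legitimate system DLL
    {"id": 1, "host": "ws-02", "time": "2021-02-01T09:45:00", "image": CHROME,
     "parent": r"C:\Windows\explorer.exe"},        # user-started browser
] + [
    {"id": 1, "host": "ws-01", "time": "2021-02-01T" + t, "image": CHROME, "parent": SVC}
    for t in ("09:30:00", "10:00:10", "10:30:00")
]

def name(path):
    return basename(path).lower()

def module_load_hits(events):
    """Image loads of nt.dll (not the system ntdll.dll) inside the helper process."""
    return [e for e in events if e["id"] == 7
            and name(e["image"]) == HELPER and name(e["loaded"]) == MODULE]

def periodic_browser_spawns(events, min_spawns=3, jitter_s=60):
    """Map host -> mean gap in seconds where the helper starts browsers on a timer."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 1 and name(e["parent"]) == HELPER and name(e["image"]) in BROWSERS:
            times[e["host"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for host, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        # Require several launches whose spacing differs by no more than jitter_s.
        if gaps and len(ts) >= min_spawns and max(gaps) - min(gaps) <= jitter_s:
            hits[host] = round(sum(gaps) / len(gaps))
    return hits

if __name__ == "__main__":
    print(module_load_hits(EVENTS))
    print(periodic_browser_spawns(EVENTS))
```

Matching on the exact module name keeps ntdll.dll out of the results, and the parent-process check leaves browsers started by the user unflagged.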

Users noticed this problem too. Numerous complaints can already be found on the Adobe Support Forum, local blogs, and more.

“Most enterprises with a Chinese office had this service installed in their organizational network. If this framework was used with a malicious intent, an attacker will have an initial foothold in many organizations,” Minerva Labs researchers wrote.

Let me remind you that the authorities of South Africa have created their own browser to continue using Flash.

By Vladimir Krasnogolovy
