Minerva Labs’ researchers received multiple alerts about suspicious code being unpacked from an executable named FlashHelperService.exe and displaying popups, according to a report published by ZDNet.
Security researchers determined it was a Chinese version of the Adobe Flash Player app that behaved like adware, opening browser windows with ads.
Although Flash Player was formally phased out on December 31, 2020, Adobe gave a Chinese company special permission to continue distributing Flash inside China. The local IT ecosystem still relies heavily on the application, which is widely used in both the public and private sectors.
The Chinese version of the Flash Player is available only on flash.cn. The website belongs to Zhong Cheng Network, the entity authorized by Adobe to distribute Flash in China.
In the subsequent analysis, Minerva Labs’ researchers found that besides installing a benign version of Flash, the app also executed additional payloads.
The app downloaded and ran a file named nt.dll, which was loaded into the FlashHelperService.exe process. At regular intervals, this opened a new browser window showing various ad- and popup-heavy sites.
Notably, one user complained, “Your good company authorised Zhong Cheng Network (“this company”) to distribute Flash Player and provide customer service support in mainland China. But this company implanted a Trojan virus into Flash Player and forces users to install another software which often pops up and collects user information without user permission. Users cannot uninstall this popup software and cannot use a clean Flash Player. Please do withdraw authorisation from this company, and select a trustable distributor in China.”
More alarms came from other security researchers and teams who noticed suspicious activity from FlashHelperService.exe. One of them was Cisco Talos, one of the largest commercial cybersecurity firms in the world.
It’s worth mentioning that this particular threat doesn’t affect users in the West, because a Flash version downloaded from flash.cn won’t work outside China.