Chinese version of Flash installs an advertising program and is exposed as having serious security problems

Security company Minerva Labs has published a report describing its investigation of the Chinese version of Flash.

According to the report, over the past few months Minerva Labs received multiple alerts indicating that an executable named FlashHelperService.exe might contain malicious code. It therefore decided to investigate the binary to determine whether this was a false positive or real malware.

Minerva Labs points out that the binary is signed by "Zhong Cheng Network", that is, Zhongcheng Network Technology Co., Ltd., Adobe's strategic partner in China and the company solely responsible for the distribution and operation of Adobe Flash Player there.

Adobe stopped updating and distributing Flash after December 31, 2020. Its domestic agent Zhongcheng Network then announced the launch of Adobe Flash Player for China, stating that it would remain responsible for the exclusive official release of Flash in China after 2020 and would provide support for the Chinese version, including downloads of the latest version, operation, and technical maintenance services.


Minerva Labs downloaded Flash from flash.cn for its investigation. After binary analysis and reverse engineering, it found that, besides installing Flash, the Chinese version also downloads and runs a binary named nt.dll, which is loaded into FlashHelperService and opens pop-up windows at scheduled times.

After examining the payload further, Minerva Labs found that its ultimate purpose resembled adware, but with a worrying twist: the file contains a general-purpose binary distribution framework that an attacker could use to load malicious code, effectively bypassing traditional AV signature checks on files at rest, since the payload is fetched and run at runtime rather than shipped inside the installer. Because many companies have Flash installed, the consequences of genuine malicious use would be severe.
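The behaviour described above (a signed service process that fetches a DLL at runtime, writes it to disk and then loads it) is exactly what a file-at-rest signature scan of the installer misses, so a defender hunts for it behaviourally. The following is an added example, not code from Minerva Labs, Zhongcheng Network or the original article: a small hunting rule that correlates "file written by the service" with "image loaded by the service" and also flags unsigned modules. The event format, field names, timestamps and file paths are constructed for the example and only loosely follow Sysmon's FileCreate (Event ID 11) and ImageLoad (Event ID 7) events; they are not real telemetry.

```python
"""Hunting rule: a host process (default FlashHelperService.exe) that writes a
DLL to disk and loads it shortly afterwards, or loads any unsigned DLL.

Everything below is constructed for illustration. Field names only loosely
mirror Sysmon Event ID 11 (FileCreate) and Event ID 7 (ImageLoad); paths and
timestamps are made up and are not taken from the Minerva Labs report.
"""

from datetime import datetime, timedelta

# Constructed sample events (simplified Sysmon-like dicts), in arrival order.
SAMPLE_EVENTS = [
    # benign: the service loads one of its normal, signed OS dependencies
    {"ts": "2021-02-10T09:00:01", "id": 7,
     "image": r"C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe",
     "loaded": r"C:\Windows\SysWOW64\kernel32.dll",
     "signed": True, "signature": "Microsoft Windows"},
    # suspicious: the service writes a DLL into its own directory ...
    {"ts": "2021-02-10T09:00:05", "id": 11,
     "image": r"C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe",
     "target": r"C:\Windows\SysWOW64\Macromed\Flash\nt.dll"},
    # ... and loads it one second later, unsigned
    {"ts": "2021-02-10T09:00:06", "id": 7,
     "image": r"C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe",
     "loaded": r"C:\Windows\SysWOW64\Macromed\Flash\nt.dll",
     "signed": False, "signature": ""},
    # unrelated process doing the same pattern must not be reported for this host
    {"ts": "2021-02-10T09:01:00", "id": 7,
     "image": r"C:\Program Files\Editor\editor.exe",
     "loaded": r"C:\Program Files\Editor\lexer.dll",
     "signed": True, "signature": "Editor Vendor"},
]


def find_write_then_load(events, host_name="flashhelperservice.exe",
                         window=timedelta(minutes=10)):
    """Return a list of findings for DLLs loaded by `host_name`.

    A load is reported when the same host wrote the file within `window`
    before loading it ("written-then-loaded"), or when the loaded module is
    not signed ("unsigned"). Both reasons may apply to one load.
    """
    written = {}   # lower-cased path -> time the host created it (Event ID 11)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only events whose acting process is the host we are hunting for.
        if not ev["image"].lower().endswith("\\" + host_name):
            continue
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 11:
            written[ev["target"].lower()] = t
        elif ev["id"] == 7:
            path = ev["loaded"].lower()
            reasons = []
            created = written.get(path)
            if created is not None and t - created <= window:
                reasons.append("written-then-loaded")
            if not ev["signed"]:
                reasons.append("unsigned")
            if reasons:
                findings.append({"time": ev["ts"], "host": ev["image"],
                                 "dll": ev["loaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_write_then_load(SAMPLE_EVENTS):
        print(f"{f['time']} {f['dll']} -> {', '.join(f['reasons'])}")
```

The rule keys on behaviour rather than on a hash of nt.dll, because a framework that fetches its payload at runtime can swap that payload at will; a hash-based indicator would go stale immediately. Restricting the correlation to the same host process keeps ordinary installers and updaters, which also write and load DLLs, from flooding the results.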


Source: www.oschina.net/news/131204/the-curious-case-of-flashhelperservice