The relentless group pushing malicious downloaders that are crafted most often to appear as video codecs and also are packaged with cracks, underground key generators, and blackhat SEO schemes, this week have moved to serving up their warez from 220.127.116.11 to 18.104.22.168. The server now hosts files similarly named to “flash-plugin_update.45031.exe” (that number in the name changes per download).
A number of domains resolve to that ip address 22.214.171.124:
ThreatFire is preventing the malicious downloaders in high volumes and currently is the most reliable solution for detecting this family. Scanning the files as they are downloaded and run by users shows dismal detection rates, as the downloaders evade detection with frequent repacking and obfuscation. Be sure to add a behavioral solution that can definitively recognize entire families of malware like this one reliably, and do your best to ensure that the software that you are downloading and installing is coming from a trustworthy source.