While fake Flash updates are typically poorly disguised, a campaign that emerged in August 2018 is using pop-up notifications borrowed from the official Adobe installer, according to Unit 42, the threat intelligence team at Palo Alto Networks.
As well as installing the XMRig cryptocurrency miner, the fake installer also updates the victim's Flash Player to the latest version, so the update appears to be legitimate.
As a result, victims are less likely to notice anything unusual: the update behaves as expected, while the XMRig miner or another unwanted program runs quietly in the background on the victim's Windows computer.
However, the researchers said that because these downloaded files are not signed by Adobe, potential victims will still see a Windows warning about running a file from an unknown publisher, and so should not ignore such warnings.
Unit 42 has previously reported that 5% of all Monero in circulation has been mined through malicious activity, and security firm McAfee reported 629% growth of illicit cryptocurrency mining – known as cryptojacking – in the first quarter of 2018 alone.
The researchers discovered the credible-looking campaign when they noticed Windows executables with file names starting with adobeFlashPlayer being downloaded from non-Adobe, cloud-based web servers.
Using a common text string that appears in the URLs of these downloads, the researchers were able to find 113 malware samples dating back to March 2018.
More than two-thirds of these samples were identified as crypto miners, and the remaining samples had some characteristics associated with crypto miners.
Although this campaign hides the distribution of cryptocurrency miners and other unwanted programs behind a legitimate-looking update, organisations with "decent web filtering" and educated users have a much lower risk of infection by these fake updates, Palo Alto Networks said in a blog post.