It has been discovered that fake Adobe Flash updates are being used to surreptitiously install cryptocurrency mining malware on computers and networks, creating severe losses in time, system performance, and power consumption for affected users.
Cryptojacking Breaks New Ground
While fake Flash updates that push malware have traditionally been easy to spot and avoid, a new campaign has employed new tricks that stealthily download cryptocurrency miners on Windows systems.
Writing in a post exposing the scheme, Unit 42 threat intelligence analyst Brad Duncan said:
Join CCN for $9.99 per month and get an ad-free version of CCN including discounts for future events and services. Support our journalists today. Click here to sign up.
“As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”
The implication of this unpleasant scenario is that a potential victim may not notice anything out of the ordinary while an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer. This miner software could potentially slow down the processor of the victim’s computer, damage the hard drive, or extract confidential data and transmit it onto other digital platforms without the victim’s consent.
Technical Details of Fake Adobe Update Cryptojacking Malware
Duncan explained that it was not very clear how potential victims were arriving at the URLs delivering the fake Flash updates; however, network traffic during the infection process has been primarily related to fraudulent Flash updates. Interestingly, the infected Windows server generates an HTTP POST request to [osdsoft[.]com], a domain affiliated with updaters or installers pushing cryptocurrency miners.
He said while the research team searched for certain particular fake Flash updates, it observed some Windows executables file with names starting with Adobe Flash Player from non-Adobe, cloud-based web servers. These downloads usually had the string “flashplayer_down.php?clickid=” in the URL. The teams also found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables.
Duncan encouraged Windows users to be more cautious about the kind of Adobe Flash updates that they try to install, stating that while the Adobe pop-up and update features make the fake installer seem more legitimate, potential victims will still receive warning signs about running downloaded files on their Windows computer.
In his words:
“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
Featured Image from Shutterstock