Threat actors are hiding cryptocurrency mining malware in fake Adobe Flash updates that actually update Flash to the current version.
The malware borrows the design and look of the pop-up notifications for the official Adobe installer and to many users may look and act exactly as an official update would.
However once installed onto a computer the malware downloads the cryptocurrency miner XMRig which then runs in the background of the infected system, draining energy and processing power.
The malware was first discovered by Palo Alto Networks’ threat intelligence division Unit 42.
Writing about their discovery in a blog post analyst Brad Duncan said “While searching for these particular fake Flash updates, we noticed Windows executables file names starting with AdobeFlashPlayer__ from non-Adobe, cloud-based web servers.”
He added: “We found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables.”
Fake Adobe Flash
Unit 42 found that this particular malware has been active since early August 2018.
Duncan ran the malware on a host system in a test environment running Windows 7 Service Pack 1. During these tests he found that Windows’ security systems highlights the content as coming from an unknown publisher, with its standard warning; something he notes unsuspecting victims often just click past.
Mr Duncan found that: “Network traffic during the infection consisted mainly of the Flash update. But my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444.”
This type of malware can catch many enterprises off guard due to the legitimate look of the Adobe pop-up update request. The fact that the download does actually update your systems to the current version of Flash also lends legitimacy to attack.
Enterprises should always check that they updating their products from the official channels rather than reacting to online prompts which may come from malicious sources. This malware shows that the unofficial ones may still update the product leaving you completely unaware that your system is been utilised by a threat actor.