October 12, 2018

Fake Adobe Flash Malware Contains Update and Cryptocurrency Miner

"Network traffic during the infection consisted mainly of the Flash update"

By CBR Staff Writer

Threat actors are hiding cryptocurrency mining malware in fake Adobe Flash updates that actually update Flash to the current version.

The malware borrows the design and look of the pop-up notifications used by the official Adobe installer, and to many users it may look and act exactly as an official update would.

However, once installed on a computer, the malware downloads the cryptocurrency miner XMRig, which then runs in the background of the infected system, draining energy and processing power.

The malware was first discovered by Palo Alto Networks’ threat intelligence division Unit 42.

Writing about their discovery in a blog post, analyst Brad Duncan said: “While searching for these particular fake Flash updates, we noticed Windows executable file names starting with AdobeFlashPlayer__ from non-Adobe, cloud-based web servers.”

He added: “We found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables.”

Fake Adobe Flash

Unit 42 found that this particular malware has been active since early August 2018.


Duncan ran the malware on a host system in a test environment running Windows 7 Service Pack 1. During these tests he found that Windows’ security system flags the content as coming from an unknown publisher, with its standard warning; something he notes unsuspecting victims often just click past.

Mr Duncan found that: “Network traffic during the infection consisted mainly of the Flash update. But my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444.”
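The two indicators the article describes, executables named AdobeFlashPlayer__* served from non-Adobe hosts and outbound connections on TCP port 14444, can be turned into a simple detection pass over proxy or firewall logs. The example below is added here and is not code from Unit 42 or the article; the log line format, the trusted-domain rule (only *.adobe.com) and the sample lines are all constructed assumptions for illustration.

```python
import re
from collections import namedtuple

# Constructed sample log lines (not from the article):
# "<timestamp> <src_ip> <dst_host>:<dst_port> <method> <url>"
SAMPLE_LOGS = """\
2018-10-01T10:00:01 10.0.0.5 get.adobe.com:443 GET https://get.adobe.com/flashplayer/download/
2018-10-01T10:00:09 10.0.0.5 storage.example-cloud.invalid:443 GET https://storage.example-cloud.invalid/x/AdobeFlashPlayer__31.0.0.108.exe
2018-10-01T10:01:22 10.0.0.5 203.0.113.7:14444 CONNECT -
2018-10-01T10:02:00 10.0.0.6 www.example.org:443 GET https://www.example.org/index.html
"""

OFFICIAL_ADOBE_DOMAIN = "adobe.com"  # assumption: the only trusted origin for Flash installers
MINER_PORT = 14444                   # TCP port the article reports carrying XMRig traffic

LINE_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+):(\d+) (\S+) (\S+)$")

Finding = namedtuple("Finding", "ts src rule detail")


def is_official_host(host):
    """True when the host is adobe.com or one of its subdomains."""
    host = host.lower()
    return host == OFFICIAL_ADOBE_DOMAIN or host.endswith("." + OFFICIAL_ADOBE_DOMAIN)


def analyse(log_text):
    """Return a Finding for every log line matching one of the two indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, host, port, method, url = m.groups()
        filename = url.rsplit("/", 1)[-1].lower()
        # Rule 1: AdobeFlashPlayer__*.exe fetched from a host that is not Adobe's
        if filename.startswith("adobeflashplayer__") and filename.endswith(".exe") \
                and not is_official_host(host):
            findings.append(Finding(ts, src, "fake-flash-download", f"{filename} from {host}"))
        # Rule 2: outbound connection to the port the miner was seen using
        if int(port) == MINER_PORT:
            findings.append(Finding(ts, src, "xmrig-port", f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f.ts, f.src, f.rule, f.detail)
```

In a real deployment the port rule needs an allow-list (legitimate services may use 14444) and the filename rule should be paired with the unknown-publisher signature check the article mentions.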


This type of malware can catch many enterprises off guard because of the legitimate look of the Adobe pop-up update request. The fact that the download does actually update the system to the current version of Flash also lends legitimacy to the attack.

Enterprises should always check that they are updating their products through official channels rather than reacting to online prompts, which may come from malicious sources. This malware shows that an unofficial update may still update the product, leaving you completely unaware that your system is being used by a threat actor.
