View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 12, 2018

Fake Adobe Flash Malware Contains Update and Cryptocurrency Miner

"Network traffic during the infection consisted mainly of the Flash update"

By CBR Staff Writer

Threat actors are hiding cryptocurrency mining malware in fake Adobe Flash updates that actually update Flash to the current version.

The malware borrows the design and look of the pop-up notifications for the official Adobe installer and to many users may look and act exactly as an official update would.

However once installed onto a computer the malware downloads the cryptocurrency miner XMRig which then runs in the background of the infected system, draining energy and processing power.

The malware was first discovered by Palo Alto Networks’ threat intelligence division Unit 42.

Writing about their discovery in a blog post analyst Brad Duncan said “While searching for these particular fake Flash updates, we noticed Windows executables file names starting with AdobeFlashPlayer__ from non-Adobe, cloud-based web servers.”

He added: “We found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables.”

Fake Adobe Flash

Unit 42 found that this particular malware has been active since early August 2018.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Duncan ran the malware on a host system in a test environment running Windows 7 Service Pack 1. During these tests he found that Windows’ security systems highlights the content as coming from an unknown publisher, with its standard warning; something he notes unsuspecting victims often just click past. Fake Adobe Flash

Mr Duncan found that: “Network traffic during the infection consisted mainly of the Flash update. But my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444.”

See Also: Cryptomining Attacks Now Reported by One in Three UK Enterprises

This type of malware can catch many enterprises off guard due to the legitimate look of the Adobe pop-up update request. The fact that the download does actually update your systems to the current version of Flash also lends legitimacy to attack.

Enterprises should always check that they updating their products from the official channels rather than reacting to online prompts which may come from malicious sources. This malware shows that the unofficial ones may still update the product leaving you completely unaware that your system is been utilised by a threat actor.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU