PSA: Hackers Are Using Fake Flash Updates to Hide Cryptocurrency Mining Malware

It has been discovered that fake Adobe Flash updates are being used to surreptitiously install cryptocurrency mining malware on computers and networks, creating severe losses in time, system performance, and power consumption for affected users.

Cryptojacking Breaks New Ground

While fake Flash updates that push malware have traditionally been easy to spot and avoid, a new campaign has employed new tricks that stealthily download cryptocurrency miners on Windows systems.

Writing in a post exposing the scheme, Unit 42 threat intelligence analyst Brad Duncan said:

“As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”

The implication of this unpleasant scenario is that a potential victim may not notice anything out of the ordinary while an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer. This miner software could potentially slow down the processor of the victim’s computer, damage the hard drive, or extract confidential data and transmit it onto other digital platforms without the victim’s consent.

Technical Details of Fake Adobe Update Cryptojacking Malware

Duncan explained that it was not very clear how potential victims were arriving at the URLs delivering the fake Flash updates; however, network traffic during the infection process has been primarily related to fraudulent Flash updates. Interestingly, the infected Windows server generates an HTTP POST request to [osdsoft[.]com], a domain affiliated with updaters or installers pushing cryptocurrency miners.

He said while the research team searched for certain particular fake Flash updates, it observed some Windows executables file with names starting with Adobe Flash Player from non-Adobe, cloud-based web servers. These downloads usually had the string “flashplayer_down.php?clickid=” in the URL. The teams also found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables.

Duncan encouraged Windows users to be more cautious about the kind of Adobe Flash updates that they try to install, stating that while the Adobe pop-up and update features make the fake installer seem more legitimate, potential victims will still receive warning signs about running downloaded files on their Windows computer.

In his words:

“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”

CCN recently reported that a report from McAfee labs showed that cryptojacking surged 86 percent in the second quarter of 2018, and is up 459 percent in 2018 so far over the whole of 2017.


About us

We are the new economy news hub. 2100NEWS is the professional index, data, and tools provider in the digital asset space, offering Crypto Market Intelligence, providing the perspective you can trust and equipping you with information edge you need to stay ahead. (Real-time data of token issuers and news, analysis and commentary from community.) We are very excited to contribute to the evolution of the industry and build an ecosystem around our offering (the institutional-grade data infrastructure required to enable institutional investments in digital assets). We want our contributions (Contents and Tools on 2100NEWS.com) to be useful for helping investors.


CONTACT US

CALL US ANYTIME



Latest posts

September 15, 2019
September 14, 2019
September 13, 2019