[BreachExchange] Fake Flash Updates Reportedly Used for Cryptojacking that Installs Crypto Miners

Destry Winant destry at riskbasedsecurity.com
Mon Oct 22 10:21:26 EDT 2018


NBC News reported this week on a Palo Alto Networks blog post that
revealed an effort by some cryptojackers to use a fake Adobe Flash
update to install cryptocurrency miners on computers. The
cybersecurity company announced the findings on Thursday, and
confirmed that the malware used to execute the cryptojacking is far
more deceptive than most fake Flash updates.

According to the post, most fake Flash updates are far less stealthy
than the one recently discovered by the company. “In recent years,
such imposters have often been poorly-disguised malware executables or
script-based downloaders designed to install cryptocurrency miners,
information stealers, or ransomware,” the post notes. “If a victim
runs such poorly-disguised malware on a vulnerable Windows host, no
visible activity happens, unless the fake updater is pushing

The recently-discovered fake update apparently does a better job
imitating the real update software. Palo Alto Networks reports that
these fake updates do more than just install hidden cryptocurrency

As early as August 2018, some samples impersonating Flash updates have
borrowed pop-up notifications from the official Adobe installer. These
fake Flash updates install unwanted programs like an XMRig
cryptocurrency miner, but this malware can also update a victim’s
Flash Player to the latest version.

Because of the legitimate Flash update, a potential victim may not
notice anything out of the ordinary. Meanwhile, an XMRig
cryptocurrency miner or other unwanted program is quietly running in
the background of the victim’s Windows computer.

Other cybersecurity experts have also noticed an increase in website
hacks and an uptick in hackers’ attempts to steal computer users’
computing power. McAfee chief scientist Raj Samani told NBC,

“This is not unique to this update. We are seeing many websites get
hijacked and very authoritative websites we visit regularly are
unwittingly consuming visitor resources for the benefit of criminals.”
