Using fake software updates to spread malware is not a new phenomenon, but a new malware campaign has been discovered that is quite different. Fake Adobe Flash updates are being spread that actually do update the user’s Flash version, albeit with the addition of the XMRig cryptocurrency miner.
The campaign deploys pop-up notifications that are an exact replica of the authentic notifications used by Adobe, telling the user that their Flash version needs to be updated. Clicking on the install button, as with the authentic notifications, will update users’ Flash to the most recent version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. Once downloaded, XMRig will operate silently in the background, unbeknown to the user.
The campaign was discovered by security experts at Palo Alto Network’s Unit 42 team. The researchers found several Windows executable files that began with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.
A review of network traffic during the infection process revealed most of the traffic was connected to updating Adobe Flash from an Adobe controlled domain, but that soon amended to traffic through a domain associated with downloaders known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that was associated with the XMRig cryptocurrency miner.
Additional analysis of the campaign showed it has been operating since mid-August, with activity increasing in September when the fake Adobe Flash updates started to be distributed more widely.
End users are unlikely to notice the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the operation of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it takes up almost all of the computer’s CPU for cryptocurrency mining. Any user that reviews Task Manager will see Explorer.exe hogging their CPU. As with the majority of cryptocurrency miners, XMRig mines Monero. What is not currently obvious is which websites are distributing the fake Adobe Flash updates, or how traffic is being sent to those sites.
Any alert about a software update that pops up while browsing the internet should be dealt with as suspicious. The window should be shut, and the official website of that software supplier should be visited to determine if an update is required. Software updates should only ever be installed from official websites, in the case of Adobe Flash, that is Adobe.com.
The Palo Alto experts say “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
