IT security researchers at Palo Alto Networks have identified a fake Flash updater circulating on the web that fools computer users by quietly installing the XMRig cryptocurrency mining bot. In the past few months, the researchers have identified 113 fake updaters installing cryptomining malware on targeted devices.
The updater has been actively attacking computers since August, and the CPUs of infected machines are being used to mine Monero, a well-known privacy-focused cryptocurrency.
“As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version,” said Unit 42 threat intelligence analyst Brad Duncan.
Not only individual computers but entire networks are potential targets of the fake Adobe Flash updates. Besides installing the cryptomining malware, the updater also installs a genuine Flash update on the computer in order to evade detection.
Researchers believe it to be an evolved form of cryptojacking combined with a fake Flash update lure, two of the most common techniques for launching cyber attacks, since it bundles both into a single package.
As soon as the XMRig bot is installed, it draws on the computer's resources to mine Monero and then places a real Flash update on the system. This is done to prevent the user from suspecting foul play.
Furthermore, by updating Flash, the attackers want users to believe that nothing is wrong with the system, so that the mining continues. The attackers' primary objective is to keep the system mining cryptocurrency for as long as possible, and this is only possible while users don't suspect anything.
“With an attack like ransomware, you’re going to be in the user’s face. Within a few minutes, you’re going to have their files, you’re going to have a pop-up saying, ‘Hey, I stole your data, you need to pay me money.’ But with cryptomining, you want that computer to keep running your software as long as possible.”
Researchers at Palo Alto Networks identified the fake Flash updater while searching the web and found Windows executable files bearing the title AdobeFlashPlayer. Security experts therefore recommend that users always browse cautiously.
When the files were tested on Windows 7 Service Pack 1, the OS showed a warning that the software was not authentic, which suggests that the attackers lacked sophistication. However, users cannot easily tell that the software is untrustworthy, since it has been packaged well enough to look genuine.
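The warning Windows raised in that test comes from the installer's missing or invalid code signature, and that same check can be automated. The following PowerShell snippet is an added example, not code from the article or from Palo Alto Networks: it looks for executables named like the fake installer in an assumed download location and reports their Authenticode status, signer and SHA-256 hash so a defender can triage them.

```powershell
# Added example (not from the article): flag executables named like the fake
# Flash installer and report their Authenticode signature status.
# Assumption: the files to inspect live in the current user's Downloads folder.
$searchRoot = Join-Path $env:USERPROFILE 'Downloads'

Get-ChildItem -Path $searchRoot -Recurse -Include '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*AdobeFlashPlayer*' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [PSCustomObject]@{
            File       = $_.FullName
            Status     = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Publisher  = $publisher
            Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Anything that is not a valid signature from an Adobe subject deserves a closer look
            Suspicious = ($sig.Status -ne 'Valid') -or ($publisher -notmatch 'Adobe')
        }
    } | Format-Table -AutoSize
```

The `Suspicious` column is a triage hint, not a verdict: a valid signature from an unexpected publisher, or no signature at all, is the condition that produced the Windows warning described above. The SHA-256 value lets an analyst compare a sample against published indicators without relying on the file name, which the attackers chose deliberately.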
“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates,” concluded Duncan.
There is no clear indication of the number of affected users: Palo Alto Networks has identified only 113 samples so far, and the researchers believe the real number could be higher, so it is difficult to quantify the extent of the impact as yet. Researchers are also concerned that by combining two malicious techniques, attackers have expanded the scope of cryptojacking.