This cryptojacking mining malware pretends to be a Flash update

Cryptojacking crooks hide mining malware in what looks like a legitimate software update.
Written by Danny Palmer, Senior Writer

Crooks are attempting to spread their cryptojacking malware to unsuspecting victims by disguising it as an update for Flash.

This particular mining operation is thought to have been operating since August this year with a big spike in activity in September and looks to trick potential victims into downloading an XMRig cryptocurrency miner -- the malicious software runs in the background and secretly uses the power of the infected PC to acquire Monero for the hackers.

The fake Flash updater campaign has been detailed by researchers at Palo Alto Networks, who uncovered it while looking for Windows executable file names starting with 'AdobeFlashPlayer__' being served from non-Adobe, cloud-based web servers.
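The hunting heuristic described above, applied to web-proxy logs as an added example (not Palo Alto Networks' or ZDNet's code): flag executable downloads whose file name starts with 'AdobeFlashPlayer__' when the serving host is not Adobe's. The log format, the trusted-host list and the sample hostnames are assumptions, and the log lines are constructed.

```python
# Added example (not Palo Alto Networks' or ZDNet's code): applies the hunting
# heuristic above to constructed proxy log lines. Log format, trusted host
# list and the example hostnames are assumptions.
import re
from urllib.parse import urlparse, unquote

TRUSTED_SUFFIXES = ("adobe.com",)          # where real Flash installers come from (assumed)
EXE_EXTENSIONS = (".exe", ".msi")          # Windows executables worth a closer look
NAME_PREFIX = "adobeflashplayer__"         # lure file-name prefix from the campaign

# Constructed sample lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2018-09-12T10:01:03Z 10.0.0.15 GET https://fpdownload.adobe.com/get/flashplayer/AdobeFlashPlayer__31.exe 200
2018-09-12T10:02:44Z 10.0.0.22 GET https://files.example-cloudhost.net/AdobeFlashPlayer__12345.exe 200
2018-09-12T10:03:10Z 10.0.0.22 GET https://files.example-cloudhost.net/adobeflashplayer__img.png 200
2018-09-12T10:05:51Z 10.0.0.31 GET http://cdn.example-cloudhost.net/dl/AdobeFlashPlayer__setup.msi 200
2018-09-12T10:06:00Z 10.0.0.40 GET https://evil.adobe.com.example-cloudhost.net/AdobeFlashPlayer__x.exe 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def is_trusted_host(host: str) -> bool:
    """True only for adobe.com itself or a real subdomain (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def is_suspicious_download(url: str) -> bool:
    """Executable named AdobeFlashPlayer__* served from a non-Adobe host."""
    parsed = urlparse(url)
    filename = unquote(parsed.path.rsplit("/", 1)[-1]).lower()
    return (filename.startswith(NAME_PREFIX)
            and filename.endswith(EXE_EXTENSIONS)
            and not is_trusted_host(parsed.hostname or ""))

def find_fake_updaters(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, url) for every log line matching the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_download(m["url"]):
            hits.append((m["client"], m["url"]))
    return hits
```

The host check matches only adobe.com and its real subdomains, so a look-alike such as adobe.com.example-cloudhost.net is still flagged.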

The fake updaters are delivered to victims via web pop-up windows and use authentic-looking branding to increase the chances of a download.

If a victim clicks through to the download, they get a warning about installing software from an unknown publisher -- something that should be a security red flag. But if this warning is ignored, the cryptocurrency miner is secretly downloaded onto the system, with no prompts to give away that this is taking place.


In addition to delivering the miner, the installer also downloads an actual Flash Player update from Adobe and uses actual windows from real installations, ultimately leading the user to a page that thanks them for installing Flash Player.

"This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs," said Brad Duncan, threat intelligence analyst at Palo Alto Networks.

Once active on the system, the miner exploits the processing power of the machine to mine for Monero and delivers all the gains into a cryptocurrency wallet.

It's highly likely that the user will never suspect their system has been compromised, as miners are designed to operate secretly in the background -- and it isn't in the interest of those running the miner to reveal it, as that would risk their scheme being shut down.

Cryptojacking attacks have become so popular with cyber criminals that they've surpassed ransomware as a means of making profit, and it's thought that one in three organisations has fallen victim to mining malware at some point.

Users can attempt to avoid falling victim to mining malware by ensuring that they only download files from trusted sources.
