A new large-scale campaign that plants cryptocurrency miners on computers worldwide through a fake Adobe Flash Update has been uncovered. The security report indicates that the criminals have shifted from distributing ransomware to distributing cryptocurrency miners with this method. The extensive report describes how this new approach is causing thousands of infections worldwide.
Cryptocurrency Miners Distributed Through Fake Adobe Flash Update
Cryptocurrency miners are among the most common virus infections of late. Many security reports indicate that there is great interest in their deployment, as every successful infiltration generates direct income for the malware operators. The attacks abusing this method appear to have started back in August 2018 with malicious samples that impersonate Adobe Flash updates. This particular campaign has been found to borrow the actual pop-up notifications used by Adobe. When users install the files, a malicious script places the XMRig Monero miner on the system. It uses a hacker-made configuration file that takes advantage of the available system resources to carry out complex calculations. When the results are reported, the Monero cryptocurrency is awarded to the hacker operators.
The malicious files are of the type AdobeFlashPlayer__. Warning signs of the fake Adobe Flash Update miner strains are the following:
- Non-valid Names — The use of special characters, numeric versions and other symbols in the file name can be a warning of a potential threat.
- UAC Window Prompts — When the files are opened, the Publisher value in the UAC prompt reads “Unknown”.
- Fake Site Addresses — The hackers can construct fake vendor sites, landing pages and so on. Security certificates can also be crafted to make users believe that they are navigating to a safe site.
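The first two warning signs can be checked before a downloaded installer is ever run. The following PowerShell triage script is an added example, not code from the original article or from Adobe: it lists "Flash" or "Adobe" installers in a folder, flags those without a valid Authenticode signature from Adobe (the condition that makes the UAC prompt show Publisher "Unknown") and those whose names contain the odd symbols described above. It assumes a Windows host with PowerShell 5.1 or later; the folder path is a placeholder.

```powershell
# Added example (not from the original article). Triage downloaded "Flash Player"
# installers for the warning signs described above. $Folder is a placeholder path.
param([string]$Folder = "$env:USERPROFILE\Downloads")

function Test-FlashInstaller {
    param([System.IO.FileInfo]$File)
    $reasons = @()

    # Publisher "Unknown" in the UAC prompt corresponds to a missing or invalid signature.
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }

    # Genuine Adobe installers are signed by Adobe; any other signer is a red flag.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
    if ($signer -notmatch 'O=Adobe') { $reasons += "signer: $signer" }

    # Name heuristic from the article: double underscores or special characters
    # (letters, digits, space, dot, underscore and hyphen are allowed).
    if ($File.BaseName -match '__|[^\w .-]') { $reasons += "suspicious name: $($File.Name)" }

    [pscustomobject]@{
        File       = $File.FullName
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Only look at executables and MSI packages whose names claim to be Flash or Adobe.
Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.msi' -and $_.Name -match '(?i)flash|adobe' } |
    ForEach-Object { Test-FlashInstaller -File $_ } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

A file that is flagged here should be deleted rather than opened; a genuine Flash update was only ever distributed from Adobe's own site.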
Following the cryptocurrency miner infection, the local client first communicates with a hacker-controlled server to report the newly infected host. In certain situations this can also lead to other infections, meaning that a target computer or network can experience a combined malware delivery. Trojan and ransomware samples are very likely to be distributed using such methods. The reason is that, as the malicious script has already obtained administrative privileges (via the UAC window), the associated malware can be installed to a system folder and can hook into any running process.
This leads us to believe that other popular software may be targeted in future campaigns. Computer users are advised to be very careful when installing or updating their software and to always remain vigilant for the warning signs of fake installers.