Security researchers at Palo Alto Networks have warned of a fake Adobe Flash update that hides a cryptocurrency miner while still behaving like a legitimate software update. According to the researchers, the fake Adobe Flash update was used as a delivery vector for a malicious cryptocurrency miner.
The fake update has been actively used in a malware campaign since this summer. It genuinely updates the victim's Flash Player by borrowing the code of the legitimate installer, while also downloading an XMRig cryptocurrency miner onto the Windows system.
“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer,” the Palo Alto analysis states.
“These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”
The fake updates use file names starting with AdobeFlashPlayer and are hosted on cloud-based web servers that do not belong to Adobe. The malicious download URLs contain the string “flashplayer_down.php?clickid=”.
At the time of writing, the researchers have not revealed how the URLs delivering the fake Adobe Flash update were being spread to victims.
According to the analysis of the network traffic, the infected Windows hosts connect to osdsoft[.]com via HTTP POST requests. The domain is associated with other updaters and installers that push cryptocurrency miners and other unwanted software.
“This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software. One such example from December 2017 named free-mod-menu-download-ps3.exe also shows osdsoft[.]com followed by XMRig traffic on TCP port 14444 like the example used in this blog,” the report reads.
“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”
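The network and file indicators quoted above lend themselves to a simple detection pass over web-proxy logs. The following is an added example and not code from the Palo Alto report: it turns the "flashplayer_down.php?clickid=" URL string, AdobeFlashPlayer file names served from non-Adobe hosts, HTTP POSTs to osdsoft[.]com and connections to TCP port 14444 into rules and runs them over constructed log lines. The log format, host names and IP addresses are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the report; the log format and sample lines below are constructed.
FAKE_UPDATE_URL_MARKER = "flashplayer_down.php?clickid="
FAKE_INSTALLER_PREFIX = "AdobeFlashPlayer"
MINER_UPDATER_DOMAIN = "osdsoft.com"  # written defanged as osdsoft[.]com in the report
XMRIG_PORT = 14444

# Constructed proxy log: timestamp client method url dst_ip dst_port (hosts and IPs are placeholders)
SAMPLE_LOG = """\
2018-10-11T09:01:02Z 10.0.0.5 GET http://cdn.example.invalid/flashplayer_down.php?clickid=abc123 203.0.113.10 80
2018-10-11T09:01:05Z 10.0.0.5 GET http://cdn.example.invalid/AdobeFlashPlayer_31.exe 203.0.113.10 80
2018-10-11T09:02:00Z 10.0.0.5 POST http://osdsoft.com/ 198.51.100.7 80
2018-10-11T09:02:30Z 10.0.0.5 CONNECT 198.51.100.9:14444 198.51.100.9 14444
2018-10-11T09:03:00Z 10.0.0.6 GET https://get.adobe.com/flashplayer/AdobeFlashPlayer.exe 203.0.113.50 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def classify(method, url, dst_port):
    """Return the names of every indicator a single log entry matches."""
    hits = []
    parts = urlsplit(url if "://" in url else "//" + url)  # bare host:port lines get a scheme-less netloc
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    if FAKE_UPDATE_URL_MARKER in url:
        hits.append("fake_flash_download_url")
    # Genuine Flash installers come from adobe.com; the fakes reuse the file-name prefix on other hosts.
    if filename.startswith(FAKE_INSTALLER_PREFIX) and not (host == "adobe.com" or host.endswith(".adobe.com")):
        hits.append("flash_installer_from_non_adobe_host")
    if method == "POST" and host == MINER_UPDATER_DOMAIN:
        hits.append("post_to_miner_updater_domain")
    if dst_port == XMRIG_PORT:
        hits.append("possible_xmrig_traffic")
    return hits


def scan_log(text):
    """Map each client IP to the sorted list of indicators it triggered; clean clients are omitted."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, method, url, _dst_ip, dst_port = m.groups()
        for hit in classify(method, url, int(dst_port)):
            findings.setdefault(client, set()).add(hit)
    return {client: sorted(hits) for client, hits in findings.items()}
```

Calling scan_log(SAMPLE_LOG) flags only 10.0.0.5, which hit all four rules; the client that fetched the installer from get.adobe.com is left alone.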
The Palo Alto Networks experts point out that potential victims will still receive the usual Windows warning messages about running downloaded files on their computers.
“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” the analysis concludes.
“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”