A cryptocurrency mining malware is disguised as a Flash update that appears to be legitimate, warn researchers
Cryptomining popularity exploded in 2017 when Ethereum’s value soared to unexpected levels. The rush to exploit this opportunity had a significant effect on the graphics card market and inspired countless companies to launch their own virtual assets, which turned cryptocurrencies into a mainstream topic. However, as consumer interest grew, so did the interest of malicious hackers in illicitly exploiting the digital assets market.
Digital forensics investigators have discovered groups of cybercriminals that use fake Adobe Flash updates, nearly indistinguishable from legitimate ones, to distribute malware that mines Monero.
Typically, these fake Flash updates are poorly crafted, so users with ordinary knowledge can easily detect them. Now, a campaign that emerged last August is using pop-up notifications taken from the official Adobe installer, according to the digital forensics team in charge of the investigation.
In addition to installing the mining software known as XMRig, this malware can also update the victim’s Flash Player to the latest version, making it look legitimate.
As a result, victims are less likely to notice anything unusual because the fake update works normally, while XMRig or another unwanted program is stealthily executed in the background.
However, the researchers noted that during the attack, potential victims will receive warnings from their Windows operating system about the execution of unknown files, so users should remain alert when they encounter one of these security alerts.
According to specialists in digital forensics from the International Institute of Cyber Security, 5% of all Monero units in circulation have been obtained through malicious software installations, while in the first six months of 2018, illegal cryptocurrency mining increased by 629% over the same period last year.
The researchers discovered this campaign when they noticed that Windows executables whose names started with adobeFlashPlayer were being served from cloud-based servers not owned by Adobe. Researchers were able to find 113 malware samples since March 2018. More than two-thirds of these malware samples were identified as mining software, and the remaining samples had some characteristics related to this activity.
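The discovery heuristic described above (executables named adobeFlashPlayer* served from hosts outside Adobe's domains) can be turned into a simple proxy-log check. The following is an added example, not the researchers' own tooling; the log format, the allowlisted Adobe domains and the sample records are constructed for illustration.

```python
"""Flag proxy-log downloads of Windows executables named like the fake Flash
updater (names starting with 'adobeFlashPlayer') that were served from hosts
outside Adobe's own domains. Log format and hosts are constructed for the example."""
from urllib.parse import urlsplit
import posixpath

# Domains whose downloads are trusted as Adobe's own (assumed allowlist).
ADOBE_DOMAINS = ("adobe.com", "adobe.io")

def is_adobe_host(host: str) -> bool:
    """True only if host equals an allowlisted domain or is a subdomain of one.
    A plain substring check would wrongly accept 'adobe.com.evil.test'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)

def suspicious_flash_download(url: str) -> bool:
    """True if the URL fetches an .exe named adobeFlashPlayer* from a non-Adobe host."""
    parts = urlsplit(url)
    name = posixpath.basename(parts.path).lower()
    if not (name.startswith("adobeflashplayer") and name.endswith(".exe")):
        return False
    return not is_adobe_host(parts.hostname or "")

def flag_log(lines):
    """Parse 'timestamp client url status' records; return flagged (client, url) pairs."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed records rather than crash the sweep
        _, client, url, _ = fields[:4]
        if suspicious_flash_download(url):
            flagged.append((client, url))
    return flagged

# Constructed sample proxy records (not real indicators).
SAMPLE_LOG = [
    "2018-10-11T09:14:02Z 10.0.0.12 https://fpdownload.adobe.com/get/flashplayer/AdobeFlashPlayer_31.exe 200",
    "2018-10-11T09:15:40Z 10.0.0.17 https://cdn.example-cloud.test/dl/adobeFlashPlayer__4002.exe 200",
    "2018-10-11T09:16:05Z 10.0.0.17 https://adobe.com.evil.test/adobeFlashPlayer.exe 200",
    "2018-10-11T09:17:30Z 10.0.0.20 https://cdn.example-cloud.test/photos/vacation.jpg 200",
    "garbled line",
]

if __name__ == "__main__":
    for client, url in flag_log(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url}")
```

Filename prefix alone is a weak signal, so the check only fires when the host is also outside the allowlist; tune ADOBE_DOMAINS to the download hosts your environment actually observes.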
While this campaign uses legitimate activity to hide the distribution of mining software, organizations with adequate security measures are at lower risk of being attacked in this way.