Cryptocurrency scammers have gotten extra creative and are now hiding mining malware in legitimate updates of Adobe Flash Player.
Researchers from cybersecurity firm Palo Alto Networks discovered a fake Flash updater which has been doing the rounds since early August. While it claims to install a legitimate Flash update, the malicious file sneaks in a cryptocurrency mining bot called XMRig (which mines privacy coin Monero).
The fact the scam actually installs a genuine Flash update serves to distract the user from the deceitful goings-on. Many users may be unaware their CPU is now running at full tilt, mining cryptocurrency for someone else.
What’s going on?
While searching for fake Flash updates, the researchers uncovered 113 instances of files with the “AdobeFlashPlayer” prefix hosted on non-Adobe servers.
Palo Alto Networks believes users are directed to these files via spoof URLs. However, the researchers have not been able to confidently conclude how victims arrive at these URLs in the first place.
Palo Alto Networks tested one of the fake URLs and found that, on the surface, there was no reason to suspect any foul play; the web traffic, on the other hand, told a different story.
After the downloaded file installs a legitimate Flash update, the mining bot connects to a Monero mining pool and gets to work.
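The two observations above (an “AdobeFlashPlayer”-named file fetched from a non-Adobe host, followed shortly by the same machine connecting to a mining pool) translate directly into a detection rule. The following is an added example, not code from Palo Alto Networks or this article; the proxy log lines, the `example-cdn.invalid` hosts and the `pool.monero-placeholder.invalid` pool entry are constructed placeholders, and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log, one event per line: "timestamp client method target".
SAMPLE_LOG = """\
2018-08-14T10:02:11 10.0.0.5 GET https://fpdownload.adobe.com/pub/AdobeFlashPlayer_installer.exe
2018-08-14T10:05:43 10.0.0.7 GET http://updates.example-cdn.invalid/AdobeFlashPlayer__3045_i1033.exe
2018-08-14T10:06:20 10.0.0.7 CONNECT pool.monero-placeholder.invalid:4444
2018-08-14T10:40:01 10.0.0.9 GET http://static.example.invalid/AdobeFlashPlayer_setup.exe
2018-08-14T11:30:02 10.0.0.9 CONNECT pool.monero-placeholder.invalid:4444
"""
ADOBE_DOMAINS = ("adobe.com",)  # domains Adobe legitimately serves from (assumption)
MINING_POOLS = {"pool.monero-placeholder.invalid"}  # placeholder; load real pool indicators from threat intel
WINDOW = timedelta(minutes=30)  # how soon after the download the miner is expected to phone home (assumption)

def is_adobe_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)

def parse(line):
    ts, client, method, target = line.split()
    # CONNECT targets are "host:port"; other methods carry a full URL.
    host = target.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(target).hostname
    return datetime.fromisoformat(ts), client, method, target, host

def find_fake_updaters(log_text):
    """Stage 1: AdobeFlashPlayer*-named files fetched from a host that is not Adobe's."""
    hits = []
    for ts, client, method, target, host in map(parse, log_text.splitlines()):
        filename = urlsplit(target).path.rsplit("/", 1)[-1] if method == "GET" else ""
        if filename.startswith("AdobeFlashPlayer") and not is_adobe_host(host):
            hits.append((ts, client, target))
    return hits

def correlate_with_pool(log_text):
    """Stage 2: pair each suspicious download with a pool connection from the same client inside WINDOW."""
    events = [parse(l) for l in log_text.splitlines()]
    alerts = []
    for ts, client, url in find_fake_updaters(log_text):
        pool = next((h for t, c, _, _, h in events
                     if c == client and ts < t <= ts + WINDOW and h in MINING_POOLS), None)
        alerts.append({"client": client, "updater": url, "pool": pool})
    return alerts
```

On the sample log, the genuine Adobe download is ignored, both non-Adobe downloads are flagged, and only the client whose pool connection falls inside the window gets a corroborated alert.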
As is usually the case with cryptocurrency mining malware, the victim’s infected system does all the heavy lifting with no reward. In this case, any mined Monero is redirected to a single wallet.
Sadly, cryptocurrency mining malware and cryptojacking are not new phenomena, and yet again Monero is the coin of choice for the scammers.
Some research has suggested over $250,000 of Monero is mined through illegitimate browser-based mining scripts every month.
Last month the Monero community hit out at the hackers using XMR in these types of illegitimate scams. The Monero Malware Response Workgroup is trying to combat the growing number of Monero-based hacks.
Let’s hope the workgroup gets to work on this one pretty swiftly.
Hard Fork has reached out to Adobe for comment; we will update this piece as we learn more.