XMRig cryptominer installs on the system as the Flash updater

by Linas Kiguolis - - 2018-10-12

Fake Adobe Flash Updater secretly installs an infamous XMRig cryptominer

Monero miner distributed via fake Flash updates XMRig monero miner was distributed using Adobe Flash updater.

The fake Abode Flash updater has recently been found distributing an infamous crypto mining^[1] malware called XMRig.^[2] The virus is set to start working in the background of the infected device while fake Flash updates are used to distract the victim's attention by displaying pop-up notifications from the official Adobe installer.

Typically, victims do not notice anything because malware creators disguised their fake Flash updater quite good by using official updates from Adobe servers. In the meanwhile, the XMRig cryptominer runs in the background and uses the resources of the device to generate cryptocurrency.

According to researcher Brad Duncan,^[3] malicious URLs have been used since March 2018. Paloalto's Unit 42 team has already discovered 113 malware samples and 473 different file names which were used to distribute fake Flash updates filled with XMRig Monero cryptocurrency miner.

The security researcher Duncan said in his analysis:

While searching for these particular fake Flash updates, we noticed Windows executables file names starting with AdobeFlashPlayer__ from non-Adobe, cloud-based web servers. These downloads always contained the string flashplayer_down.php?clickid= in the URL.

Monero miner uses 100% CPU's resources while installing real Flash updates

Besides adding the crypto mining malware to the system, the fake Adobe Flash updater downloads needed updates for the player. Adding actual Flash update functionality made this malware look legitimate. Samples of the Flash updater impersonator were discovered back in August 2018:

This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs. Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.

Brad Duncan also says that, in recent years, these fake Flash updates have started to be more dangerous because they can be filled not only with the information-stealing malware, but also ransomware, cryptojackers, and similar threats. Previously, these intruders had been using poorly tacts, so people declined them before they managed to infiltrate the system.

2018 —the rise of cryptocurrency miners

During the recent year,s ransomware competes with crypto mining malware in the most popular and dangerous malware category.^[4] In 2018, cryptojacking has become almost five times more popular than it was previously.

This can be explained by a simple fact – cryptominers help hackers profit from people without direct contact. They silently run in the background and do not require ransoms or do not collect illegal fees from the victim.

As a result, during the recent years, Bitcoin or Monero miners have gained huge amounts of money. Brazil seems to be at the top – according to recent claims, Coinhive^[5] miner has affected more than 81 000 devices.

About the author

Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions

References

^ Cryptojacking - computers secretly mining cryptocurrencies?. Bitcoinexchangeguide. Blockchain news.
^ Lucia Danes. XMRig is a crypto-mining Trojan that exploits CPU resources to earn Monero fractions. 2-spyware. Security and spyware news.
^ Brad Duncan. Fake Flash updaters puch cryptocurrency miners. Paloaltonetworks. Research center.
^ Jay Kelley. Ransomware vs. cryptojacking. Darkreading. Cyber security news.
^ William Suberg. Brazil tops list of cryptojacking Coinhive victims, Iranian cybersecurity authority warns. Cointelegraph. Bitcoin & Ethereum blockchain news.