An unusually deceptive “Flash update” scam that installs unwanted programs on infected machines has been attempting to feign legitimacy by displaying pop-up notifications borrowed from the official Adobe installer, as well as by actually installing the latest version of Flash.
A malicious Flash installer using this combination tricks in order to appear credible is “unprecedented as far as I can tell,” said Brad Duncan, analyst at Palo Alto Networks’ Unit 42 threat research team, in an email interview with SC Media. Duncan detailed the recently uncovered threat in an Oct. 11 company blog post, noting that the campaign typically installs cryptominers such as XMRig.
“Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary,” Duncan explains in his post. “Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer.”
While the fake updates are downloaded from malicious websites, it is unclear what techniques are driving users to these dangerous URLs, Duncan adds. However, a search for these phony Flash updates did lead Unit 42 researchers to web servers — unaffiliated with Adobe Systems — containing 113 Windows executables designed to install SMRig. According to Duncan, some of these executables date back as far as March, although the campaign’s adoption of the Adobe pop-up notification seems to be more recent, beginning no later than August.
Duncan said that after infecting his own Windows host machine, he observed the device sending an HTTP POST request to a domain known to be associated with malicious updaters or installers. “This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” Duncan’s blog post states. Fortunately, “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”