
‘Flash update’ scam serves up legit software, but with a side of cryptominer

An unusually deceptive "Flash update" scam that installs unwanted programs on infected machines has been attempting to feign legitimacy by displaying pop-up notifications borrowed from the official Adobe installer, as well as by actually installing the latest version of Flash.

A malicious Flash installer using this combination of tricks in order to appear credible is "unprecedented as far as I can tell," said Brad Duncan, analyst at Palo Alto Networks' Unit 42 threat research team, in an email interview with SC Media. Duncan detailed the recently uncovered threat in an Oct. 11 company blog post, noting that the campaign typically installs cryptominers such as XMRig.

"Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary," Duncan explains in his post. "Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer."

While the fake updates are downloaded from malicious websites, it is unclear what techniques are driving users to these dangerous URLs, Duncan adds. However, a search for these phony Flash updates did lead Unit 42 researchers to web servers, unaffiliated with Adobe Systems, containing 113 Windows executables designed to install XMRig. According to Duncan, some of these executables date back as far as March, although the campaign's adoption of the Adobe pop-up notification seems to be more recent, beginning no later than August.

Duncan said that after infecting his own Windows host machine, he observed the device sending an HTTP POST request to a domain known to be associated with malicious updaters or installers. "This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs," Duncan's blog post states. Fortunately, "Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates."
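As an added illustration of the web-filtering angle Duncan points to (example code, not from the article or from Unit 42), the script below reviews constructed proxy log lines for a Flash-named Windows executable fetched from a host outside Adobe's domains, then for a follow-up HTTP POST by the same client to the host that served it, the post-infection pattern described above. The log format, the Adobe domain list, the filename pattern and every sample line are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: genuine Flash installers are only ever fetched from Adobe-owned domains.
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")
# Assumed filename pattern: names Flash and is a Windows executable, e.g. flashplayer_update.exe.
FLASH_EXE = re.compile(r"flash.*\.exe$", re.IGNORECASE)


def is_adobe_host(host):
    """True only for adobe.com/macromedia.com and their subdomains; 'adobe.com.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)


def parse_line(line):
    # Constructed log format: <timestamp> <client_ip> <method> <url> <status>; None if malformed.
    parts = line.split()
    if len(parts) != 5:
        return None
    return {"ts": parts[0], "client": parts[1], "method": parts[2].upper(), "url": parts[3]}


def flag_fake_flash_downloads(log_text):
    """Return (downloads, beacons): Flash-named .exe files fetched from non-Adobe hosts, and
    later POSTs by the same client to the host that served such a file (the check-in pattern)."""
    downloads, beacons, served_by = [], [], set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        url = urlparse(rec["url"])
        host, filename = (url.hostname or ""), url.path.rsplit("/", 1)[-1]
        if rec["method"] == "GET" and FLASH_EXE.search(filename) and not is_adobe_host(host):
            downloads.append((rec["client"], host, filename))
            served_by.add((rec["client"], host))
        elif rec["method"] == "POST" and (rec["client"], host) in served_by:
            beacons.append((rec["client"], host, url.path))
    return downloads, beacons


# Constructed sample: a genuine Adobe download, a fake update with its follow-up POST, and a PDF.
SAMPLE_LOG = """\
2018-10-11T14:02:10Z 10.0.0.5 GET https://get.adobe.com/flashplayer/flashplayer_install.exe 200
2018-10-11T14:03:41Z 10.0.0.7 GET http://update-host.example/files/flashplayer_update.exe 200
2018-10-11T14:03:59Z 10.0.0.7 POST http://update-host.example/report 200
2018-10-11T14:05:02Z 10.0.0.9 GET https://www.example.com/docs/flash_guide.pdf 200
"""
```

Running `flag_fake_flash_downloads(SAMPLE_LOG)` flags only the second client's download and its subsequent POST; the Adobe-hosted installer and the PDF are left alone.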

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
