Cryptojacking: Fake Adobe Flash Player Updater Installs Coin Mining Software

Mining malware has used legitimate Adobe notifications and update services to infect the computers of unsuspecting users, US firm Palo Alto has claimed.

Crypto mining malware has been attacking computers by means of a fake Adobe Flash Player updater, cybersecurity company Palo Alto said on Thursday. The firm analyzed a number of files dated from March 25 to September 10, Brad Duncan, a computer specialist at Palo Alto, explained in a blog post.

The infected downloads installed cryptocurrency mining software such as XMRig, a program that mines Monero (XMR).

“As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version,” Duncan wrote.

“Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary. Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer.”

The infected updates shared two characteristics: first, their file names started with AdobeFlashPlayer__ and they were served from non-Adobe, cloud-based web servers; second, the download URLs always contained the string flashplayer_down.php?clickid=. The company found 113 files that met both criteria, and a further 473 that matched only the URL characteristic.
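As an added defensive example (not code from the article or from Palo Alto), the following Python applies the two indicators above to constructed proxy log lines and reports which downloads match both criteria and which match only the URL string; the log format, client addresses and host names are assumptions.

```python
from typing import Optional
from urllib.parse import urlparse

# Indicators quoted in the article for the fake Flash updater downloads.
URL_MARKER = "flashplayer_down.php?clickid="
NAME_PREFIX = "AdobeFlashPlayer__"
ADOBE_DOMAIN = "adobe.com"

# Constructed sample proxy log lines (hypothetical; not from the Palo Alto report).
# Format: "<timestamp> <client_ip> <url> <saved_filename>"
SAMPLE_LOG = """\
2018-09-10T14:02:11Z 10.0.0.5 http://cdn.example.test/flashplayer_down.php?clickid=abc123 AdobeFlashPlayer__1234.exe
2018-09-10T14:05:40Z 10.0.0.7 https://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe install_flash_player.exe
2018-09-10T14:09:02Z 10.0.0.9 http://files.example.test/flashplayer_down.php?clickid=zz9 setup_update.exe
2018-09-10T14:11:55Z 10.0.0.5 https://adobe.com.example.test/flashplayer_down.php?clickid=q1 AdobeFlashPlayer__9.exe
2018-09-10T14:15:03Z 10.0.0.2 http://other.example.test/report.pdf report.pdf
"""

def is_adobe_host(url: str) -> bool:
    # True only for adobe.com itself or a real subdomain; look-alike hosts
    # such as adobe.com.example.test must not pass.
    host = (urlparse(url).hostname or "").lower()
    return host == ADOBE_DOMAIN or host.endswith("." + ADOBE_DOMAIN)

def classify(url: str, filename: str) -> Optional[str]:
    # "both": filename prefix from a non-Adobe host AND the URL string;
    # "url_only": just the URL string; None: nothing matched.
    url_hit = URL_MARKER in url
    name_hit = filename.startswith(NAME_PREFIX) and not is_adobe_host(url)
    if url_hit and name_hit:
        return "both"
    if url_hit:
        return "url_only"
    return None

def scan_log(log_text: str) -> dict:
    # Count matches per category and collect the flagged (client, verdict, url) triples.
    result = {"both": 0, "url_only": 0, "hits": []}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, url, filename = parts
        verdict = classify(url, filename)
        if verdict:
            result[verdict] += 1
            result["hits"].append((client, verdict, url))
    return result
```

Running scan_log(SAMPLE_LOG) on the constructed lines flags two "both" downloads and one "url_only" download, while the genuine fpdownload.adobe.com fetch is left alone.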

Windows warned of suspicious activity when Duncan ran one of those files on his computer. The message read: “Do you want to allow the following program from an unknown publisher to make changes to this computer?”

“Near the beginning of the traffic, my infected Windows host generated an HTTP POST request to osdsoft[.]com. This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software,” Duncan explained in the post.

“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”

Cryptojacking is a crypto mining malware attack in which the browsers of unsuspecting users are hijacked without their consent to mine cryptocurrency. It differs from crypto ransomware attacks, in which hackers infect people's computers and demand payment in cryptocurrency, or steal cryptocurrency-related data.