Experts Warn of Cryptojacking Malware That Mimics Adobe Flash Updates

Published at: Oct. 11, 2018

Researchers have identified cryptojacking malware that conceals itself behind a fake Adobe Flash update. The finding has been revealed in a cyber threat report published by Unit 42 research group on Oct. 11.

Cryptojacking is the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to new research released by Unit 42, Palo Alto Networks' threat intelligence team, the malware strain surreptitiously compels computers to mine Monero (XMR) by installing an “XMRig cryptocurrency miner.”

The new malware is said to be particularly harmful, as the developers have copied the pop-up notification from an official Adobe installer. Moreover, the download really does update targets' computers with the latest version of Flash, further adding to its seeming legitimacy. 

Unit 42 analyst Brad Duncan has stated that:

“In most cases, fake Flash updates pushing malware are not very stealthy… [but in this instance, b]ecause of the latest Flash update, a potential victim may not notice anything out of the ordinary."

Unit 42 reportedly uncovered the strain while searching for “popular” fake Flash updates using AutoFocus, a Palo Alto Networks intelligence tool:

“77.. malware samples are identified with a CoinMiner tag in AutoFocus.The remaining 36 samples share other tags with those 77 CoinMiner-related executables.”

As previously reported, coin miner works by using Coinhive – a JavaScript program created to mine Monero via a web browser. According to Unit 42, samples that deceptively mimic and install an actual Flash update have been in circulation as of August 2018.

Just yesterday, Iran’s cybersecurity authority issued a report that claimed that the highest number of recorded incidents of Coinhive infection have taken place in Brazil;  India came in second, followed by Indonesia.

As reported in September, cryptojacking malware reports are said to have surged almost 500 percent in 2018. According to estimations in June, around 5 percent of the total circulating Monero supply was mined using malware.

Tags
Related Posts
Botnet Exploits SQL Servers to Install Crypto Mining App
Recent reports revealed that a group of hackers behind the Kingminer botnet targeted vulnerable Microsoft SQL server databases to mine cryptocurrencies at some point in the second week of June. According to the cybersecurity firm Sophos, the attackers used the botnet, active since 2018, to exploit the BlueKeep and EternalBlue vulnerabilities, by also accessing through a trojan known as Gh0st, which relies on a remote access malware. Once the SQL server database is infected, the botnet installs a well-known crypto miner software called XMRig, which mines Monero (XMR). There are no details as of press time regarding how many systems …
Altcoin / June 10, 2020
Watch Out for This Cryptojacking Botnet That Steals Data From Its Victims
The threat intelligence team at Cisco Systems discovered a new cryptojacking botnet named “Prometei.” This botnet both mines Monero (XMR) and steals data from the targeted system. According to the paper sent to Cointelegraph, the botnet has been active since May. It relies on 15 executable modules to recover administrator passwords from the infected computer. Password validity is verified by sending them to a control server connected to other networks. Once the malware has obtained access to the user’s administrative rights, it proceeds to record all data contained within the system. Cisco Talos estimates this botnet may contain up to …
Technology / July 22, 2020
Cybercriminals Sneak in Crypto Mining Malware via Confluence Software Exploit
Cybercriminals are now reportedly exploiting known vulnerability CVE-2019-3396 in the software Confluence, a workspace productivity tool made by Atlassian, according to a report by security intelligence firm Trend Micro Inc. on May 7. The exploit that has been developed allows cybercriminals to stealthily install and run a monero (XMR) miner on a vulnerable computer, as well as covering up the mining activity by using a rootkit to hide the malware’s network activity and toll on the host’s central processing unit (CPU). According to an Atlassian security advisory, the vulnerability in question only applies to some older versions of Confluence. The …
Altcoin / May 7, 2019
Despite Bear Market, Crypto Mining Malware Tops Threat Index for 13th Month Running
Three strains of crypto mining malware have topped the latest Global Threat Index from Israeli cybersecurity firm Check Point, according to a press release published on Jan. 14. Check Point Software Technologies Ltd. is a security solution provider for governments and enterprises globally, with over 100,000 organizations reported to be currently using its security management system. As reported, stealth crypto mining attacks — also known as cryptojacking — work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. According to Check Point’s Global Threat Index for December 2018, the top …
Altcoin / Jan. 14, 2019
Coinhive Code Found On 300+ Websites Worldwide In Recent Cryptojacking Campaign
The Coinhive crypto mining code has been recently detected on more than 300 government and university websites worldwide, cyber security researcher Troy Mursch reported Saturday, May 5. According to the report, all the affected websites are using a vulnerable version of the Drupal content management system. As the researcher posted on Twitter May 4, he was alerted to this particular campaign via the attack on the websites of the San Diego Zoo, and the government of Chihuahua, Mexico. Both websites reportedly had Coinhive injected into their Javascript libraries in the same way. Coinhive is a JavaScript program created to mine …
United States / May 8, 2018