Fake Adobe Flash Updates Hide Malicious Crypto Miners (Oct 11, 2018)
Unknown threat actors have launched a new fake Adobe Flash Player update that installs the XMRig cryptocurrency miner. It is not known how victims are being directed to the URLs serving the fake updater. When the fake updater is executed, it first starts the cryptominer, then runs a legitimate Flash updater taken from Adobe, complete with the usual browser pop-ups. The miner runs in the background and can go undetected. A user may be able to spot the miner by thoroughly reviewing the files involved in the update, where they will find Windows executables with "AdobeFlashPlayer" names downloaded from non-Adobe web servers.
Recommendation: Your company should regularly check the software used in everyday business practices to ensure it is always up to date with the latest security features. Using the automatic update feature in Windows operating systems is a good mitigation step to ensure your company is always on the most recent version. Use a reputable web filtering service to ensure that unwanted and/or illegitimate updates are filtered out.
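The detection hint above (executables with "AdobeFlashPlayer" names fetched from non-Adobe servers) and the web-filtering recommendation can both be turned into a simple proxy-log check. The following is an added example, not code from the original report or from Anomali; the log format, the sample lines and the list of legitimate Adobe download domains (`adobe.com`, `macromedia.com`) are assumptions for illustration and should be replaced with your own proxy format and allow-list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: domains from which Adobe itself served Flash Player installers.
# Any other host serving an "AdobeFlashPlayer*.exe" is treated as suspect.
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")
EXECUTABLE_EXTENSIONS = (".exe", ".msi")

# Constructed sample proxy log (not from the page):
# timestamp client method url status content-type
SAMPLE_LOG = """\
2018-10-11T09:12:01Z 10.0.0.12 GET http://fpdownload.adobe.com/get/flashplayer/AdobeFlashPlayerInstaller.exe 200 application/octet-stream
2018-10-11T09:13:44Z 10.0.0.17 GET http://cdn.example-host.invalid/update/AdobeFlashPlayer__1234.exe 200 application/octet-stream
2018-10-11T09:14:02Z 10.0.0.17 GET http://www.adobe.com/products/flashplayer/ 200 text/html
2018-10-11T09:15:30Z 10.0.0.21 GET http://files.example-mirror.invalid/dl/adobe_flash_player_setup.exe 200 application/x-msdownload
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    host: str
    filename: str


def _is_adobe_host(host: str) -> bool:
    """True if the host is one of the allow-listed Adobe domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)


def _looks_like_flash_installer(filename: str) -> bool:
    """True for Windows executables whose name contains 'AdobeFlashPlayer' in any casing/separator style."""
    name = filename.lower()
    if not name.endswith(EXECUTABLE_EXTENSIONS):
        return False
    # Strip separators so "Adobe_Flash-Player.exe" still matches.
    compact = re.sub(r"[^a-z0-9]", "", name)
    return "adobeflashplayer" in compact


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Extract (timestamp, client, host, filename) from one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 4:
        return None
    timestamp, client, _method, url = parts[:4]
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    filename = parsed.path.rsplit("/", 1)[-1]
    return timestamp, client, parsed.hostname, filename


def find_suspicious_downloads(log_text: str) -> List[Finding]:
    """Return every download of a Flash-Player-named executable from a non-Adobe host."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        timestamp, client, host, filename = record
        if _looks_like_flash_installer(filename) and not _is_adobe_host(host):
            findings.append(Finding(timestamp, client, host, filename))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} fetched {f.filename} from non-Adobe host {f.host}")
```

On the constructed log this flags the two downloads from `cdn.example-host.invalid` and `files.example-mirror.invalid` while leaving the genuine `fpdownload.adobe.com` installer and the Adobe product page alone. The same allow-list logic is what a web filtering rule would enforce: block or alert on Flash-Player-named executables from any host outside the vendor's own domains.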
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.