Until recently, fake Flash Player updates designed to spread malware have typically been rather clunky and lacking in “stealth,” says Brad Duncan, a threat intelligence analyst and writer for the cybersecurity firm Palo Alto Networks.
“In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware.”
More recent versions of such malware have “implemented additional deception” by giving with one hand and taking with the other.
According to Duncan, the newer fake updaters first install a genuine Flash Player update (complete with the official installer’s progress pop-ups) and only then quietly drop a Monero-mining payload onto the system in the background:
“As early as August 2018, some (malware) samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer…(and) can also update a victim’s Flash Player to the latest version…(A) potential victim may not notice anything out of the ordinary. Meanwhile, an XMRig (Monero) cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer.”
According to Duncan, since March 2018 researchers at Palo Alto Networks have used the firm’s AutoFocus threat intelligence service and other analysis to identify 113 examples of malware impersonating the Flash Player installer, picked out by the string AdobeFlashPlayer__ in the file name and flashplayer_down.php?clickid= in the download URL.
A chart from Palo Alto also shows a roughly 20x to 40x increase in the number of these more deceptive fake Flash Player downloads the firm has detected since March.
While Duncan found that much of the initial activity on his lab computer involved processing the legitimate update, “my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444. The Monero wallet used for this miner was:
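The indicators Duncan names (the flashplayer_down.php?clickid= download URL, installer file names beginning with AdobeFlashPlayer__, and XMRig traffic over TCP port 14444) are simple enough to turn into detection logic. The following is an added example, not code from Duncan’s write-up or from Palo Alto Networks: it matches those three indicators over a constructed one-line-per-event log, then correlates them per host, since a fake-installer download followed by mining traffic is a far stronger signal than either alone. The log format, host names, IP addresses, rule names and sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicators stated in the article: download URLs containing
# "flashplayer_down.php?clickid=", file names beginning with
# "AdobeFlashPlayer__", and XMRig mining traffic over TCP port 14444.
URL_INDICATOR = "flashplayer_down.php?clickid="
FILENAME_PREFIX = "AdobeFlashPlayer__"
MINING_PORTS = {14444}

# Assumption (not from the article): a one-line-per-event log with three kinds:
#   web  <ts> <host> <url>
#   file <ts> <host> <path-of-created-file>
#   net  <ts> <host> <dst_ip> <dst_port> <proto>
EVENT_RE = re.compile(r"^(?P<kind>web|file|net)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.+)$")

Alert = Tuple[str, str, str]  # (rule, host, detail)


def check_event(line: str) -> List[Alert]:
    """Return the alerts a single log line raises (empty list if none)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return []
    kind, host, rest = m.group("kind"), m.group("host"), m.group("rest").strip()
    alerts: List[Alert] = []
    if kind == "web":
        if URL_INDICATOR in rest:
            alerts.append(("fake-flash-download-url", host, rest))
        # Check the last path segment so a query string cannot hide the name.
        leaf = urlsplit(rest).path.rsplit("/", 1)[-1]
        if leaf.startswith(FILENAME_PREFIX):
            alerts.append(("fake-flash-installer-name", host, leaf))
    elif kind == "file":
        # Accept both Windows and POSIX separators when taking the base name.
        leaf = re.split(r"[\\/]", rest)[-1]
        if leaf.startswith(FILENAME_PREFIX):
            alerts.append(("fake-flash-installer-name", host, leaf))
    elif kind == "net":
        parts = rest.split()
        if (len(parts) >= 3 and parts[2].lower() == "tcp"
                and parts[1].isdigit() and int(parts[1]) in MINING_PORTS):
            alerts.append(("monero-mining-port", host, f"{parts[0]}:{parts[1]}"))
    return alerts


def scan(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (rule, detail) alerts by host across a whole log."""
    by_host: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        for rule, host, detail in check_event(line):
            by_host[host].append((rule, detail))
    return dict(by_host)


def classify(by_host: Dict[str, List[Tuple[str, str]]]) -> Dict[str, str]:
    """A fake-installer indicator plus mining traffic on the same host is
    'infected'; either one alone is only 'suspect'."""
    verdicts: Dict[str, str] = {}
    for host, alerts in by_host.items():
        rules = {rule for rule, _ in alerts}
        downloaded = bool(rules & {"fake-flash-download-url", "fake-flash-installer-name"})
        mining = "monero-mining-port" in rules
        verdicts[host] = "infected" if downloaded and mining else "suspect"
    return verdicts


# Constructed sample log (not real telemetry). ws-17 is the full chain from the
# article, ws-22 only fetches a genuine Adobe installer, ws-31 only created a file.
SAMPLE_LOG = [
    "web  2018-10-11T09:14:02Z ws-17 http://get.adobe.com/flashplayer/download/",
    "web  2018-10-11T09:15:40Z ws-17 http://203.0.113.25/flashplayer_down.php?clickid=1234abcd",
    r"file 2018-10-11T09:15:44Z ws-17 C:\Users\alice\Downloads\AdobeFlashPlayer__5234.exe",
    "net  2018-10-11T09:17:00Z ws-17 198.51.100.9 14444 tcp",
    "net  2018-10-11T09:17:05Z ws-22 198.51.100.40 443 tcp",
    "web  2018-10-11T09:18:00Z ws-22 https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.101/install_flash_player.exe",
    r"file 2018-10-11T10:02:11Z ws-31 C:\Users\bob\Downloads\AdobeFlashPlayer__9981.exe",
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for host, verdict in classify(findings).items():
        print(host, verdict, findings[host])
```

Running the block prints ws-17 as infected (all three indicators) and ws-31 as suspect (file name only); ws-22 raises nothing because the genuine Adobe download neither matches the URL indicator nor carries the AdobeFlashPlayer__ name. The port check is deliberately kept to TCP 14444 as the article states it; in practice a miner can be pointed at any pool port, so the URL and file-name indicators are the more durable part of the rule.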
Proper education and security tools, concludes Duncan, are in order. “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates,” he writes.