Posted by cageymaru 10:45 PM (CDT)
Thursday October 11, 2018
Fake Adobe Flash installers are infecting computers with malicious programs such as the XMRig cryptocurrency miner. They fool users into thinking the program is legitimate by using genuine Adobe graphics and the pop-up screens of the official Adobe installer, and they even update Adobe Flash to the latest version on the victim's PC. But the legitimate Flash update is downloaded from a compromised server along with cryptocurrency miners that force the victim's PC to mine Monero.
While searching for these particular fake Flash updates, we noticed Windows executable file names starting with AdobeFlashPlayer__ from non-Adobe, cloud-based web servers. These downloads always contained the string flashplayer_down.php?clickid= in the URL. We found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables. See Appendix A for the full list of the file hashes. Appendix B lists 473 file names and URLs for these fake Flash updates from March 25th, 2018 through September 10th, 2018.
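The two criteria above (an executable whose name begins with AdobeFlashPlayer__ served from a host that is not Adobe's, and the string flashplayer_down.php?clickid= in the download URL) are easy to turn into a hunt over web-proxy logs. The script below is an added example, not code from the original post or from the researchers quoted in it: the five-field log format, the sample log lines, and the list of domains treated as Adobe-owned are all constructed assumptions for this illustration; only the two indicators come from the post.

```python
"""Hunt web-proxy logs for the fake Flash updater pattern described above.

Added example (not from the original post). The log format and the sample
lines are constructed; ADOBE_DOMAINS is an assumption about which hosts
count as legitimate Adobe download servers.
"""
from collections import namedtuple
from urllib.parse import urlparse

# Assumption: hosts under these domains are treated as legitimate Adobe servers.
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")

# Indicators taken from the post.
FILENAME_PREFIX = "AdobeFlashPlayer__"
URL_MARKER = "flashplayer_down.php?clickid="

Hit = namedtuple("Hit", "timestamp client host filename reasons")


def is_adobe_host(host):
    """True if host is one of ADOBE_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)


def check_download(url, filename):
    """Return the list of reasons a download matches the fake-Flash criteria.

    An empty list means the download is not flagged.
    """
    reasons = []
    host = urlparse(url).hostname or ""
    if URL_MARKER in url:
        reasons.append("URL contains " + URL_MARKER)
    if filename.startswith(FILENAME_PREFIX) and not is_adobe_host(host):
        reasons.append(FILENAME_PREFIX + " executable served from non-Adobe host " + host)
    return reasons


def parse_line(line):
    """Parse the constructed format: '<timestamp> <client> <method> <url> <filename|->'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip malformed lines rather than crash the hunt
    timestamp, client, _method, url, filename = parts
    return timestamp, client, url, filename


def hunt(lines):
    """Run check_download over every log line and collect the flagged ones."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        timestamp, client, url, filename = rec
        reasons = check_download(url, filename)
        if reasons:
            host = urlparse(url).hostname or ""
            hits.append(Hit(timestamp, client, host, filename, tuple(reasons)))
    return hits


# Constructed sample log: one legitimate Adobe download, two suspicious
# downloads from non-Adobe hosts (.invalid TLD), and an unrelated page view.
SAMPLE_LOG = [
    "2018-09-10T14:02:11Z 10.0.0.15 GET https://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe install_flash_player.exe",
    "2018-09-10T14:05:47Z 10.0.0.22 GET http://cdn.example-cloud.invalid/flashplayer_down.php?clickid=abc123 AdobeFlashPlayer__123456.exe",
    "2018-09-10T14:07:03Z 10.0.0.31 GET http://files.example.invalid/downloads/AdobeFlashPlayer__987.exe AdobeFlashPlayer__987.exe",
    "2018-09-10T14:09:30Z 10.0.0.40 GET https://www.adobe.com/products/flashplayer.html -",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit.timestamp, hit.client, hit.host, hit.filename)
        for reason in hit.reasons:
            print("    -", reason)
```

The file-name check alone is deliberately suppressed for Adobe-owned hosts, since a genuine installer with an Adobe-looking name is expected there; the URL marker is flagged on any host, because the post states it appeared in every one of the samples. Subdomain matching is done by suffix on a dotted boundary so that a look-alike such as adobe.com.example.invalid is not treated as Adobe's.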