“In most cases, fake Flash updates pushing malware are not very stealthy. In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware. If a victim runs such poorly-disguised malware on a vulnerable Windows host, no visible activity happens, unless the fake updater is pushing ransomware,” Palo Alto Networks explains.
“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version,” Palo Alto Networks added.
What’s tricky here is that by including a legitimate Flash update, it’s easier to trick potential victims into thinking that everything went smoothly, even though a cryptocurrency miner is running in the background and stealing system resources.
The security firm said it had discovered 113 examples of malware using this technique in the past half year in AutoFocus. Around two-thirds of those were identified with a CoinMiner tag, while the remaining samples share other tags with those same CoinMiner-related executables.
What’s less clear is how exactly victims are arriving at URLs serving up the malicious Flash updates. Regardless, anyone still using Flash should be wary of pop-ups trying to push an update.