Flash Updater Adds Cryptocurrency Miner

What Is It?

Adobe has set the official end of life date for its frequently exploited Flash software at the end of 2020.

This date cannot come soon enough. Despite a significant reduction in its use, Flash continues to be regularly exploited by attackers. In the most recent case, as detailed by researchers from Palo Alto Network’s Unit42 team, unofficial Flash updaters have been installing cryptocurrency miners on user’s machines. For users who make use of cryptocurrency on their devices, this can become a very costly form of attack.

Fake Flash updaters have long been used by attackers to distribute various types of malware. However, in this case, observed potentially as early as March 2018, the Flash update is legitimate, Yet it additionally installs a cryptocurrency miner, usually a variant of XMRig, a Monero cryptocurrency miner.

The researchers found 437 URLs used to distribute these fake updates between March and September 2018, always including the string “flashplayer_down.php?clickid=” in the URL. The researchers had no information regarding how the URLs were distributed or presented for their intended victims to click on. When the fake Flash updater was executed, it caused Windows to display the normal warning message about allowing a program from an unknown publisher to make changes to the system. It is likely that many users would not pay much attention to this message and allow the malware to run. Many users would also likely not be suspicious, given their Flash software does get updated to the latest version.

Adding malware to a copy of a legitimate software updater is certainly not unique to this campaign, but it is an uncommon approach, though likely a highly successful one for the attackers.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The researchers did not have any data regarding the attack vector used to distribute the URLs containing the fake Flash updater. The most common likely attack vectors would be malicious spam emails containing the links or pop-up windows containing the links added to legitimate websites. In either case there would be a degree of social engineering required in order to convince potential victims to click on the links.

When/How Did BluVector Detect It?

There were 110 publicly available samples listed in the research and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown these samples would have been detected an average of 46 months prior to their release.

All Threat Reports