NBC News reported this week on a Palo Alto Networks blog post that revealed an effort by some cryptojackers to use a fake Adobe Flash update to install cryptocurrency miners on computers. The cybersecurity company announced the findings on Thursday, and confirmed that the malware used to execute the cryptojacking is far more deceptive than most fake Flash updates.
According to the post, most fake Flash updates are far less stealthy than the one recently discovered by the company. “In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware,” the post notes. “If a victim runs such poorly-disguised malware on a vulnerable Windows host, no visible activity happens, unless the fake updater is pushing ransomware.”
The recently discovered fake update apparently does a better job of imitating the real update software. Palo Alto Networks reports that these fake updates do more than just install hidden cryptocurrency miners:
As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.
Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary. Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer.
Other cybersecurity experts have also noticed an increase in website hacks and an uptick in hackers’ attempts to steal computer users’ computing power. McAfee chief scientist Raj Samani told NBC,
“This is not unique to this update. We are seeing many websites get hijacked and very authoritative websites we visit regularly are unwittingly consuming visitor resources for the benefit of criminals.”