At least for the time being, it looks like the mad rush to buy graphics cards for cryptocurrency mining and leave gamers with overpriced options is in the rear view mirror. That doesn't mean cryptocurrency mining doesn't still present an annoyance in some sectors, though. Security researchers warn that cryptocurrency malware is currently hiding in a fake Adobe Flash update that is making the rounds.
Adobe Flash can't disappear fast enough. In the meantime, it continues to present security issues, sometimes directly through discovered vulnerabilities and, in this case, by preying on the vigilance of users who try to keep it updated in order to prevent the very kind of infection this fake, malicious update is causing on some PCs.
"In most cases, fake Flash updates pushing malware are not very stealthy. In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware. If a victim runs such poorly-disguised malware on a vulnerable Windows host, no visible activity happens, unless the fake updater is pushing ransomware," Palo Alto Networks explains.
"However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version," Palo Alto Networks added.
What's tricky here is that by including a legitimate Flash update, it's easier to trick potential victims into thinking that everything went smoothly, even though a cryptocurrency miner is running in the background and stealing system resources.
The security firm said it had discovered 113 examples of malware using this technique in AutoFocus over the past half year. Around two-thirds of those carried a CoinMiner tag, while the remaining samples share other tags with those same CoinMiner-related executables.
What's less clear is how exactly victims are arriving at URLs serving up the malicious Flash updates. Regardless, anyone still using Flash should be wary of pop-ups trying to push an update.