Hiding malicious payloads in fake update installers is nothing new. Criminals exploit users' trust and inattention by bundling malware inside seemingly legitimate update packages. Usually such disguised malware has a single purpose: to take over the user's system once it is installed. When run, the typical fake update installer silently drops its payload and shows no other visible activity.
The recent wave of fake updaters described here goes a step further. They reuse the pop-up notifications of the legitimate Flash installer to look genuine, and while they really do update the victim's Flash Player they concurrently install an XMRig cryptocurrency miner. Because the miner is installed in the background, the user notices nothing suspicious.
Researchers investigating the fake Flash updater noticed that the Windows executables had file names beginning with AdobeFlashPlayer, and that they evidently came from a non-Adobe source. Once infected, a Windows computer began generating network traffic over TCP port 14444, a port associated with XMRig mining code, as it started mining the Monero cryptocurrency. During mining, infected computers ran noticeably slower than usual, because the cryptominer consumes processing power.
Windows users should be careful about the permissions they grant when installing software. In this case, the pop-up window that appeared listed the installer as coming from an "unknown publisher". That was the telltale sign that the installer was not from Adobe: a genuine Adobe installer is signed, and the prompt names Adobe as the publisher.
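The two indicators above (outbound TCP/14444 and AdobeFlashPlayer*-named executables with no recognised publisher) are the kind of thing an analyst would turn into a quick triage script. The following is an example added here, not code from the article or from Unit 42. The flow-log columns, the inventory format and the sample records are all constructed for the example; the Adobe publisher strings are assumptions, and port-based matching is only a pivot, since a miner can be pointed at any port.

```python
"""
Triage helpers for the indicators described in the article:
  1. internal hosts talking TCP to port 14444 (the port the article ties to XMRig);
  2. executables named AdobeFlashPlayer* whose Authenticode publisher is not Adobe
     (an unsigned file is what the Windows prompt reports as "Unknown publisher").
Example code; log layout, field names and publisher strings are assumptions.
"""
import csv
import io
from collections import defaultdict

MINER_PORT = 14444  # port named in the article; attackers can change it at will

# Constructed flow-log sample (not real traffic); addresses are documentation ranges.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes_out
2018-10-10T12:00:01,10.0.0.5,198.51.100.7,443,tcp,1200
2018-10-10T12:00:05,10.0.0.5,203.0.113.9,14444,tcp,5120
2018-10-10T12:00:06,10.0.0.5,203.0.113.9,14444,tcp,2048
2018-10-10T12:00:09,10.0.0.8,198.51.100.7,80,tcp,800
2018-10-10T12:00:11,10.0.0.9,203.0.113.44,14444,udp,300
"""


def flag_miner_flows(flow_csv, port=MINER_PORT):
    """Return {src: set(dst)} for sources with TCP flows to `port`.

    UDP rows are ignored: the article only reports TCP traffic on 14444,
    and the sample includes a UDP row to show the filter is protocol-aware.
    """
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() == "tcp" and int(row["dport"]) == port:
            hits[row["src"]].add(row["dst"])
    return dict(hits)


# Constructed inventory in the shape an EDR or file-scan export might give:
# (path, publisher from the Authenticode signature, or None if unsigned).
SAMPLE_INVENTORY = [
    (r"C:\Users\a\Downloads\AdobeFlashPlayer_1234.exe", None),
    (r"C:\Windows\System32\Macromed\Flash\FlashUtil32_31_0_0_108_ActiveX.exe",
     "Adobe Systems Incorporated"),
    (r"C:\Users\a\Downloads\AdobeFlashPlayerUpdate.exe", "Some Unknown Ltd"),
    (r"C:\Program Files\7-Zip\7z.exe", "Igor Pavlov"),
]

# Assumed publisher strings; check against the signer names you actually see.
ADOBE_PUBLISHERS = {"adobe inc.", "adobe systems incorporated"}


def flag_fake_flash_installers(inventory):
    """Return paths named AdobeFlashPlayer* that are unsigned or signed by a non-Adobe party.

    Both cases are flagged: an unsigned file shows as "Unknown publisher", and a file
    signed by someone other than Adobe is just as suspicious for this file name.
    """
    suspects = []
    for path, publisher in inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if not name.lower().startswith("adobeflashplayer"):
            continue
        if publisher is None or publisher.lower() not in ADOBE_PUBLISHERS:
            suspects.append(path)
    return suspects


if __name__ == "__main__":
    for src, dsts in flag_miner_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> TCP/{MINER_PORT} to {sorted(dsts)}")
    for path in flag_fake_flash_installers(SAMPLE_INVENTORY):
        print(f"suspect installer: {path}")
```

A hit from either function is a pivot, not a verdict: confirm by checking the process that owns the connection and the hash and signature of the file before treating the host as infected, and remember that the port check says nothing about a miner configured to use a different port or pool.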
Concluding a blog post on the campaign, Palo Alto Networks' Brad Duncan said: “This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs. Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
Only download updates from the software vendor's own website, or let the application's built-in updater fetch them, and trust nothing that arrives from an external source.
Enjeck Mbeh Cleopatra