Fake Flash Player Installer Embeds Monero Coin Miner, Wreaking Havoc in the Wild
Adobe Flash Player, the erstwhile universal plugin for rich multimedia content on the web, has been the favorite whipping boy of security professionals for decades. The vulnerable browser plugin has been a steady source of security exploits and widens the attack surface of any device it is installed on. It used to be supported on Android devices before version 4.1 Jelly Bean, but Adobe itself abandoned the port for security reasons. Meanwhile, it has been banned from the iPhone from the beginning.
Since then Adobe Flash Player has become an unwanted child: although it is still fully supported as a browser plugin on Windows, macOS and Linux, browsers have deprecated it to “Click-to-Play”, so it only runs when the user explicitly allows it rather than automatically in the background whenever a browser window is opened.
This week brought another nail for Flash Player’s coffin, as Palo Alto Networks’ Unit 42 disclosed that a fake Flash Player installer is circulating on the web, first detected in the wild in August 2018. The fake installer bundles a legitimate copy of Adobe Flash Player together with the XMRig cryptojacking malware, a Monero coin miner. Not all users carefully check the update prompts they receive; many just click the Next button in an install wizard, believing they are installing genuine software.
“This sample generated Adobe Flash installer popup windows and a Flash Player installation. An XMRig Cryptocurrency miner then worked in the background of my infected Windows host. Potential victims will receive warnings about running such downloaded files on their Windows computer. Network traffic during the infection consisted mainly of the Flash update. But my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444,” explained Brad Duncan, Unit 42’s Threat Intelligence Analyst.
Most computer users are not technically savvy enough to detect that a coin miner has been installed on their machine. The infected computer behaves normally, with all of its programs continuing to operate without errors or corruption. The goal of coin-miner malware is simply to keep mining, Monero coins in the case of XMRig, and it is built to hide from the Windows Task Manager while stealing CPU/GPU cycles in the background.
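The infection sequence Duncan describes (Flash-update traffic from a host, followed shortly by connections to the XMRig mining port, TCP 14444) gives a defender something concrete to look for in connection logs. The script below is an added example, not code from the article or from Unit 42: it parses constructed connection-log lines (timestamp, source, destination, port, requested path), remembers when each host last downloaded something that looks like a Flash installer, and flags hosts that then talk to port 14444 within a time window. The log format, the "flash" path heuristic and the 30-minute window are assumptions chosen for the example; the port number is the one named on the page.

```python
from datetime import datetime, timedelta

# TCP port named in the Unit 42 write-up for the XMRig mining traffic.
MINING_PORTS = {14444}
# Assumption: an .exe download whose path contains "flash" is treated as a
# Flash-installer download for correlation purposes (heuristic, not an IoC).
INSTALLER_HINTS = ("flash",)

# Constructed sample log: "timestamp src_ip dst_ip dst_port uri" (not from the page).
SAMPLE_LOG = """\
2018-08-20T10:00:01Z 10.0.0.5 203.0.113.10 443 -
2018-08-20T10:00:04Z 10.0.0.5 203.0.113.20 80 /flashplayer_download.exe
2018-08-20T10:00:10Z 10.0.0.7 203.0.113.10 443 -
2018-08-20T10:01:30Z 10.0.0.5 198.51.100.7 14444 -
2018-08-20T10:02:00Z 10.0.0.9 203.0.113.30 14444 -
2018-08-20T10:05:00Z 10.0.0.5 198.51.100.7 14444 -
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, src, dst, port, uri = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "uri": uri,
    }


def looks_like_flash_installer(uri):
    """Heuristic: executable download whose path mentions Flash."""
    u = uri.lower()
    return u.endswith(".exe") and any(hint in u for hint in INSTALLER_HINTS)


def find_suspects(log_text, window=timedelta(minutes=30)):
    """Return {src_ip: verdict} for hosts that contacted a mining port.

    Verdicts:
      "installer-then-mining": a Flash-installer download preceded the
                               mining-port connection within `window`
      "mining-port-only":      mining-port traffic with no preceding download
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_installer = {}  # src_ip -> timestamp of most recent installer download
    verdicts = {}
    for e in events:
        if looks_like_flash_installer(e["uri"]):
            last_installer[e["src"]] = e["ts"]
            continue
        if e["port"] in MINING_PORTS:
            seen = last_installer.get(e["src"])
            if seen is not None and e["ts"] - seen <= window:
                # Strongest verdict always wins, even if a weaker one was set earlier.
                verdicts[e["src"]] = "installer-then-mining"
            else:
                verdicts.setdefault(e["src"], "mining-port-only")
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(find_suspects(SAMPLE_LOG).items()):
        print(f"{host}: {verdict}")
```

On the constructed sample, 10.0.0.5 downloads an installer and reaches port 14444 ninety seconds later, so it gets the stronger verdict; 10.0.0.9 only shows mining-port traffic; 10.0.0.7 never appears. In practice the port alone is a weak signal (miners can be pointed at any port), so the correlation with the preceding download is what earns the higher-confidence verdict.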
“I cannot say if Flash version detection was happening in the background, because I only saw the final result. However, different families of malware can profile a system to determine what types of software are on the victim’s host, and consistent URL patterns and file names for these Flash installers indicate they are all the same campaign,” added Duncan.
Adobe itself has set the death date of its once-ubiquitous Flash Player for 2020. However, Palo Alto doubts that Adobe has the means to prevent third parties from repackaging the Flash Player installer and embedding malware in it. “Traffic from these fake updates looks the same as legitimate updates from the server side, so I’m not sure how Adobe could block this. Only get Flash updates from Adobe and protect against downloads from unknown/untrusted sites,” Duncan said. “One should not install software provided by an unexpected window/web page that appears during routine browsing, no matter how convincing it may seem,” concluded Duncan.