Researchers have recently found that fake Flash updates – often used by cybercriminals to push various types of malware – are now installing cryptojacking malware on victims’ computers to mine monero (XMR).
According to a post published by Unit 42’s Brad Duncan, the fake Flash updates borrow pop-up notifications from the official Adobe installer, but add malware to them. When users actually go through these updates, they are also given programs like XMRig, a cryptocurrency miner.
Per Duncan, these fake updates also install Adobe’s real Flash Player, to try to trick victims into believing it was a legitimate update. His post reads:
These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.
While the security researcher notes that in most cases these updates aren’t very stealthy, this one is, because it actually does what the user wanted it to do. The researcher noted he had found hundreds of fake Flash updates since March, but that the cryptojacking strain has only been around since August.
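As an added example (not code from the Unit 42 post or from Adobe), here is a detection heuristic over constructed process-creation records: it flags the miner child of a fake updater while leaving the legitimate Flash install the same updater spawns unflagged. The paths, parent names and command lines are constructed sample data; the indicator strings are common XMRig command-line options and pool URL schemes.

```python
import re

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Sample data for this example only, not telemetry from the incident described.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\alice\Downloads\FlashPlayer_Update.exe",
     "image": r"C:\Windows\Temp\install_flash_player.exe",
     "cmdline": "install_flash_player.exe -install"},
    {"parent": r"C:\Users\alice\Downloads\FlashPlayer_Update.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER "
                "--donate-level 1 -k"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe -url https://example.org"},
]

# Command-line traits of XMRig-style miners; each is weak alone, strong combined.
MINER_INDICATORS = {
    "stratum pool URL": re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    "xmrig donate-level option": re.compile(r"--donate-level\b", re.I),
    "pool host:port argument": re.compile(r"(?:^|\s)(?:-o|--url)\s+\S+:\d+\b", re.I),
    "monero mining algorithm": re.compile(r"\b(?:cryptonight|randomx|rx/0)\b", re.I),
}
# Binaries running from user-writable directories deserve a lower threshold.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.I)


def miner_indicators(cmdline):
    """Return the names of the miner indicators present in a command line."""
    return [name for name, rx in MINER_INDICATORS.items() if rx.search(cmdline)]


def flag_events(events):
    """Flag processes whose launch looks like a miner.

    Two indicators always flag; a single indicator flags only when the binary
    runs from a user-writable path, so a lone '-o host:port' from a legitimate
    tool in Program Files does not trip the rule. The real Flash installer
    spawned by the same fake updater has no indicators and stays unflagged.
    """
    hits = []
    for ev in events:
        found = miner_indicators(ev["cmdline"])
        in_user_dir = bool(USER_WRITABLE.search(ev["image"]))
        if len(found) >= 2 or (found and in_user_dir):
            hits.append({"image": ev["image"], "parent": ev["parent"], "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"{hit['image']} (parent {hit['parent']}): {', '.join(hit['indicators'])}")
```

In a real deployment the parent image of a flagged miner (here the fake updater) is the pivot for hunting the initial download across other hosts.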
Cryptojacking is the practice of using someone else’s CPU resources to mine cryptocurrencies without their knowledge. It has been turning into a popular practice among cybercriminals, so much so that McAfee Labs reported cryptojacking cases surged 629% in Q1 of this year.
Further studies found that 59% of businesses in the United Kingdom have, at some point, suffered cryptojacking attacks. Most of these occurred this year, according to respondents.
Fighting Back
The cryptojacking trend has grown so much that various organizations have decided to fight back. Popular web browsers like Opera and Brave added built-in cryptojacking protection months ago, with Firefox following suit last month.
The monero community has condemned the widespread attacks and in response created the Monero Malware WorkGroup, which is set to help provide users with the necessary tools and resources to protect themselves against this type of attack.
Notably, a vigilante botnet targeting cryptojacking malware has also been discovered. The botnet, according to security researchers, searches the web looking for this type of malware so it can then execute kamikaze attacks against it. This attack sees the botnet attach itself to the malware, and then destroy itself with it.