Fake Adobe Flash Updater Installs Cryptocurrency Miners


Fully [H]
Apr 10, 2003
Fake Adobe Flash installers are infecting computers with malicious programs such as the XMRig cryptocurrency miner. They fool users into thinking the program is legitimate by using genuine Adobe graphics and pop-up screens from the official Adobe installer. They even properly update Adobe Flash to the latest version on the victim's PC. But they download the legitimate Flash update from a compromised server along with cryptocurrency miners that force the victim's PC to mine Monero.

While searching for these particular fake Flash updates, we noticed Windows executable file names starting with AdobeFlashPlayer__ from non-Adobe, cloud-based web servers. These downloads always contained the string flashplayer_down.php?clickid= in the URL. We found 113 examples of malware meeting these criteria since March 2018 in AutoFocus. 77 of these malware samples are identified with a CoinMiner tag in AutoFocus. The remaining 36 samples share other tags with those 77 CoinMiner-related executables. See Appendix A for the full list of the file hashes. Appendix B lists 473 file names and URLs for these fake Flash updates from March 25th, 2018 through September 10th, 2018.
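The quoted passage gives three observable criteria for this campaign: an executable name starting with AdobeFlashPlayer__, a download host that is not Adobe's, and the string flashplayer_down.php?clickid= in the URL. The following is an added example (not code from the report or from AutoFocus) that turns those three criteria into a hunt over web proxy logs. The log format (timestamp, client IP, URL, saved file name) and all sample lines are constructed for the example, and treating any host under adobe.com as "Adobe" is an assumption, not something the report states.

```python
"""Hunt for fake Flash updater downloads in proxy logs using the three
criteria from the Unit 42 write-up: file name prefix, non-Adobe host,
and the flashplayer_down.php?clickid= URL marker. Added example; the log
format, sample lines and Adobe domain list are constructed assumptions."""

from urllib.parse import parse_qs, urlsplit

# Constructed sample log: timestamp, client IP, URL, file name written to disk.
# None of these hosts or clickids come from the report.
SAMPLE_LOG = """\
2018-09-10T12:01:33Z 10.0.0.15 http://cdn-example-1.invalid/flashplayer_down.php?clickid=abc123 AdobeFlashPlayer__1234.exe
2018-09-10T12:05:10Z 10.0.0.15 https://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe install_flash_player.exe
2018-09-10T12:09:48Z 10.0.0.22 http://storage-example-2.invalid/files/flashplayer_down.php?clickid=9f8e7d&x=1 AdobeFlashPlayer__update.exe
2018-09-10T12:15:02Z 10.0.0.31 http://example.invalid/news.php?clickid=zzz report.pdf
2018-09-10T12:20:55Z 10.0.0.40 http://cdn-example-3.invalid/flashplayer_down.php?clickid=q1w2e3 setup.exe
"""

URL_MARKER = "flashplayer_down.php?clickid="   # string the report says every URL contained
NAME_PREFIX = "AdobeFlashPlayer__"             # file name prefix the report observed
ADOBE_DOMAINS = ("adobe.com",)                 # assumption: Adobe's own hosts end in adobe.com


def is_adobe_host(host: str) -> bool:
    """True if host is an Adobe domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)


def classify(url: str, filename: str) -> list:
    """Return the list of report criteria this download meets (subset of three)."""
    hits = []
    if URL_MARKER in url:
        hits.append("url_marker")
    if filename.startswith(NAME_PREFIX) and filename.lower().endswith(".exe"):
        hits.append("name_prefix")
    if not is_adobe_host(urlsplit(url).hostname or ""):
        hits.append("non_adobe_host")
    return hits


def scan(log_text: str):
    """Split downloads into full matches (all three criteria) and partial ones
    (URL marker present but not every criterion), for analyst triage.
    Lines that do not have exactly four fields are skipped."""
    full, partial = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, url, filename = fields
        hits = classify(url, filename)
        if "url_marker" not in hits:
            continue  # the URL marker is the anchor the report says was always present
        parts = urlsplit(url)
        entry = {
            "time": ts,
            "client": client,
            "host": parts.hostname,
            "file": filename,
            # clickid is an affiliate-style tracking value; keep it for pivoting
            "clickid": parse_qs(parts.query).get("clickid", [""])[0],
            "criteria": hits,
        }
        (full if len(hits) == 3 else partial).append(entry)
    return full, partial


if __name__ == "__main__":
    full_matches, partial_matches = scan(SAMPLE_LOG)
    for e in full_matches:
        print("FULL   ", e["time"], e["client"], e["host"], e["file"], "clickid=" + e["clickid"])
    for e in partial_matches:
        print("PARTIAL", e["time"], e["client"], e["host"], e["file"], e["criteria"])
```

Partial matches are worth a look: the URL marker is the most specific of the three indicators, so a download that carries it under a different file name (like setup.exe above) is more likely a variant than a false positive. The legitimate adobe.com download in the sample meets none of the criteria and is not reported.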
This has been known for quite some time. The fake Adobe updater/installer viruses.
Who the hell is still using Flash for anything? They get what they deserve, as far as I am concerned.
XMRig isn't malicious if you actually want to mine CryptoNight coins anyway. Just if you didn't ask for it.
IIRC, years ago the legitimate Adobe installer had a nasty habit of installing extra software if you weren't very careful in either checking or unchecking certain boxes. Guess some things don't change much.
Installing Flash-anything from an unknown publisher (<== key words) is dangerous in and of itself. Best to get any Flash update directly from Adobe and nowhere else.