Cryptominers have dethroned ransomware as the top malware threat and cybercriminals are coming up with new ways to keep the mining activity secret from the victims.

One of these includes tricking users into unknowingly downloading and running the mining software via a fake Adobe Flash updater. To keep up appearances, the fake updater uses pop-up notifications from the official Adobe installer.

The campaign

At the start of August, Palo Alto Networks researchers have noticed Windows executables file names starting with AdobeFlashPlayer__ being served from non-Adobe, cloud-based web servers.

They couldn’t discover how potential victims were arriving at the URLs delivering these fake updates, but they could test them.

They discovered that the updater does an exceptional job at impersonating the official Adobe installer and actually also updates a victim’s Flash Player to the latest version. But, in the background, it also installs the XMRig Cryptocurrency miner.

There is an indication that the update might not be legit: Windows does provide a warning about it being from an unknown publisher:

Unfortunately, many users fail to understand and heed such warnings.

“Network traffic during the infection consisted mainly of the Flash update. But my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444,” Palo Alto’s Brad Duncan noted.

Spotting covert cryptomining activity is difficult without security software or software that shows insight into the network traffic going to and from one’s computer. Users may notice that their machine has become more sluggish, but even that clue is often overlooked.

Judging by Palo Alto’s detections, this malware delivery campaign is still going strong. “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates,” Duncan pointed out.