The fake Adobe Flash update has been actively used in a campaign since this summer. It borrows code from the legitimate update and really does update the victim's software, but it also includes code to download an XMRig cryptocurrency miner onto Windows systems.
"However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer," reads the analysis published by Palo Alto Networks.
These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but the malware can also update a victim's Flash Player to the latest version.
The fake Adobe Flash updates use file names starting with AdobeFlashPlayer and are hosted on cloud-based web servers that don't belong to Adobe.
The downloads always include the string flashplayer_down.php?clickid= in the URL.
At the time of the report, it was still unclear how attackers were spreading the URLs delivering the fake Adobe Flash update.
The domain is associated with other updaters or installers pushing cryptocurrency miners and other unwanted software
Network traffic analysis revealed that the infected Windows hosts connect to osdsoft[.]com via HTTP POST requests. This domain was associated with updaters or installers pushing cryptocurrency miners.
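The indicators quoted above (a download URL containing flashplayer_down.php?clickid=, a file name starting with AdobeFlashPlayer served from a non-Adobe host, and HTTP POST traffic to osdsoft[.]com) are easy to turn into a proxy-log check. The following is an added example, not code from the article or from Palo Alto Networks; the log format (timestamp, method, URL per line) and the sample lines are constructed, and the hostnames other than osdsoft.com are placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the report): "<timestamp> <method> <url>" per line.
SAMPLE_LOG = """\
2018-10-11T10:01:02Z GET http://cdn-host.invalid/flashplayer_down.php?clickid=ABC123
2018-10-11T10:01:05Z GET https://get.adobe.com/flashplayer/
2018-10-11T10:02:17Z POST http://osdsoft.com/check
2018-10-11T10:03:00Z GET http://mirror.invalid/files/AdobeFlashPlayer_setup.exe
2018-10-11T10:04:41Z GET https://download.adobe.com/AdobeFlashPlayerInstaller.exe
"""

# Indicators taken from the article. The domain is written defanged in the
# article (osdsoft[.]com); it is refanged here so it can match a parsed host.
URL_MARKER = "flashplayer_down.php?clickid="
SUSPECT_DOMAIN = "osdsoft.com"
FILENAME_PREFIX = "AdobeFlashPlayer"


def is_adobe_host(host: str) -> bool:
    """True for adobe.com and any of its subdomains (assumed to be legitimate)."""
    return host == "adobe.com" or host.endswith(".adobe.com")


def matches_domain(host: str, domain: str) -> bool:
    """Exact match or subdomain match, so 'a.osdsoft.com' is also caught."""
    return host == domain or host.endswith("." + domain)


def classify(line: str) -> list:
    """Return the list of indicator names that a single log line triggers."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return []  # malformed line, nothing to judge
    _timestamp, method, url = parts
    parsed = urlsplit(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]

    reasons = []
    if URL_MARKER in url:
        reasons.append("fake-flash-download-url")
    if method.upper() == "POST" and matches_domain(host, SUSPECT_DOMAIN):
        reasons.append("post-to-osdsoft")
    # An AdobeFlashPlayer* file name is only suspicious off Adobe's own servers.
    if filename.startswith(FILENAME_PREFIX) and not is_adobe_host(host):
        reasons.append("adobeflashplayer-file-off-adobe-host")
    return reasons


def scan(log_text: str) -> list:
    """Scan a whole log; return (line_number, url, reasons) for each flagged line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line)
        if reasons:
            url = line.split(maxsplit=2)[2]
            hits.append((number, url, reasons))
    return hits


if __name__ == "__main__":
    for number, url, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {url} -> {', '.join(reasons)}")
```

Only three of the five constructed lines are flagged; the two requests to adobe.com hosts pass, which is the point of checking the host and not just the file name.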
This domain is associated wi...