Cryptominers Hide Malware in Flash Updates

Adobe has vowed to stop updating Flash in 2020. That's good news--Flash is often responsible for slow load times, incompatibility with mobile browsers and serious vulnerabilities in otherwise secure PCs. Palo Alto Networks added yet another mark under that last issue by revealing that hackers are hiding cryptocurrency mining software in Flash updates so they can make money using other people's hardware.

Cryptocurrency mining's popularity exploded in 2017 when Ethereum's value skyrocketed. The rush to mine the nascent cryptocurrency had a significant effect on the graphics card market, inspired countless other companies to introduce their own "coins" and basically pushed cryptocurrency back into the public consciousness. With that rise in consumer interest, however, came more efforts to illicitly mine digital money.

These efforts aren't usually very sophisticated and can be easily detected. Palo Alto Networks discovered in August, however, that someone had found a way to hijack legitimate notifications about new versions of Flash to quietly install cryptocurrency mining software like XMRig. The attack also installed the Flash update, leading people to believe everything was hunky-dory even as their systems were being compromised.

Credit: Palo Alto NetworksCredit: Palo Alto Networks

Cryptocurrency mining software can seriously affect a system's performance. That's why many serious miners use dedicated systems, or at the very least run the appropriate mining software when they aren't planning to use a system for anything else. Even if the software hidden in Flash updates is set to use as little resources as possible, however, the fact remains that someone is sacrificing the performance of their victim's PC so they can make money.

The blame here doesn't appear to lie entirely with Flash. Adobe could likely secure the installer better to prevent hijacking its notifications, but the attackers probably targeted Flash simply because it's so popular and is regularly updated. Pretty much everyone has to install Flash, and unless they get one of those notifications, they probably don't think about updating it. That makes it the perfect target for campaigns like this.

Palo Alto Networks said that "organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates." The company has, naturally, also updated its security products to prevent these attacks. In the meantime, Flash users will have to be a little more wary as they count down the days until Adobe lets them out of their misery by finally letting Flash go quietly into the night.

    Your comment
  • rantoc
    Something Adobe not secure? Reeeeally *act shocked*
  • spdragoo
    Which is also one of the reasons why, when the notification pops up after logging onto my PC, instead of clicking that link I go directly to Adobe's site to check for a Flash update.
  • stdragon
    Friends don't let friends use Flash. HTML5 or bust!