A new cryptocurrency mining campaign has been uncovered that takes extra steps to masquerade as an Adobe Flash Player installer. The campaign was heavily distributed from late July until the end of September.

In this campaign, the fake Flash Player Trojan installs an XMRig miner and also updates the installed Flash Player. The Trojan downloads the real Adobe Flash installer from Adobe's website. Because it actually installs the genuine update, the victim has less reason to be suspicious, and the Trojan's claim to be a real Adobe installer gains credibility. According to researchers, "The installers caused traffic behind the scenes to retrieve the official Adobe Flash player from Adobe servers. They worked very similar to an actual Flash installer."

While Flash Player is being updated, the miner is installed and started without the victim's knowledge. Once started, it connects to a mining pool (xmreu1.nanopool.org) and uses almost 100% of the CPU to mine Monero cryptocurrency.

Users are advised to download Adobe updates only directly from Adobe's website.
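As an added illustration, not part of the original report, the script below shows how a defender might turn the behaviours described above into detection logic: a Flash-named installer fetched from a host other than Adobe's, a connection to the mining pool named in the report, and sustained near-100% CPU use by one process. The log format, the sample log lines, the `.nanopool.org` suffix generalisation, the `adobe.com` trust list and the thresholds are all assumptions made for this example; only the pool hostname `xmreu1.nanopool.org` comes from the report.

```python
"""Detection sketch for the fake-Flash-installer coinminer behaviour (added example).

Assumed endpoint log format (constructed for this example):
    <timestamp> <event> key=value key=value ...
where <event> is one of: download, netconn, cpu.
"""
import re
from urllib.parse import urlparse

# Indicator taken from the report above.
MINING_POOL_HOSTS = {"xmreu1.nanopool.org"}
# Assumption: other hostnames under the same pool domain are treated as mining traffic too.
MINING_POOL_SUFFIXES = (".nanopool.org",)
# Assumption: the only legitimate source for Flash Player installers.
TRUSTED_UPDATE_DOMAINS = ("adobe.com",)
# Assumption: the report's symptom is CPU use close to 100%, so require several
# consecutive high samples rather than firing on a single spike.
CPU_PCT_THRESHOLD = 90.0
MIN_HIGH_CPU_SAMPLES = 3

FLASH_NAME_RE = re.compile(r"flash.*player|flashplayer", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log; hostnames other than the pool and adobe.com are invented.
SAMPLE_LOG = """
2018-10-01T10:00:01Z download pid=4120 proc=chrome.exe url=https://update-flashplayer.example/FlashPlayer_update.exe
2018-10-01T10:00:20Z download pid=5120 proc=FlashPlayer_update.exe url=https://www.adobe.com/flashplayer/installer.exe
2018-10-01T10:00:25Z netconn pid=5120 proc=FlashPlayer_update.exe dst=www.adobe.com:443
2018-10-01T10:00:40Z netconn pid=6001 proc=svchost64.exe dst=xmreu1.nanopool.org:14444
2018-10-01T10:01:00Z cpu pid=6001 proc=svchost64.exe pct=97.0
2018-10-01T10:02:00Z cpu pid=6001 proc=svchost64.exe pct=99.2
2018-10-01T10:03:00Z cpu pid=6001 proc=svchost64.exe pct=98.5
2018-10-01T10:01:00Z cpu pid=2200 proc=chrome.exe pct=95.0
2018-10-01T10:02:00Z cpu pid=2200 proc=chrome.exe pct=12.0
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def is_mining_pool(host):
    """True for the reported pool hostname or anything under the assumed pool domain."""
    host = host.lower().rstrip(".")
    return host in MINING_POOL_HOSTS or host.endswith(MINING_POOL_SUFFIXES)


def is_trusted_update_host(host):
    """True only for the trusted domain itself or a subdomain of it (not 'notadobe.com')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_UPDATE_DOMAINS)


def analyze(lines):
    """Return a list of (pid, process, reason, detail) findings for the given log lines."""
    findings = []
    high_cpu_samples = {}  # pid -> count of consecutive samples above the threshold
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid, proc, event = rec.get("pid", "?"), rec.get("proc", "?"), rec["event"]
        if event == "download":
            url = rec.get("url", "")
            host = urlparse(url).hostname or ""
            # A Flash-named installer that does not come from Adobe is the lure described above.
            if FLASH_NAME_RE.search(url) and not is_trusted_update_host(host):
                findings.append((pid, proc, "flash-installer-from-untrusted-host", host))
        elif event == "netconn":
            host = rec.get("dst", "").rsplit(":", 1)[0]
            if is_mining_pool(host):
                findings.append((pid, proc, "mining-pool-connection", host))
        elif event == "cpu":
            if float(rec.get("pct", "0")) >= CPU_PCT_THRESHOLD:
                high_cpu_samples[pid] = high_cpu_samples.get(pid, 0) + 1
                if high_cpu_samples[pid] == MIN_HIGH_CPU_SAMPLES:
                    findings.append((pid, proc, "sustained-high-cpu", rec["pct"]))
            else:
                high_cpu_samples[pid] = 0  # a single busy sample followed by idle is not a miner
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample the script reports three findings: the installer downloaded from a non-Adobe host, the connection to `xmreu1.nanopool.org`, and the process that stays above the CPU threshold for three samples; the browser's single CPU spike and the genuine download from Adobe produce nothing. In a real deployment the process-to-pool and process-to-CPU findings would be correlated on the same pid to raise confidence.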
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is