Online criminals have frequently distributed their malware attacks as fake updates for Adobe Flash.
Security-savvy computer users haven’t found such attacks difficult to spot and know to only get updates to Adobe Flash Player from the company’s own website.
A new wave of attacks, however, has added a twist to the traditional malware attack disguised as an update to Adobe Flash Player by actually updating Adobe Flash… for real!
Have malicious hackers had a surprising change of heart? Have online criminals replaced avarice with altruism?
Sadly not, because although a fake Adobe update is really updating Adobe Flash, it is also sneakily installing cryptomining code onto the Windows computers of its unsuspecting victims.
Security researchers at Palo Alto Networks published details of how XMRig cryptomining code has been installed under the cover of fake Adobe Flash updates. Fake Flash updates that borrow genuine pop-up notifications from the official Adobe installer do indeed update their victim’s Flash Player installation.
Of course, a user is less likely to suspect that an Adobe Flash update was bogus if their installation of Adobe Flash really is brought up-to-date. But that’s not to say there are no clues that the installer is not the one approved by Adobe.
One warning sign, for instance, is that the bogus installer has not been digitally signed by Adobe, which causes Windows to pop up a warning that the user is about to run code from an unknown publisher.

Unfortunately, many users may ignore the warning and grant permission for the program to execute regardless, causing the Adobe Flash installation to be updated and XMRig cryptomining code to be installed.

In tests conducted by Palo Alto’s Brad Duncan, an infected Windows computer soon began to generate network traffic over TCP port 14444 associated with XMRig mining code in an (Read more...)
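As an added, defender-side illustration of that network indicator (example code written for this page, not code from the original post or from Palo Alto Networks): the script below scans a handful of constructed firewall log lines, loosely laid out like Windows Firewall's pfirewall.log, and reports which internal hosts initiated outbound TCP connections to port 14444. The log lines, IP addresses and the `WATCHED_PORTS` set are assumptions made for the demo; 14444 is the only port the post itself names.

```python
"""Flag internal hosts whose outbound TCP traffic hits a mining-pool port.

Added example, not code from the original post. The log lines below are
constructed for this demo and loosely follow the Windows Firewall
pfirewall.log layout (date time action protocol src-ip dst-ip src-port
dst-port size tcpflags path). The watched port is the one the post
reports for XMRig traffic (TCP 14444).
"""
from collections import defaultdict

# Destination ports to watch. Only 14444 comes from the post; extend the
# set from your own intelligence rather than guessing.
WATCHED_PORTS = {14444}

# Constructed sample log (assumed format and addresses, not real data).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags path
2018-10-12 09:01:03 ALLOW TCP 10.0.0.21 203.0.113.5 51022 443 0 S SEND
2018-10-12 09:01:07 ALLOW TCP 10.0.0.21 192.0.2.77 51023 14444 0 S SEND
2018-10-12 09:01:09 ALLOW UDP 10.0.0.21 10.0.0.1 54111 53 0 - SEND
2018-10-12 09:01:30 ALLOW TCP 10.0.0.21 192.0.2.77 51024 14444 0 S SEND
2018-10-12 09:02:00 ALLOW TCP 10.0.0.35 198.51.100.9 50100 80 0 S SEND
2018-10-12 09:02:15 ALLOW TCP 192.0.2.77 10.0.0.21 14444 51023 0 A RECEIVE
2018-10-12 09:02:20 DROP TCP 10.0.0.35 192.0.2.77 50101 14444 0 S SEND
"""


def parse_line(line):
    """Return a dict for one log record, or None for header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    try:
        return {
            "ts": f"{f[0]} {f[1]}",
            "action": f[2],
            "proto": f[3],
            "src": f[4],
            "dst": f[5],
            "sport": int(f[6]),
            "dport": int(f[7]),
            "path": f[10],
        }
    except ValueError:
        return None


def find_mining_connections(log_text, watched_ports=WATCHED_PORTS):
    """Return outbound (SEND) TCP records whose destination port is being watched.

    Inbound replies (RECEIVE) carry the pool port as the *source* port and are
    deliberately ignored so each attempt is counted once.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and rec["path"] == "SEND" and rec["dport"] in watched_ports:
            hits.append(rec)
    return hits


def summarize_by_host(hits):
    """Group hits by internal source host: attempt count, distinct destinations,
    and whether any attempt was actually allowed through the firewall."""
    summary = defaultdict(lambda: {"count": 0, "destinations": set(), "allowed": False})
    for rec in hits:
        s = summary[rec["src"]]
        s["count"] += 1
        s["destinations"].add(rec["dst"])
        if rec["action"] == "ALLOW":
            s["allowed"] = True
    return dict(summary)


if __name__ == "__main__":
    hosts = summarize_by_host(find_mining_connections(SAMPLE_LOG))
    for host, info in sorted(hosts.items()):
        status = "ALLOWED - investigate host" if info["allowed"] else "blocked at firewall"
        print(f"{host}: {info['count']} attempt(s) to {sorted(info['destinations'])} ({status})")
```

A port-only rule like this is a cheap first pass, not a verdict: mining pools are reachable on many ports and attackers change them, so treat a hit as a prompt to look at the originating process on that host (an unexpected miner binary launched by an "installer" is the real finding) rather than as proof on its own.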
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/featured/fake-adobe-update-cryptominer/