Posted on October 15, 2018 at 3:02 PM
Another cryptocurrency mining malware was recently identified by a team of researchers at Palo Alto Networks. The new crypt mining bot called XMRig was first noticed circulating the web as a fake Flash updater. According to researchers, over 113 installments of this fake updater have been noticed in the last several months.
The updater is believed to have started attacking computers actively at some point in August of this year. The infected devices have since been used for mining a privacy coin called Monero (XMR). One curious thing regarding the new malware is that it actually does update Flash Player to its latest version, according to analyst Brad Duncan.
Additionally, the fake Adobe is not only targeting individual computers, but also entire networks. It works by infecting the system with a mining malware that updates Flash in order to avoid detection. After that, malware goes on to do what it has been created to do, which is believed to be an evolved form of cryptojacking.
As soon as it is fully installed, it uses the infected device’s resources for Monero mining. Additionally, it places a real Flash update in order to not awake any suspicion from the user. After the Flash actually receives an update, most users believe that everything is in order, and they forget about it. However, the malware is still there, beneath the surface, and it continues to mine Monero.
New mining malware is difficult to detect
According to analysts, this form of an attack is growing increasingly popular, as it is much more subtle than ransomware. which was at its height during 2017. With ransomware, hackers gain control of their victim’s files and demand payment. However, with crypto mining, the computer can be exploited for as long as the attacker wants. Provided, of course, that the malware remains undiscovered.
Palo Alto Networks researchers managed to find the malware through one of their regular internet searches. They came across a Windows .exe file called AdobeFlashPlayer. Considering how unsuspecting this seems, researchers advise extremely careful browsing sessions.
Upon testing the file on Windows 7, the system displayed a warning regarding the unauthenticity of the software. This is a sign that attackers either lack sophistication or that they did not bother to be especially sophisticated while creating the malware. Even so, however, most users likely would not detect that anything is amiss since the package itself looks pretty genuine.
At this point, trying to make an assessment regarding the number of affected users comes down to pure guessing. Researchers were only able to confirm 113 instances, but they believe that the real number is much, much higher than that. If true, this would mean that combining two malicious attacks can significantly expand the scope of cryptojacking.