Fake document file installs Adobe Flash Update with a Cryptominer
The SonicWALL Capture Labs Threat Research team has come across another Trojan that disguises itself as a legitimate application update file but installs a cryptominer in the background. This Trojan appears to arrive as a fake PDF file posing as an important document. And to mislead its victim, it will actually install a legitimate copy of Adobe Flash Player.
Infection Cycle:
This Trojan arrives as a fake document and may use names such as the following:
- RFQ_4872839.pdf.exe
- Quotations234503.pdf.exe
- NEW RFQ PDF.exe
- ORDER COMFIRMATION.pdf.exe
Upon execution it makes a DNS query to savasoffer.tk.
And immediately after this, the Trojan downloads a flash updater file from osdsoft.com followed by downloading another Trojan downloader which then installs a cryptominer.
The downloaded files are then saved within the %APPDATA% directory.
- %APPDATA%/Microsoft/explorer.exe (Adobe flash updater file)
- %APPDATA%/Microsoft/DBUpdater.exe (Trojan downloader file)
A window showing the Adobe Flash update installation progress will then popup.
While the Trojan downloader file executes and downloads an installer of XMRig, a Monero CPU miner and silently installs it into the victim’s machine.
SonicWall Capture Labs provides protection against this threat via the following signatures:
- GAV: MalAgent.J_55070 (Trojan)
- GAV: Injector.A_768 (Trojan)
- GAV: XMRig.XMR_3 (Trojan)
