New UpdateChecker Coinminer Package Also Displays Ads to Further Piss You Off

LASER_oneXM

These days it is not uncommon to find both adware and miners being installed together through adware bundles. These programs, though, are typically not created by the same developer and are just being included as different "offers" by the software monetization company.

After examining a new malware sample that was sent to BleepingComputer, I discovered that a new malware called "UpdateChecker" not only includes a miner, but also includes an adware component that displays a popup ad every 60 minutes.

UpdateChecker being distributed as an Adobe Flash Player update
While I have not been able to find the site that actually pushes this malware, based on the "update_flash_player----3006603784----33362_ac4-461___.exe" name of the main installer, it's clear that it is being distributed as a fake update to Adobe Flash Player.

It has become more and more common for fake Adobe Flash update sites to be created that push malware and JS script downloaders onto unsuspecting users. These users then run the executables thinking it's a Flash Update, but will have malware installed on their computer instead.

An example of what one of these fake Flash Update sites looks like can be seen below.

[Image: Fake Flash Update Site]

Fake Update installs an adware and miner package

When this particular fake Flash Player update is installed, it will connect to the fup.host site and download a zip file that contains the adware and miner malware package. This package is then unzipped into the %UserProfile%\AppData\Local\Microsoft\WindowsUpdate\ folder as shown below.


[Image: package files]
 
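A defender-side triage sketch for the three artefacts named in the post (the installer file name, the fup.host download, and the drop folder), added here as an example and not part of the original post or the quoted analysis. The event schema, host names, user names and `payload.bin` are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators quoted in the post above; everything else here is an assumption.
INSTALLER_RE = re.compile(r"^update_flash_player.*\.exe$", re.IGNORECASE)
DOWNLOAD_HOST = "fup.host"
DROP_DIR = ("appdata", "local", "microsoft", "windowsupdate")

def in_drop_dir(path):
    """True for a file below <profile>\\AppData\\Local\\Microsoft\\WindowsUpdate\\."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    span = len(DROP_DIR)
    return any(tuple(parts[i:i + span]) == DROP_DIR for i in range(len(parts) - span))

def is_download_host(name):
    """Match fup.host and its subdomains, but not look-alikes such as notfup.host."""
    name = name.lower().rstrip(".")
    return name == DOWNLOAD_HOST or name.endswith("." + DOWNLOAD_HOST)

def triage(events):
    """Map each host to the sorted stages of the described install chain seen on it."""
    stages = defaultdict(set)
    for ev in events:
        if ev["kind"] == "process" and INSTALLER_RE.match(PureWindowsPath(ev["image"]).name):
            stages[ev["host"]].add("1-fake-installer-run")
        elif ev["kind"] == "dns" and is_download_host(ev["query"]):
            stages[ev["host"]].add("2-package-download-host")
        elif ev["kind"] == "file" and in_drop_dir(ev["target"]):
            stages[ev["host"]].add("3-file-in-drop-folder")
    return {host: sorted(found) for host, found in stages.items()}

# Constructed sample events (hypothetical schema; hosts, users and payload.bin are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process",
     "image": r"C:\Users\alice\Downloads\update_flash_player----3006603784----33362_ac4-461___.exe"},
    {"host": "WS01", "kind": "dns", "query": "fup.host"},
    {"host": "WS01", "kind": "file",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\WindowsUpdate\payload.bin"},
    {"host": "WS02", "kind": "process", "image": r"C:\Users\bob\Downloads\install_flash_player.exe"},
    {"host": "WS02", "kind": "dns", "query": "notfup.host"},
    {"host": "WS02", "kind": "file",
     "target": r"C:\Windows\SoftwareDistribution\Download\update.cab"},
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, found)
```

A host showing all three stages matches the full chain the post describes; a single stage on its own is a lead to investigate rather than a verdict.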
