Is Crypto Mining Malware Being Leveraged by Hackers via a Windows Tool?

Since November 2021, cybercriminals have been exploiting a Windows utility to distribute crypto mining malware, as detailed in a report by Cisco’s Talos Intelligence. The attackers abuse Advanced Installer, a Windows tool that helps software developers package and bundle other software installers, such as one for Adobe Illustrator, so that the trojanized installer runs malicious scripts on the compromised system.

The Targeted Software and the Victims

The software installers affected by this attack are primarily used for 3D modeling and graphic design. Most of the software installers utilized in this malware campaign are written in French, indicating that the victims are likely to be from various business sectors, such as architecture, engineering, construction, manufacturing, and entertainment in French-speaking countries. The analysis suggests that users in France and Switzerland are most affected, with a few cases in other countries, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

The Modus Operandi

The rogue crypto mining operation identified by Talos deploys malicious PowerShell and Windows batch scripts to execute commands and establish a backdoor on the victim’s machine. PowerShell in particular is notorious because its scripts can run entirely in memory, without writing files to disk, which makes the attack harder to detect.

Once the backdoor is installed, the attacker deploys additional payloads: PhoenixMiner, an Ethereum mining program, and lolMiner, a multi-coin miner. The malicious scripts are launched through Advanced Installer’s Custom Action feature, which lets a developer define extra tasks to run during installation. Both final payloads, PhoenixMiner and lolMiner, are publicly available miners that use the GPU of the infected computer.
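The chain described above (installer spawns a batch or PowerShell script, which in turn launches a GPU miner) is something a defender can look for in process-creation telemetry. The following Python example is added here and is not code from the original post or from Talos: it parses a simplified, constructed process-creation log format (a real deployment would read Sysmon or Windows Security event fields and track processes by PID rather than by path), flags script hosts spawned by an installer, follows that lineage down to the miner, and matches the miner names the report gives. The installer name heuristic, the `-pool`/`stratum` command-line markers and the hidden/encoded PowerShell check are assumptions based on common miner and PowerShell usage, not indicators from the report.

```python
"""Flag installer-spawned scripts and GPU miners in process-creation logs (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample records, NOT real telemetry: one process-creation event per line.
# Format is simplified for the example: timestamp, host, parent path, child path, command line.
SAMPLE_LOG = "\n".join([
    r'2021-11-12T09:14:03Z host=ws-01 parent=C:\Windows\explorer.exe child=C:\Users\alice\Downloads\Illustrator-Setup.exe cmd="Illustrator-Setup.exe"',
    r'2021-11-12T09:14:11Z host=ws-01 parent=C:\Users\alice\Downloads\Illustrator-Setup.exe child=C:\Windows\System32\cmd.exe cmd="cmd.exe /c script.bat"',
    r'2021-11-12T09:14:12Z host=ws-01 parent=C:\Windows\System32\cmd.exe child=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -w hidden -ep bypass -enc SQBFAFgA"',
    r'2021-11-12T09:15:40Z host=ws-01 parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe child=C:\ProgramData\drv\PhoenixMiner.exe cmd="PhoenixMiner.exe -pool stratum+tcp://pool.example:4444 -wal 0xPLACEHOLDER"',
    r'2021-11-12T09:20:01Z host=ws-01 parent=C:\Windows\explorer.exe child=C:\Program Files\Notepad++\notepad++.exe cmd="notepad++.exe notes.txt"',
])

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>.+?) child=(?P<child>.+?) cmd="(?P<cmd>.*)"$'
)

KNOWN_MINERS = {"phoenixminer.exe", "lolminer.exe"}      # payload names given in the Talos report
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}             # batch and PowerShell script hosts
INSTALLER_HINTS = ("setup", "install")                   # assumption: naming heuristic for installers
# Assumption: typical miner CLI markers (pool URL scheme / pool flag), not report indicators.
POOL_MARKERS = ("stratum+tcp://", "stratum+ssl://", " -pool ", " --pool ")


@dataclass
class Finding:
    line: int      # 1-based line number in the log
    rule: str      # which rule fired
    child: str     # full path of the process that was flagged


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def looks_like_installer(path: str) -> bool:
    """msiexec.exe runs MSI custom actions; otherwise fall back to a name heuristic."""
    name = basename(path)
    return name == "msiexec.exe" or any(hint in name for hint in INSTALLER_HINTS)


def scan_log(text: str) -> list[Finding]:
    """Return findings for every suspicious event, following installer lineage by path."""
    findings: list[Finding] = []
    tainted: set[str] = set()   # processes descending from an installer-spawned script host
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue                     # skip lines that are not process-creation records
        parent, child, cmd = m["parent"], m["child"], m["cmd"]
        cname, lc = basename(child), cmd.lower()

        # Rule 1: a script host launched directly by an installer (Custom Action pattern).
        if cname in SCRIPT_HOSTS and looks_like_installer(parent):
            findings.append(Finding(n, "installer-spawned-script", child))
            tainted.add(child)
        # Rule 2: anything launched further down that lineage (script -> script -> miner).
        elif parent in tainted:
            findings.append(Finding(n, "installer-lineage", child))
            tainted.add(child)

        # Rule 3: known public miner binaries named in the report.
        if cname in KNOWN_MINERS:
            findings.append(Finding(n, "known-miner", child))
        # Rule 4: mining-pool style arguments (heuristic, see POOL_MARKERS).
        if any(marker in lc for marker in POOL_MARKERS):
            findings.append(Finding(n, "mining-pool-args", child))
        # Rule 5: hidden-window or encoded PowerShell; "-enc" may also match benign
        # "-Encoding" usage, so treat this as a weak signal to correlate with the others.
        if cname == "powershell.exe" and ("-enc" in lc or "-w hidden" in lc):
            findings.append(Finding(n, "hidden-or-encoded-powershell", child))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line}: {f.rule:30s} {f.child}")
```

On the constructed sample this yields six findings: the installer-spawned `cmd.exe`, the `powershell.exe` it launches (lineage plus the hidden/encoded flags), and the miner (lineage, known name and pool arguments); the benign editor launched from Explorer is not flagged. Lineage is tracked by executable path only to keep the example short; in real telemetry, key it on parent and child process IDs so that unrelated processes sharing a path are not conflated.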

The Phenomenon of Cryptojacking

The act of using crypto mining malware is referred to as cryptojacking. It involves secretly installing crypto mining code on a device without the user’s consent in order to mine cryptocurrency illicitly. Signs that mining malware may be running on a device include the device overheating and performing poorly. Using malware families to hijack devices in order to mine or steal cryptocurrency is nothing new. BlackBerry, the former smartphone giant, recently discovered malware scripts actively targeting at least three sectors, including financial services, healthcare, and government.

In light of these emerging threats, it’s crucial to stay informed and take preventive measures. One way to do this is by using platforms like cryptoview.io, which provide valuable insights into the crypto market and can help users stay abreast of potential risks.

Remember, the digital world is riddled with potential threats. Stay vigilant, stay informed, and most importantly, stay safe.