Hackers Exploit Windows Tool to Deploy Crypto-Mining Malware
September 8, 2023 at 7:56 PM
Last updated: September 8, 2023 at 7:56 PM
Hackers have been exploiting a widely-used Windows-based software packaging tool to distribute crypto-mining malware, according to a report by IT security firm Cisco Talos Intelligence Group.
The hackers have leveraged a Windows utility known as Advanced Installer to infiltrate computers with crypto-mining malware.
This method allows them to bundle malicious code with legitimate installers for popular tools such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro.
These software tools are primarily used for 3-D modelling and graphic design, and notably, they are frequently used in French-speaking regions.
The compromised computers, often belonging to graphic designers, tend to have powerful Graphics Processing Units (GPUs), which are ideal for crypto mining.
The attackers utilize these GPUs to mine cryptocurrencies on their behalf.
The attack campaign is believed to primarily impact sectors such as architecture, engineering, construction, manufacturing, and entertainment, as the hackers specifically target software installers related to 3-D modelling and graphic design.
The motivation lies in the fact that robust GPUs are crucial for efficient cryptocurrency mining.
Persistent Threat Since November 2021
Cisco Talos Intelligence Group’s report reveals that this crypto mining campaign has been active since at least November 2021.
Victims of these attacks are spread across the globe, with a notable concentration in France and other French-speaking regions.
Once a computer is compromised, it becomes a part of the attackers’ crypto-mining network.
The hackers deploy a tool called M3_Mini_Rat, which enables them to download and execute two different cryptocurrency miners:
1. PhoenixMiner: This miner specializes in Ethereum mining, making use of the computer’s GPU capabilities.
2. lolMiner: This is a multi-coin mining malware that can target various proof-of-work (PoW) cryptocurrencies that are GPU-mineable. Ethereum Classic (ETC) and Monero (XMR) are among the prominent cryptocurrencies that fit this description.
Notably, Bitcoin (BTC) is generally mined using more specialized machines known as ASICs (Application-Specific Integrated Circuits).
The geographical impact of this campaign extends beyond France, with victims identified in countries including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
The findings are based on DNS request data sent to the attacker’s command and control host.
The Stealth of PowerShell
The hackers use a variety of techniques to maintain the stealth of their operations.
They utilize PowerShell and Windows batch scripts for executing commands and establishing a backdoor on the compromised machines.
PowerShell, in particular, can execute scripts entirely in memory without writing files to disk, which makes the activity harder to detect.
The deployment of crypto-mining malware without the user’s consent or knowledge, often referred to as crypto-jacking, remains an ongoing cybersecurity concern.
Signs of such malware operating on a device include overheating and reduced device performance.
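Because in-memory PowerShell leaves few files behind, the usual defensive answer is to log script block content and review it. The following PowerShell script is an added example, not code from the article or from the Cisco Talos report: it turns on script block logging (a policy registry value that needs administrator rights), scans the resulting events for common download-and-execute patterns, and lists any running process whose name matches the miner tools the article names. The cradle patterns are my assumed indicators, not indicators published in the report.

```powershell
# Added example (not from the article or the Talos report): enable PowerShell
# script block logging, then hunt for in-memory download/execute cradles and
# for the miner names mentioned in the article. Run as Administrator.

# 1. Enable script block logging so script content (even when never written to
#    disk) is recorded as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Patterns typical of download-and-execute cradles (assumed indicators,
#    not taken from the report). PowerShell -match is case-insensitive.
$cradlePatterns = @(
    'Invoke-Expression', '\bIEX\b',
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest',
    'FromBase64String', '-EncodedCommand', '\s-e(nc|c)?\s'
)
$cradleRegex = ($cradlePatterns -join '|')

# 3. Review the last 7 days of 4104 events for matching script blocks.
#    Once logging is on this script is logged too, so blocks that contain the
#    variable name "cradlePatterns" are skipped to avoid matching ourselves.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Properties[2] of a 4104 event holds the ScriptBlockText.
    $text = [string]$e.Properties[2].Value
    if ($text -match $cradleRegex -and $text -notmatch 'cradlePatterns') {
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Match   = $Matches[0]
            Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# 4. Flag running processes whose name matches the tools named in the article.
$minerNames = 'PhoenixMiner|lolMiner|M3_Mini_Rat'
Get-Process | Where-Object { $_.ProcessName -match $minerNames } |
    Select-Object Id, ProcessName, Path, StartTime
```

A process-name match is only a starting point, since a miner can be renamed; sustained GPU load from an unfamiliar process is the stronger signal to follow up.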
Coinwaft Editorial
Coinwaft Editorial, the official voice of Coinwaft. Our team of experienced financial journalists and blockchain experts delivers authoritative, well-researched content on digital assets, market trends, and emerging technologies. With a commitment to accuracy and objectivity, we provide our readers with comprehensive coverage of the rapidly evolving crypto space.