Cybercriminals Use Legitimate Advanced Installation Tool as Weapon in Crypto Mining Attacks

September 09, 2023 | THN | Malware/hacking


Advanced Installer, a legitimate Windows tool for creating software packages, has been abused by malicious actors to drop cryptocurrency-mining malware on infected machines since at least November 2021.

“The attacker uses Advanced Installer to bundle other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer’s custom actions feature to force software installers to execute the malicious scripts,” Chetan Raghuprasad, a researcher at Cisco Talos, said in a technical report.

The nature of the trojanized applications indicates that victims are likely to come from the architecture, engineering, construction, manufacturing, and entertainment industries. The installers are mostly in French, a sign that French-speaking users are being singled out.

This campaign is strategic as these industries rely on computers with high graphics processing unit (GPU) power for their daily operations, making them lucrative targets for cryptojacking.


Cisco’s analysis of DNS query data sent to the attacker’s infrastructure shows that the victimology footprint extends across France and Switzerland, followed by sporadic infections in the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam.

The attacks result in the deployment of M3_Mini_Rat, a PowerShell script that likely acts as a backdoor to download and execute additional threats, as well as several cryptocurrency-mining malware families such as PhoenixMiner and lolMiner.

Regarding the initial access vector, it is suspected that search engine optimization (SEO) poisoning techniques may have been used to deliver fake software installers onto the victim’s machines.


The installer, when launched, activates a multi-step attack chain that drops the M3_Mini_Rat client stub and the miner binaries.

“The M3_Mini_Rat client is a PowerShell script with remote administration capabilities that primarily focuses on system reconnaissance as well as downloading and executing other malicious binaries,” Raghuprasad said.

The Trojan is designed to contact a remote server, although it is currently unresponsive, making it difficult to determine the exact nature of the malware that may have been distributed via this process.
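The chain described above leaves two things a defender can see in process-creation telemetry: the Windows Installer service (msiexec.exe, which runs MSI custom actions) launching PowerShell, and a miner binary appearing on the same host shortly afterwards. The following is an added example, not code from the article or from Cisco Talos, that scores such events and correlates the two stages per host. The log lines are constructed in a simplified Sysmon-style JSON format, the host names, paths and pool address are invented, and the miner executable names are an assumption based on the families the article names.

```python
"""
Added defensive example (not from the article or Cisco Talos): a small
detection pass over process-creation telemetry for the two observable stages
of the campaign, (1) Windows Installer (msiexec.exe) running a custom action
that launches PowerShell, and (2) a GPU miner binary started afterwards on
the same host.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events in a simplified Sysmon Event ID 1 (process create)
# style, one JSON object per line. Hosts, paths and pool address are invented.
SAMPLE_EVENTS = r"""
{"ts":"2023-09-01T10:02:11Z","host":"ws-paris-01","image":"C:\\Windows\\System32\\msiexec.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"msiexec.exe /i Illustrator_2023_FR.msi"}
{"ts":"2023-09-01T10:02:14Z","host":"ws-paris-01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\setup.ps1"}
{"ts":"2023-09-01T10:05:40Z","host":"ws-paris-01","image":"C:\\ProgramData\\gpu\\PhoenixMiner.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"PhoenixMiner.exe -pool pool.example.invalid:4444"}
{"ts":"2023-09-01T11:15:02Z","host":"ws-lyon-07","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe"}
{"ts":"2023-09-01T11:20:55Z","host":"ws-lyon-07","image":"C:\\Program Files\\Git\\cmd\\git.exe","parent_image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"git.exe --version"}
"""

POWERSHELL = {"powershell.exe", "pwsh.exe"}
INSTALLER = {"msiexec.exe"}
# Miner families named in the article; the .exe file names are an assumption.
MINERS = {"phoenixminer.exe", "lolminer.exe"}
# Command-line switches that hide the window or weaken PowerShell's guard rails.
EVASION_MARKERS = ("-windowstyle hidden", "-w hidden", "-executionpolicy bypass",
                   "-ep bypass", "-encodedcommand", "-enc ", "-noprofile", "-nop ")


@dataclass
class Finding:
    ts: datetime
    host: str
    score: int
    tags: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: dict) -> Finding:
    """Score one process-creation event; a score of 0 means nothing of interest."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev.get("cmdline", "").lower()
    f = Finding(ts=datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")),
                host=ev["host"], score=0)
    # Stage 1: an installer custom action handing control to PowerShell.
    # Benign installers run custom actions too (see the git.exe sample), so the
    # rule keys on the PowerShell child and escalates on evasion switches.
    if parent in INSTALLER and image in POWERSHELL:
        f.score += 60
        f.tags.add("installer_script")
        f.reasons.append("PowerShell launched by Windows Installer (custom action)")
        hits = [m for m in EVASION_MARKERS if m in cmd]
        if hits:
            f.score += 10 * len(hits)
            f.reasons.append("evasion switches: " + ", ".join(hits))
    # Stage 2: a known miner binary name, worse when PowerShell is its parent.
    if image in MINERS:
        f.score += 80
        f.tags.add("miner")
        f.reasons.append(f"known miner binary name: {image}")
        if parent in POWERSHELL:
            f.score += 20
            f.reasons.append("miner spawned by PowerShell")
    f.score = min(f.score, 100)
    return f


def scan(jsonl: str, threshold: int = 50) -> list:
    """Parse JSON-lines events and keep findings at or above the threshold."""
    out = []
    for line in jsonl.splitlines():
        if line.strip():
            f = assess(json.loads(line))
            if f.score >= threshold:
                out.append(f)
    return out


def installer_to_miner_chains(jsonl: str, window_minutes: int = 30) -> list:
    """Hosts where a miner appeared within the window after an installer-launched
    PowerShell: the multi-step chain seen end to end rather than as two alerts."""
    findings = scan(jsonl)
    hosts = set()
    for first in findings:
        if "installer_script" not in first.tags:
            continue
        for later in findings:
            if later.host == first.host and "miner" in later.tags:
                gap = (later.ts - first.ts).total_seconds()
                if 0 <= gap <= window_minutes * 60:
                    hosts.add(first.host)
    return sorted(hosts)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts:%H:%M:%S} {f.host} score={f.score} {'; '.join(f.reasons)}")
    print("installer->miner chains on:", installer_to_miner_chains(SAMPLE_EVENTS))
```

On the sample data the Paris workstation produces two findings (the hidden, policy-bypassing PowerShell child of msiexec.exe, then PhoenixMiner.exe spawned by that PowerShell) and is the only host reported as a complete chain; the Lyon workstation's interactive PowerShell and the git.exe custom action score nothing, which is the point of keying on the PowerShell child rather than on custom actions in general.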


The other two malicious payloads are used to illegally mine cryptocurrencies using the machine’s GPU resources. PhoenixMiner is Ethereum cryptocurrency-mining malware, while lolMiner is open-source mining software that can be used to mine two virtual currencies at the same time.

In another case of a legitimate tool being abused, Check Point warns of a new type of phishing attack that exploits Google Looker Studio to create fake cryptocurrency phishing sites in an attempt to bypass protections.

“Hackers use it to create fake crypto pages designed to steal money and credentials,” security researcher Jeremy Fuchs said.

“That’s a long way of saying that hackers are exploiting Google’s authority. An email security service will look at all of these factors and have high confidence that it’s not a phishing email and it comes from Google.”
