In recent times, cybercriminal activities exploiting legitimate tools have surged, posing severe threats to industries reliant on high Graphics Processing Unit (GPU) power. This article delineates the exploitation of the Advanced Installer tool, a sanctioned Windows utility, which has been manipulated by cybercriminals since November 2021 to spread cryptocurrency-mining malware. We will delve deep into the intricacies of this campaign, including the tactics deployed and the malware involved, providing a comprehensive understanding of this ongoing threat.

Overview of the Exploitation of the Advanced Installer Tool

The Advanced Installer tool, primarily used to create software packages and installers, has unfortunately become a weapon in the hands of cybercriminals. These criminals ingeniously package malicious scripts with popular software installers like Adobe Illustrator and Autodesk 3ds Max, utilizing the Custom Actions feature within the Advanced Installer to execute these scripts surreptitiously. The victims are primarily from industries that require high GPU power, notably in French-speaking nations. Through the course of this article, we will unpack the various components and stages of this cyber attack.

Technical Aspects of the Campaign

The attackers, demonstrating deep technical acumen, Trojanize renowned software installers, inserting malicious scripts seamlessly without alerting users during the installation process. These scripts, when executed, grant the attackers elevated privileges on the victim’s system, thereby converting these systems into cryptocurrency-mining hubs.
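As an added example (not code from the article, Talos, or Advanced Installer), the PowerShell function below reads a package's CustomAction table through the Windows Installer COM API and decodes each action's Type bits per the MSI SDK layout, so a defender can review executable or script actions that run as LocalSystem before a package is deployed. The function name and the package path are assumptions.

```powershell
# Added example, not from the article or Advanced Installer: list the custom
# actions in an .msi and decode their Type bits (MSI SDK layout) so that
# script/EXE actions running with elevated rights can be reviewed.
function Get-MsiCustomAction {
    param([Parameter(Mandatory = $true)][string]$MsiPath)  # assumed: path of the package under review

    # Late-bound COM calls; WindowsInstaller.Installer exposes no type library to PowerShell
    function Invoke-Com($obj, $name, $kind, $argList) {
        $obj.GetType().InvokeMember($name, $kind, $null, $obj, $argList)
    }

    # Low 3 bits: what the action is; bits 0x30: where it comes from (MSI SDK CustomAction Type)
    $baseTypes = @{ 1 = 'DLL'; 2 = 'EXE'; 3 = 'TextData'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'NestedMSI' }
    $sources   = @{ 0 = 'Binary table'; 16 = 'installed file'; 32 = 'directory'; 48 = 'property' }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)   # 0 = read-only
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`')
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null

    while ($true) {
        $rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
        if ($null -eq $rec) { break }
        $type = [int](Invoke-Com $rec 'StringData' 'GetProperty' @(2))
        [pscustomobject]@{
            Action        = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
            Kind          = $baseTypes[$type -band 0x07]
            Source        = $sources[$type -band 0x30]
            Deferred      = [bool]($type -band 0x400)   # runs inside the Windows Installer service
            NoImpersonate = [bool]($type -band 0x800)   # runs as LocalSystem, not the installing user
            Target        = Invoke-Com $rec 'StringData' 'GetProperty' @(4)
        }
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
}

# Usage: surface executable or script actions that run as LocalSystem. A PowerShell
# script launched by an installer may appear as an EXE action (powershell.exe) or be
# wrapped in a vendor DLL action, so all four kinds are worth a look.
$actions = Get-MsiCustomAction -MsiPath 'C:\review\package.msi'   # assumed path
$actions | Where-Object { $_.NoImpersonate -and $_.Kind -in 'EXE','DLL','JScript','VBScript' } |
    Format-Table Action, Kind, Source, Target -AutoSize
```

OpenView throws if the package has no CustomAction table, which simply means there is nothing of this kind to review.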

Targeted Software and Industries

The primary industries at risk are those involved in 3-D modeling and graphic design, which necessitate powerful GPUs. These include sectors like architecture, engineering, construction, manufacturing, and entertainment. The Trojanized software installers are predominantly in French, hinting at a concentrated attack on French-speaking users, particularly those in France and Switzerland.

Understanding the Malware Components

The attack uses a multifaceted payload comprising the following components:

  • M3_Mini_Rat: This is a PowerShell script endowed with remote administration functionalities, effectively acting as a backdoor within the system. It is capable of system reconnaissance and can initiate the download and execution of other malicious binaries.
  • PhoenixMiner: Specialized in mining Ethereum, this cryptocurrency-mining malware is a critical component in this attack.
  • lolMiner: A versatile open-source mining software capable of mining various virtual currencies simultaneously.

This choice of malware aligns with the attackers’ intent to utilize the victims’ GPU power for cryptocurrency mining.

Geographic Spread and Delivery Mechanisms

A critical aspect of understanding this cyber-attack is examining the geographical footprint of the victims. Predominantly, the victims are situated in France and Switzerland, with isolated incidents reported in several other countries, including the U.S., Canada, and Germany. It is believed that search engine optimization (SEO) poisoning techniques are deployed to circulate the rigged software installers.

Analyzing the Attack’s Footprint and Victimology

An analysis of DNS request data highlights the expansive geographical footprint of this attack. Not confined to French-speaking regions, sporadic infections have been noted globally, indicating a potential escalation in the campaign’s scale. The use of SEO poisoning tactics, manipulating search engine results to direct users towards malicious downloads, has exacerbated the situation further.

Delving into Malware Functionalities

As we delve deeper, it is vital to understand the functionalities of the malware components involved:

  1. M3_Mini_Rat: Possesses capabilities like system reconnaissance and the execution of additional malicious binaries, although it seems to occasionally encounter unresponsive servers during its operation.
  2. PhoenixMiner: This malware is specifically designed for mining Ethereum, leveraging the GPU power of the victim’s system to mine the cryptocurrency effectively.
  3. lolMiner: This software stands out for its versatility, enabling the concurrent mining of multiple virtual currencies, thus optimizing the exploitation of the victim’s resources.

Conclusion

The exploitation of the Advanced Installer tool by cybercriminals marks a significant concern in the cybersecurity domain. As these criminals continue to hone their skills, industries requiring substantial GPU power are finding themselves at an increased risk. Through a comprehensive understanding and analysis of these attacks, it is possible to develop strategies to mitigate these threats and safeguard vital industry assets and data. By remaining vigilant and informed, we can strive to curtail the spread of such malevolent campaigns and protect the integrity of our digital landscape.