Cybercriminals have been on a prolonged spree since November 2021, employing a crafty Windows tool to spread cryptocurrency-mining malware. A recent analysis by Cisco’s Talos Intelligence has exposed the sinister plot, wherein these attackers have set their sights on an unsuspecting group of graphic designers and 3D modeling experts.
The exploitation of the Windows Advanced Installer, a legitimate application used by developers to package various software installs, including well-known ones like Adobe Illustrator, lies at the center of this malicious operation. The Cybercriminals exploit this tool with the intention of carrying out malicious script execution on infected personal computers.
Interestingly, most of the compromised software installers are written in French. This suggests that the malevolent actors are casting their net over various business sectors, including architecture, engineering, construction, manufacturing, and entertainment in French-speaking regions.
While the attacks predominantly strike users in France and Switzerland, they have made their presence felt across the globe, touching nations like the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. This information is based on DNS request data sent to the Cybercriminals command and control host.
The malicious campaign orchestrated by Talos involves the deployment of potent PowerShell and Windows batch scripts. These scripts establish a discreet backdoor in the victim’s machine, with PowerShell’s memory-based operation making detection challenging.
Cybercriminals are Mining Crypto From Victims’ Computers
Once the backdoor is in place, the attackers trigger a barrage of threats. Among them is the Ethereum crypto-mining program known as PhoenixMiner, along with lolMiner, a versatile multicoin mining threat. These scripts are cunningly concealed within the guise of Advanced Installer’s Custom Action feature, designed to facilitate custom installation tasks.
Meanwhile, PhoenixMiner and lolMiner harness the computational power of GPUs from AMD, Nvidia, and Intel. PhoenixMiner focuses on Ethash-based cryptocurrencies, while lolMiner supports multiple protocols, enabling simultaneous mining of different cryptocurrencies similar to how mining pools operate but with only the hacker to profit.
This sinister act of employing mining malware without user consent, often referred to as crypto-jacking, operates covertly, leaving signs such as overheating and sluggish device performance. This campaign is but one example of a growing trend where attackers seek to mine or steal cryptocurrencies.
As we battle with emerging cyber dangers, this finding serves as an important reminder of the necessity for awareness and effective security measures. Professionals who engage in 3D modeling and graphic design must exercise caution at all times to safeguard their valuable creations and computing assets from these relentless cybercriminals.
