Hackers Exploit Windows Tool to Distribute Cryptocurrency-Mining Malware Worldwide
Summary:
Hackers have been infecting machines with cryptocurrency-mining malware since November 2021 by abusing Advanced Installer, a legitimate Windows tool for building software installers. The attackers package installers for real applications, mainly 3D modeling and graphic design software, together with malicious scripts that run when the installer executes. The campaign predominantly affects users in France and Switzerland, with smaller numbers of infections reported in other countries. The malware uses PowerShell and Windows batch scripts to establish a backdoor and then runs publicly available GPU miners, PhoenixMiner and lolMiner. This form of attack, known as cryptojacking, mines cryptocurrency on the victim's hardware without the user's knowledge or consent.
Hackers have been leveraging a Windows tool to distribute cryptocurrency-mining malware since November 2021, according to an analysis by Cisco's Talos Intelligence. The attacker abuses Advanced Installer, a legitimate utility that helps developers build Windows software installers, to bundle the installers of real applications such as Adobe Illustrator with scripts that carry out malicious actions on the device once the installer runs.

Talos' blog post, published on September 7, notes that the installers the attacker abuses are primarily for software used in 3D modeling and graphic design, and that most of them are written in French. According to the analysis, this suggests the victims are likely to come from business sectors such as architecture, engineering, construction, manufacturing, and entertainment in French-speaking countries. Based on DNS request data sent to the attacker's command-and-control host, the campaign primarily affects users in France and Switzerland, with a few infections in other countries, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

Talos identifies a crypto-mining campaign that uses malicious PowerShell and Windows batch scripts to execute commands and establish a backdoor on the victim's machine. The scripts are launched through Advanced Installer's Custom Action feature, which lets an installer author define additional tasks that run during installation; here those tasks run the attacker's scripts instead of routine setup steps. PowerShell can run its payload entirely in memory without writing a script file to disk, which makes file-based antivirus scanning less effective against it, although process-creation and PowerShell script block logging still record the activity. Once the backdoor is in place, the attacker deploys additional payloads: PhoenixMiner, an Ethereum miner, and lolMiner, a multi-coin miner. Both are publicly available tools that mine using the victim computer's GPU.
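The behaviour described above leaves a recognisable trace in process-creation telemetry: the Windows Installer host (msiexec.exe) spawning a script interpreter for a custom action, PowerShell started with window-hiding or policy-bypass switches, and later a GPU miner started with mining-pool arguments. The following hunting script is an added example, not code from Talos or from this article. The sample events are constructed for illustration; their field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) but every path, user and pool address is made up, and the miner argument patterns are generic tells rather than indicators taken from the campaign.

```python
"""Hunt process-creation events for the Advanced Installer abuse chain:
installer -> script host -> GPU miner. Added example with constructed data."""
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
INSTALLER_HOSTS = {"msiexec.exe"}          # Windows Installer custom-action host
MINER_NAMES = ("phoenixminer", "lolminer")  # the two miners named in the article

# PowerShell switches that hide the window, bypass policy or carry an encoded body.
PS_EVASION = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-nop\b|-noprofile\b)", re.I)
# Generic mining tells: a stratum pool URL or pool/algorithm switches (assumed, not campaign IOCs).
MINER_ARGS = re.compile(r"(stratum\+(tcp|ssl)://|\s--?pool[\s=]|\s--?algo[\s=])", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden "
                    r"-ExecutionPolicy Bypass -File C:\Users\Public\setup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\run.bat"},
    {"Image": r"C:\Users\alice\AppData\Roaming\lolMiner.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"lolMiner.exe --algo ETHASH --pool stratum+tcp://pool.example:4444 --user 0xabc"},
    # Benign: an analyst running PowerShell from the desktop.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoExit -Command Get-Date"},
    # Benign: an installer custom action that runs a vendor binary, not a script host.
    {"Image": r"C:\Program Files\SomeApp\postinstall.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Program Files\SomeApp\postinstall.exe" /quiet'},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def analyse_event(ev):
    """Return the list of reasons this event matches the pattern (empty if none)."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if parent in INSTALLER_HOSTS and image in SCRIPT_HOSTS:
        reasons.append(f"installer custom action spawned script host {image}")
    if image in {"powershell.exe", "pwsh.exe"} and PS_EVASION.search(cmdline):
        reasons.append("PowerShell launched with hidden/bypass/encoded switches")
    if any(n in image or n in cmdline.lower() for n in MINER_NAMES):
        reasons.append("known GPU miner name in image or command line")
    if MINER_ARGS.search(cmdline):
        reasons.append("mining pool arguments on command line")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse_event(ev))]


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for reason in why:
            print("   -", reason)
```

On a real estate this needs command-line capture turned on (Sysmon, or Security event 4688 with "Include command line in process creation events"). The installer rule is a hunting lead rather than a blocking rule: legitimate installers also run PowerShell custom actions, so scope it by the signer or install directory before alerting on it, and treat the miner rules as the higher-confidence signal.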
Cryptojacking is the covert installation of mining code on a device, without the user's consent or knowledge, to mine cryptocurrency for the attacker. Common signs of mining malware on a device include overheating, fans running constantly, and degraded performance, because the miner keeps the GPU or CPU fully loaded. Using malware to mine or steal cryptocurrencies is not a new technique. Former smartphone giant BlackBerry, for example, recently identified malware scripts actively targeting three sectors: financial services, healthcare, and government.
Published At
9/7/2023 8:59:52 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.