A cryptocurrency-mining campaign that has been running since November 2021 is specifically targeting 3D modelers and graphic designers, according to a report by Cisco Talos threat researcher Chetan Raghuprasad. The attackers are abusing Advanced Installer, a legitimate Windows installer-packaging tool, to bundle malware with software packages commonly used by creative professionals.
In this campaign, the attackers abuse Advanced Installer's Custom Action feature, which lets a package run arbitrary commands or scripts during installation, to execute malicious scripts. These scripts drop several payloads: the M3_Mini_Rat client stub backdoor, the Ethereum miner PhoenixMiner, and the multi-coin miner lolMiner. Most of the campaign's installers are written in French, which suggests that the bulk of the victims are in France and Switzerland; Talos also observed victims in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
The targeted organizations employ 3D-modeling and graphic-design professionals and sit in the architecture, engineering, construction, manufacturing, and entertainment sectors. The attackers likely chose these sectors because their workstations typically carry high-end GPUs, which are ideal for cryptocurrency mining.
Cisco Talos could not determine the initial delivery vector for the weaponized installers, but suspects search engine optimization (SEO) poisoning, a technique the attackers appear to have used in earlier instances. Once an installer reaches a victim, one of two multi-stage attack chains loads malware onto the machine.
The first attack chain installs the M3_Mini_Rat client stub, which establishes a backdoor on the victim's machine; the second delivers PhoenixMiner and lolMiner for cryptomining. In both, the attackers use Advanced Installer to bundle a malicious script with a legitimate software installer, so running the trusted installer is all it takes: the Custom Action feature executes the script as part of the installation, with no further interaction from the victim. In the first chain, the batch script drops a malicious PowerShell loader and an encrypted file containing the M3_Mini_Rat client stub, then configures the Task Scheduler with a task that runs every minute. Each run executes the PowerShell loader, which decrypts the stub and loads it into memory, so the decrypted RAT appears only in the victim's memory and not as a plaintext file on disk. During Talos' observation, the attackers' command-and-control (C2) server was unresponsive, so no cryptomining payload was delivered through this backdoor.
The second attack chain also abuses Advanced Installer's Custom Actions, this time dropping batch scripts that download PowerShell loaders, which in turn execute the mining payloads. In this chain, researchers observed PhoenixMiner and lolMiner being launched directly from PowerShell.
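The two chains above share a small set of observables that a defender can hunt for: an installer engine spawning a script host, a scheduled task registered with a one-minute repetition that runs PowerShell, and a miner process whose parent is PowerShell. The following detector is an added example written for this page, not code from Cisco Talos or from the campaign; it runs over constructed Sysmon-style process-creation and task-creation records, and every path, task name, pool address and field name in it is an assumption chosen for illustration.

```python
"""Heuristic detection for the installer -> batch -> scheduled task -> PowerShell -> miner chain.

Added example, not from the Talos report.  The events are constructed records in a
Sysmon-like shape (process creation plus Task Scheduler task-created XML); all names,
paths and the pool address are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

INSTALLER_HOSTS = {"msiexec.exe"}            # Windows Installer engine that runs Custom Actions
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# stratum is the de facto pool protocol spoken by PhoenixMiner, lolMiner and most GPU miners
POOL_RE = re.compile(r"stratum\+?(?:tcp|ssl)://", re.I)
MINER_FLAG_RE = re.compile(r"(?:^|\s)--?pool(?:\s|=|$)", re.I)   # PhoenixMiner -pool / lolMiner --pool
# schtasks.exe command line registering a task that repeats every minute
SCHTASKS_MINUTE_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+1\b|/mo\s+1\b.*?/sc\s+minute\b", re.I)
# Task Scheduler XML: one-minute repetition trigger and a PowerShell action
TASK_XML_MINUTE_RE = re.compile(r"<Interval>PT1M</Interval>", re.I)
TASK_XML_PS_RE = re.compile(r"<Command>[^<]*(?:powershell|pwsh)", re.I)


@dataclass
class Event:
    kind: str              # "process" or "task_created"
    pid: int
    image: str = ""        # full path of the created process
    parent: str = ""       # full path of its parent
    cmdline: str = ""
    task_xml: str = ""     # Task Scheduler definition for task_created events


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> list[str]:
    image, parent = basename(ev.image), basename(ev.parent)
    hits = []
    if parent in INSTALLER_HOSTS and image in SCRIPT_HOSTS:
        hits.append("installer_spawned_script_host")          # Custom Action running a script
    if image == "schtasks.exe" and SCHTASKS_MINUTE_RE.search(ev.cmdline) \
            and any(ps in ev.cmdline.lower() for ps in ("powershell", "pwsh")):
        hits.append("schtasks_minute_powershell")             # batch file registering the loader task
    if parent in POWERSHELL and (POOL_RE.search(ev.cmdline) or MINER_FLAG_RE.search(ev.cmdline)):
        hits.append("miner_launched_from_powershell")         # PhoenixMiner / lolMiner started by the loader
    return hits


def check_task_created(ev: Event) -> list[str]:
    if TASK_XML_MINUTE_RE.search(ev.task_xml) and TASK_XML_PS_RE.search(ev.task_xml):
        return ["minute_task_runs_powershell"]
    return []


def detect(events: list[Event]) -> list[tuple[str, int]]:
    """Return (rule, pid) for every event that matches a rule, in input order."""
    checks = {"process": check_process, "task_created": check_task_created}
    findings = []
    for ev in events:
        for rule in checks.get(ev.kind, lambda _e: [])(ev):
            findings.append((rule, ev.pid))
    return findings


# Constructed sample telemetry (not real IOCs): a benign browser launch and a benign hourly
# task are mixed in with the four stages of the hypothesised chain.
SAMPLE_EVENTS = [
    Event("process", 1001, image=r"C:\Program Files\Browser\browser.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="browser.exe"),
    Event("process", 1002, image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\msiexec.exe",
          cmdline=r'cmd.exe /c "C:\Users\Public\post_install.bat"'),
    Event("process", 1003, image=r"C:\Windows\System32\schtasks.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r'schtasks.exe /create /tn "GpuDriverUpdate" /sc minute /mo 1 '
                  r'/tr "powershell.exe -w hidden -ep bypass -f C:\Users\Public\loader.ps1"'),
    Event("task_created", 1004, task_xml=(
        "<Task><Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>"
        "</TimeTrigger></Triggers><Actions><Exec><Command>powershell.exe</Command>"
        r"<Arguments>-w hidden -ep bypass -f C:\Users\Public\loader.ps1</Arguments>"
        "</Exec></Actions></Task>")),
    Event("task_created", 1005, task_xml=(
        "<Task><Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>"
        "</TimeTrigger></Triggers><Actions><Exec><Command>cmd.exe</Command></Exec></Actions></Task>")),
    Event("process", 1006, image=r"C:\Users\Public\lolMiner.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="lolMiner.exe --algo ETCHASH --pool stratum+tcp://pool.example.invalid:4444 --user 0xabc"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

None of these rules is conclusive on its own: msiexec.exe legitimately spawns cmd.exe for benign Custom Actions, and a pool URL in a command line is exactly what a legitimate PhoenixMiner user produces. The value is in the sequence, which is why each rule is tagged with its stage and the output is meant to be correlated per host rather than alerted on individually.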
Several aspects of this campaign stand out. PhoenixMiner is a dual-use tool that legitimate users install deliberately, so its presence alone is weak evidence of compromise; defenders have to correlate it with the other observables in the chain (the installer-spawned script, the minute-interval scheduled task, the PowerShell parent process) rather than classify on the miner binary itself. The inclusion of lolMiner raises the attackers' potential return, since it can mine several cryptocurrencies simultaneously. And M3_Mini_Rat, whose remote-administration capabilities are focused on system reconnaissance, gives the attackers insight into the victim's environment that could be used for follow-on attacks.
The lure of cryptocurrency profit has driven a surge in campaigns of this kind, and in the Advanced Installer campaign the attackers have moved beyond their usual targets, such as gamers, and are using a legitimate packaging tool in a novel way to reach them. Defending against it calls for defense in depth: endpoint protection that can catch malicious installers and their post-install behavior, and user guidance to download installers only from trusted sources. Obtaining legitimate copies of applications directly from the vendor, rather than through web searches that can surface malicious ads or poisoned results, removes the most likely delivery path. With these measures in place, organizations are better positioned against cryptocurrency-mining campaigns and the broader class of trojanized-installer threats.