Windows Advanced Installer Exploited by Attackers to Deploy Cryptocurrency Malware

Attackers Using Legitimate Windows Tool for Cryptocurrency Mining Malware


Attackers with IP addresses based in France, Luxembourg, and Germany have been utilizing Advanced Installer, a legitimate Windows tool, to create software packages that drop cryptocurrency mining malware on computers across several sectors.

Payloads and Threats

In a blog post on September 7, Cisco Talos researchers revealed that the payloads included the M3_Mini_RAT client stub. This remote access trojan allows the attackers to establish a backdoor and download and execute additional threats, such as the Ethereum cryptocurrency mining malware PhoenixMiner and IOIMiner, a multi-coin mining threat.

Targeted Verticals

The campaign primarily targets verticals that heavily rely on 3D modeling and graphic design. These sectors use computers with high GPU specifications and powerful graphics cards, which are useful for generating cryptocurrency.

Advanced Installer and Malicious Scripts

The attackers used Advanced Installer to package legitimate software installers such as Adobe Illustrator and Autodesk 3ds Max together with malicious scripts. They leveraged the tool's Custom Action feature so that the installers execute those scripts on computers in the architecture, engineering, construction, and manufacturing sectors.
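Because the campaign relies on installer custom actions, a defender triaging a suspicious package wants to see which custom actions it carries and which of them run scripts or executables. The following PowerShell script is an added example written for this article (it is not code from the article, Cisco Talos or Advanced Installer); it reads the Windows Installer CustomAction table through the standard WindowsInstaller.Installer COM object and assumes a Windows host and a local .msi file (an Advanced Installer .exe bootstrapper would first have to be unpacked to its embedded .msi).

```powershell
# Added example: enumerate the CustomAction table of an .msi and flag entries
# whose base type executes code (scripts, DLLs or EXEs). Path is supplied by the caller.
param([Parameter(Mandatory)][string]$MsiPath)

# Base custom action types (low 6 bits of the Type column) that execute code.
$ExecTypes = @{
    1  = 'DLL from Binary table';       2  = 'EXE from Binary table'
    5  = 'JScript from Binary table';   6  = 'VBScript from Binary table'
    17 = 'DLL from installed file';     18 = 'EXE from installed file'
    21 = 'JScript from installed file'; 22 = 'VBScript from installed file'
    34 = 'EXE from directory path';     37 = 'Inline JScript in Target'
    38 = 'Inline VBScript in Target';   50 = 'EXE from property'
    53 = 'JScript from property';       54 = 'VBScript from property'
}

function Invoke-Msi($Object, $Method, $Arguments) {
    # Helper for the late-bound COM calls the Windows Installer object model requires.
    return $Object.GetType().InvokeMember($Method, 'InvokeMethod', $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Msi $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = open read-only
try {
    $view = Invoke-Msi $db 'OpenView' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
} catch {
    Write-Output "No CustomAction table in $MsiPath"; return
}
Invoke-Msi $view 'Execute' $null

while ($null -ne ($rec = Invoke-Msi $view 'Fetch' $null)) {
    # StringData(i) returns column i of the fetched row as a string.
    $field = { param($i) $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, $i) }
    $type  = [int](& $field 2)
    $base  = $type -band 0x3F
    $flags = @()
    if ($type -band 0x400) { $flags += 'deferred' }                     # runs during the install script
    if ($type -band 0x800) { $flags += 'no-impersonate (LocalSystem)' }  # elevated execution
    [pscustomobject]@{
        Action   = & $field 1
        Executes = $ExecTypes.ContainsKey($base)
        Kind     = if ($ExecTypes.ContainsKey($base)) { $ExecTypes[$base] } else { "other (base type $base)" }
        Flags    = $flags -join ', '
        Source   = & $field 3
        Target   = & $field 4
    }
}
Invoke-Msi $view 'Close' $null
```

Entries with Executes set to true, especially inline script types (37, 38) or deferred actions marked no-impersonate, deserve a look at their Source and Target before the package is trusted.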

Geographical Targets

The attacks predominantly target users in France and Switzerland, with a few infections in other areas including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. Most of the software installers used in this campaign are written in French, indicating a focus on French-speaking users.

Impact on Organizations

Long-running campaigns like this can have a lasting impact on organizations. Once attackers gain deep access to a network, they can gather and exfiltrate confidential data and plant logic bombs that could lead to ransomware attacks. Additionally, the draw on powerful GPU systems can slow work output, shorten hardware lifespan, and increase power usage.

Importance of Collaboration

Operations and security teams need to work together across their traditional silos to detect and prevent such attacks. Traditional security tools may not be able to detect these stealth attacks, so operational tools like performance monitoring should be tuned to observe and alert on anomalous behavior.

Indirect Revenue Generation

Threat actors choose their targets based on various motivations and methods. In this case, the attackers have chosen an indirect method to generate revenue through cryptomining by targeting users of specific software installers, especially those for 3D modeling and graphic design.

Comparison with Banks

Guenther from Critical Start explains that breaking into a bank’s systems directly is challenging and carries a high risk of detection. On the other hand, individual users or businesses in fields like 3D modeling or graphic design may not have stringent cybersecurity measures, making them easier targets for cryptomining operations.

Stealthy Malware and Distribution Methods

Cryptocurrency mining malware can run stealthily in the background, consuming only a fraction of available resources. This allows the malicious activity to persist longer without being noticed. Trojanizing popular software installers provides threat actors with an easier distribution method, and leveraging tactics like search engine optimization poisoning can lead to a higher rate of downloads and subsequent infections.