BleepingComputer reports that more than 50 websites masquerading as the MSI Afterburner GPU utility have been targeting power users and gamers using Windows devices with cryptocurrency miners and the RedLine information-stealing malware.
While several of the domains used in the campaign hinted at a connection with MSI, some did not and were likely promoted through social media posts, forums, and direct messages, according to a report from Cyble.
Running the fake MSI Afterburner setup file downloaded from these sites installs a legitimate copy of Afterburner alongside an XMR miner and RedLine. Mining starts only after the CPU has been idle for an hour, and it is paused via the "-cinit-stealth-targets" argument, which is also used to clear GPU memory whenever "stealth programs" (antivirus software, process monitors, and hardware resource viewers) are launched.
Meanwhile, RedLine exfiltrates passwords, browser data, cookies, and cryptocurrency wallets. On VirusTotal, only three of 56 security products detected the malicious setup file, and only two of 67 flagged the executable that launches the miner.
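A defender-side check for the miner behaviour described above, added here as an illustration and not taken from the Cyble or BleepingComputer reports: it scans constructed process-creation events for the "-cinit-stealth-targets" argument and extracts the process names the miner watches for. The sample events, paths and pool address are made up, and the assumption that the argument carries a comma-separated list of process names is the example's, not the report's.

```python
"""Flag process-creation events carrying the miner's stealth argument.

Added example, not code from the Cyble/BleepingComputer report. The events
below are constructed; field names follow Sysmon Event ID 1 (Image,
ParentImage, CommandLine), but any process log with command lines works.
"""
import re

# Argument named in the report. ASSUMPTION: its value is a comma-separated
# list of process names whose launch makes the miner pause/clear memory.
STEALTH_ARG = re.compile(
    r'-cinit-stealth-targets(?:[= ]"?([^"\s]+))?', re.IGNORECASE
)

# Constructed sample: the fake installer spawns the real Afterburner and a
# miner hidden under a Windows-looking name in a user-writable directory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe",
     "ParentImage": r"C:\Users\alice\Downloads\MSIAfterburnerSetup.exe",
     "CommandLine": r'"C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe"'},
    {"Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\MSIAfterburnerSetup.exe",
     "CommandLine": ('svchost.exe -o pool.invalid:3333 '
                     '-cinit-stealth-targets "Taskmgr.exe,ProcessHacker.exe,HWiNFO64.exe"')},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def find_stealth_miners(events):
    """Return one finding per event whose command line carries the argument."""
    findings = []
    for ev in events:
        match = STEALTH_ARG.search(ev.get("CommandLine", ""))
        if not match:
            continue
        targets = match.group(1).split(",") if match.group(1) else []
        findings.append({
            "image": ev.get("Image", ""),
            "parent": ev.get("ParentImage", ""),
            # The watched names tell a responder which tools the miner hides from.
            "stealth_targets": targets,
        })
    return findings


if __name__ == "__main__":
    for f in find_stealth_miners(SAMPLE_EVENTS):
        print(f"{f['image']} (parent {f['parent']}) hides from {f['stealth_targets']}")
```

The parent image in each finding ties the miner back to the installer that dropped it, which is the pivot an analyst needs to find the rest of what the setup file wrote.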