
Attackers leverage Windows Advanced Installer to drop cryptocurrency malware


Attackers with IP addresses based in France, Luxembourg and Germany have been using Advanced Installer, a legitimate Windows tool, for creating software packages to drop cryptocurrency mining malware on computers across several sectors.

In a blog post Sept. 7, Cisco Talos researchers said the payloads included the M3_Mini_RAT client stub. Such a remote access trojan would let the attackers establish a backdoor and download and execute additional threats, such as PhoenixMiner, an Ethereum cryptocurrency miner, and IOIMiner, a multi-coin mining threat.

The Cisco Talos researchers said the campaign targets verticals that are heavy users of 3D modeling and graphic design because they use computers with high GPU specifications and powerful graphics cards, which are well suited to cryptocurrency mining. The researchers said the attackers used Advanced Installer to package other legitimate software installers, such as Adobe Illustrator and Autodesk 3ds Max, with malicious scripts. They then leverage the Custom Action feature in the Windows tool to make the software installers execute the malicious scripts on computers in the architecture, engineering, construction and manufacturing sectors.
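An MSI Custom Action that hands control to a script shows up in endpoint telemetry as msiexec.exe spawning a script interpreter. The detector below, an added example that is not code from Cisco Talos or SC Media, runs that check over Sysmon-style process-creation records (Event ID 1 field names ParentImage, Image, CommandLine); the records are constructed for illustration and the paths are not from the campaign.

```python
"""Flag MSI Custom Actions that launch a script host (added example)."""
import ntpath
import re

INSTALLER_HOSTS = {"msiexec.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Script path pulled out of the command line (no-space paths only).
SCRIPT_FILE = re.compile(r"[\w\\:.\-$]+\.(?:bat|cmd|ps1|vbs|js)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\pkg\Viewer.bat"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\pkg\run.ps1"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",  # nested msiexec: normal install behaviour
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # user-launched shell: not an installer child
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe"},
]


def _basename(path: str) -> str:
    # ntpath handles Windows paths even when this runs on a non-Windows analysis box.
    return ntpath.basename(path).lower()


def flag_custom_action_scripts(events):
    """Return one alert per record in which msiexec.exe spawned a script host.

    Severity is raised when the interpreter was asked to run with a hidden
    window, which a legitimate installer UI rarely needs.
    """
    alerts = []
    for ev in events:
        if _basename(ev["ParentImage"]) not in INSTALLER_HOSTS:
            continue
        child = _basename(ev["Image"])
        if child not in SCRIPT_HOSTS:
            continue
        match = SCRIPT_FILE.search(ev["CommandLine"])
        alerts.append({
            "host": child,
            "script": match.group(0) if match else None,
            "severity": "high" if HIDDEN_WINDOW.search(ev["CommandLine"]) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_custom_action_scripts(SAMPLE_EVENTS):
        print(alert)
```

Feed it real Event ID 1 records from a SIEM export and tune INSTALLER_HOSTS for vendor-packaged installers that legitimately run scripts in your environment.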

These attacks predominantly target users in France and Switzerland, the researchers said, with a few infections in other areas, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. Most of the software installers used in this campaign are written in French, which supports the observation by Cisco Talos that the campaign primarily targets French-speaking users.

Long-running, persistent campaigns like this are subtle and difficult to detect, but can have a lasting impact on organizations, explained Shawn Surber, senior director of technical account management at Tanium. Surber said once an attacker gets this deep inside a network, they are often doing a lot more than just hijacking GPU cycles: they can gather and exfiltrate confidential data and plant logic bombs that could turn their stealth attack into a loud ransomware boom.

“Even if they don't, the draw on these powerful GPU systems can have a significant financial and operational effect by slowing work output, shortening the lifespan of expensive hardware, and significantly increasing power usage,” Surber said.

Such attacks are good examples of why operations and security teams need to work together across their traditional silos, he continued. “Once inside, this type of attack is virtually invisible to traditional security tools, so it's important that operational tools, like performance monitoring, be tuned to observe and alert on anomalous behavior like this.”

Callie Guenther, cyber threat research senior manager at Critical Start, added that threat actors have numerous motivations and methods for choosing their targets. Based on the Talos blog post, Guenther said the threat actors have chosen a rather indirect method to generate revenue via cryptomining by targeting users of specific software installers, especially those for 3D modeling and graphic design.

“Generally, banks by nature have some of the most robust cybersecurity defenses in place,” said Guenther. “Breaking directly into a bank's systems is a challenging endeavor that carries a high risk of detection. It requires specialized tools and methods, and the potential legal repercussions are significant.”

By contrast, Guenther said individual users or businesses, especially those in fields like 3D modeling or graphic design, might not always have stringent cybersecurity measures. Such machines are often equipped with powerful GPU resources vital for design work, but equally valuable for cryptomining operations.

“Cryptocurrency mining, especially on machines with high-end GPUs, can be lucrative, and the malware can often run stealthily in the background, consuming just a fraction of available resources,” said Guenther. “This lets the malicious activity persist longer, potentially going unnoticed by the users. Moreover, trojanizing popular software installers offers threat actors an easier distribution method. Leveraging tactics like search engine optimization poisoning can lead to a higher rate of downloads and subsequent infections. This method is less complex than the multifaceted techniques required to infiltrate a bank's defenses.”
