Unmasking Advanced Installer Crypto-Mining Malware

Discover how legitimate software is exploited for cryptocurrency mining. Insights on Advanced Installer crypto-mining malware and its impact on targeted industries.

Threat actors have been abusing Advanced Installer, a legitimate Windows application for building software
packages, since at least November 2021 to install cryptocurrency-mining malware on affected
computers.

"The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe
Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer's
Custom Actions feature to make the software installers execute the malicious scripts," Cisco Talos
researcher Chetan Raghuprasad wrote in a technical report.

Judging by the nature of the trojanized programs, the victims most likely come from the architecture,
engineering, construction, manufacturing, and entertainment industries. The majority of the
software installers are in French, which suggests that French-speaking users are being specifically
targeted.

This targeting is deliberate: these sectors are lucrative targets for cryptojacking because they
depend on computers with powerful graphics processing units (GPUs) for daily operations.

The victimology footprint of the attacker encompasses France and Switzerland, according to Cisco's
analysis of the DNS request data supplied to the attacker's infrastructure. France and Switzerland are
followed by occasional infections in the United States, Canada, Algeria, Sweden, Germany, Tunisia,
Madagascar, Singapore, and Vietnam.

The attacks culminated in the deployment of multiple cryptocurrency-mining malware families,
including lolMiner and PhoenixMiner, as well as M3_Mini_Rat, a PowerShell script that probably
functions as a backdoor to download and execute further threats.

As for the initial access vector, it is possible that SEO poisoning techniques were used to get the
rigged software installers onto the victims' computers.

When the installer is launched, a multi-stage attack chain that dumps the miner binaries and the
M3_Mini_Rat client stub is activated.
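As an added example that is not part of this article or the Cisco Talos report, the following Python check is the kind of detection a defender could run over endpoint process-creation logs to surface the behaviour described above: an installer host process spawning a script interpreter (the shape a malicious Custom Action takes), and that interpreter then launching a binary from a user-writable directory, as a multi-stage dropper would. The log format, process names, file paths, and the sample events are constructed assumptions; only the miner and RAT names (lolMiner, PhoenixMiner, M3_Mini_Rat) come from the article.

```python
"""Flag installer-driven script execution in process-creation logs.

Assumed (constructed) input format: a CSV with one process-creation event
per line, similar to what a Sysmon Event ID 1 export might be reduced to:
    timestamp,parent_image,image,command_line
"""
import csv
import io
from typing import Dict, List

# Installer host processes (Windows Installer engine and generic setup stubs).
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}
# Script and command interpreters a packaged installer rarely needs to spawn.
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Family names taken from the article; matched case-insensitively as substrings.
MINER_MARKERS = ("lolminer", "phoenixminer", "m3_mini_rat")
# Directory fragments that any user can write to (hypothetical, not exhaustive).
USER_WRITABLE_FRAGMENTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample events: one benign install, one installer-spawned
# PowerShell, one miner launched from %TEMP%, and one unrelated process.
SAMPLE_LOG = """timestamp,parent_image,image,command_line
2023-09-07T10:01:02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\msiexec.exe,"msiexec.exe /i Illustrator_setup.msi"
2023-09-07T10:01:05,C:\\Windows\\System32\\msiexec.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\run.ps1"
2023-09-07T10:01:09,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,C:\\Users\\user\\AppData\\Local\\Temp\\lolMiner.exe,"lolMiner.exe --algo ETHASH"
2023-09-07T10:05:00,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,"notepad.exe notes.txt"
"""


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    image_path = event["image"].lower()
    cmd = event["command_line"].lower()
    reasons: List[str] = []

    # Custom Action shape: the installer engine itself launches an interpreter.
    if parent in INSTALLER_PARENTS and image in SCRIPT_INTERPRETERS:
        reasons.append("installer spawned script interpreter (possible Custom Action)")

    # Second stage shape: an interpreter starts a binary from a user-writable path.
    if parent in SCRIPT_INTERPRETERS and any(f in image_path for f in USER_WRITABLE_FRAGMENTS):
        reasons.append("script interpreter launched binary from user-writable path")

    # Known family names anywhere in the image name or command line.
    if any(m in image or m in cmd for m in MINER_MARKERS):
        reasons.append("known miner/loader name")

    return reasons


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Parse the CSV log and return one finding per suspicious event."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row)
        if reasons:
            findings.append(
                {"timestamp": row["timestamp"], "image": basename(row["image"]), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["timestamp"], finding["image"], "; ".join(finding["reasons"]))
```

Matching on process names alone will produce noise: some legitimate installers do run PowerShell or cmd from a Custom Action, so in practice the first rule is best used to enrich rather than alert on its own, while the combination of an installer-spawned interpreter followed by a binary launched from a temp directory is a much stronger signal.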

Since the trojan's infrastructure is currently inactive and it can no longer communicate with a remote server, it is
difficult to pinpoint exactly what additional malware may have been distributed through this channel.
