Cyber Attackers Targeting Creative Professionals
Cyber attackers are targeting professionals in the creative industry with a new and concerning campaign. To hide their malicious software, the attackers package it with Advanced Installer, a legitimate tool for building Windows installers, so that the result looks like an ordinary software installer. The goal is to hijack the powerful computers commonly used by creative professionals for cryptocurrency mining. This campaign has been active since November 2021 and shows the attackers’ ability to avoid detection while maximizing their profits.
To infiltrate their victims’ systems, the attackers use a two-stage attack. In the first stage, users are tricked into running seemingly legitimate software installers that actually contain harmful scripts. By abusing Advanced Installer’s Custom Action feature, the attackers run a malicious batch file, which installs the M3_Mini_RAT backdoor. This remote administration tool allows the attackers to perform system reconnaissance and access sensitive information.
In the second attack stage, the attackers once again exploit Advanced Installer’s Custom Actions feature. This time, they use malicious batch scripts to install PhoenixMiner and lolMiner, which are well-known cryptocurrency mining software. By using the powerful GPU specifications and graphics cards commonly found in the creative industry, the attackers aim to generate cryptocurrencies like Ethereum for their own financial gain.
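A defender-side illustration of the two stages described above, added here as an example that is not part of the original article: a small scan over constructed process-creation events (Sysmon-style parent/image/command line, not real campaign telemetry) that flags an installer-launched batch script and the named miner binaries. It assumes that an installer custom action surfaces as cmd.exe spawned by msiexec.exe; the paths, pool address and wallet are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (simplified Sysmon Event ID 1 fields).
# Hostnames, paths and the wallet value are placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\MSI1234\install.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\render\PhoenixMiner.exe",
     "cmdline": r"PhoenixMiner.exe -pool pool.example.invalid:4444 -wal 0xPLACEHOLDER"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files\Vendor\App\app.exe",
     "cmdline": r'"C:\Program Files\Vendor\App\app.exe" --first-run'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\lolMiner.exe",
     "cmdline": r"lolMiner.exe --algo ETHASH --pool pool.example.invalid:4444"},
]

# Miner binaries named in the article; the comparison is case-insensitive.
KNOWN_MINERS = {"phoenixminer.exe", "lolminer.exe"}
# A .bat or .cmd file referenced anywhere in the command line.
BATCH_IN_CMDLINE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that apply to one process-creation event."""
    findings: List[str] = []
    parent, image = basename(event["parent"]), basename(event["image"])
    # Stage 1 pattern: the MSI engine hands control to cmd.exe running a batch file.
    if parent == "msiexec.exe" and image == "cmd.exe" and BATCH_IN_CMDLINE.search(event["cmdline"]):
        findings.append("installer-custom-action-batch")
    # Stage 2 pattern: a known miner binary starts, whatever its parent.
    if image in KNOWN_MINERS:
        findings.append("known-miner-binary")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Pair each flagged event index with its detection label."""
    return [(i, label) for i, e in enumerate(events) for label in classify(e)]


if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(f"event {index}: {label}")
```

The ordinary application launched by msiexec.exe (event 2) produces no finding, which is the point: the batch-file hand-off and the miner image names are what separate the abuse from a normal install.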
The attackers may have used search engine optimization (SEO) poisoning to deliver their malware. By making sure their malicious versions of popular software, like Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, ranked high in search engine results, they increased the chances that victims would download and install the infected software, unknowingly giving the attackers access to their systems.
It’s important to note that most of the campaign’s software installers were written in French, suggesting a focus on French-speaking regions. However, the attackers didn’t limit their activities to just France and Switzerland. Users in the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam also fell victim to their schemes, showing the global reach and impact of this campaign.
The attackers used various malicious payloads, including the M3_Mini_RAT backdoor, PhoenixMiner for Ethereum mining, and lolMiner for multi-coin mining. These payloads, combined with M3_Mini_RAT’s ability to download and execute other files, increased the attackers’ chances of deploying additional malicious software and further compromising victims’ systems.
What sets this campaign apart from other cryptocurrency mining attacks is the use of PhoenixMiner, which can be intentionally installed by users. This intentional installation makes it harder to detect the presence of malware, adding an extra layer of evasion. Additionally, the campaign’s shift from targeting gamers to professionals in the creative industry shows the attackers’ flexibility and strategic thinking.
This Advanced Installer campaign has exposed vulnerabilities in the software supply chain, as legitimate installers were used to distribute malware. This emphasizes the need for enhanced security measures and caution, even when downloading software from trusted sources.
As the campaign continues, it serves as a reminder that cyber threats are always evolving, with attackers constantly coming up with new methods to exploit unsuspecting victims. Individuals and organizations, especially those in the targeted sectors, must stay vigilant and implement strong cybersecurity measures to protect their valuable data and systems.
In conclusion, the campaign targeting creative professionals with Advanced Installer malware highlights the increasing sophistication of cybercriminals. By using legitimate software installers, the attackers have successfully compromised systems and used high-performance computers for cryptocurrency mining. This emphasizes the importance of cybersecurity and the need for proactive measures to mitigate these threats. The creative industry, in particular, needs to be alert and take proactive steps to protect their digital assets and infrastructure.