In a campaign active since at least November 2021, attackers have targeted professionals in graphic design, animation, and video editing. These users work on high-performance workstations with powerful graphics processing units (GPUs), which is exactly what the attackers are after. Using ‘Advanced Installer,’ a legitimate third-party tool for building Windows installer packages, they have wrapped their malware in trojanized software installers and quietly turned the victims’ GPUs into cryptocurrency-mining hardware for their own profit.
The main targets of this wave of cyber attacks are in France and Switzerland. However, infections have also been reported in other countries such as the United States, Canada, Germany, Algeria, and Singapore, showing the global reach and impact of this threat.
The attackers compromise victims in one of two ways. In the first, a batch script named “core.bat” creates a recurring scheduled task. That task runs a PowerShell script which decrypts the final payload, M3_Mini_Rat, a remote access trojan that gives the attackers interactive control over the compromised machine.
In the second, the installer drops two batch scripts, “core.bat” and “win.bat,” each of which creates a scheduled task that runs a PowerShell script. Those PowerShell scripts deploy the cryptominers PhoenixMiner and lolMiner, which mine cryptocurrency on the victim’s GPU. In both variants the persistence mechanism is the same: a batch file registers a scheduled task, and the task launches PowerShell.
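Because both infection paths persist through a scheduled task whose action is a script host launching a batch or PowerShell file, the Task Scheduler store is a good place to hunt. The following is an added example, not code from the Talos report or from the campaign itself. It parses Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks, or the output of `schtasks /query /tn <name> /xml`) and scores each task on traits this campaign exhibits: a cmd/PowerShell launcher, a script named core.bat or win.bat (the names reported in the article), a script in a user-writable path, hidden or bypass flags, a recurring trigger, and the hidden-task setting. The sample task definitions, task names, user name and file paths are constructed for the example and are not indicators from the campaign.

```python
"""Hunt Task Scheduler definitions for batch-to-PowerShell launchers.

Added example (not the report's or the malware's own code). Task definitions
live under C:\\Windows\\System32\\Tasks as extension-less UTF-16 XML files, or
can be exported with `schtasks /query /tn <name> /xml`.
"""
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Script hosts that a dropper would use as the task's action.
LAUNCHERS = re.compile(r"(?:^|[\\/])(?:cmd|powershell|pwsh|wscript|cscript)(?:\.exe)?$", re.I)
# Script names the article reports for this campaign (weighted highest).
CAMPAIGN_SCRIPTS = re.compile(r"\b(?:core|win)\.bat\b", re.I)
# Any script file handed to the launcher (generic heuristic).
SCRIPT_FILE = re.compile(r"\.(?:bat|cmd|ps1|vbs)\b", re.I)
# PowerShell flags typical of hidden/unsigned execution: -enc/-e, -w hidden, -ep bypass, -nop.
PS_FLAGS = re.compile(
    r"(?:^|\s)-(?:e(?:nc(?:odedcommand)?)?|w(?:indowstyle)?\s+hidden"
    r"|e(?:p|xecutionpolicy)\s+bypass|nop(?:rofile)?|noni(?:nteractive)?)\b", re.I)
# Locations a non-admin installer or user can write to.
USER_WRITABLE = re.compile(
    r"(?:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\"
    r"|%(?:temp|tmp|appdata|localappdata|programdata|userprofile)%)", re.I)


@dataclass
class Finding:
    name: str
    command: str = ""
    arguments: str = ""
    score: int = 0
    reasons: list = field(default_factory=list)


def score_task(name, xml_doc):
    """Parse one task definition (str or bytes) and return a scored Finding."""
    root = ET.fromstring(xml_doc)
    f = Finding(name=name)
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is None:  # COM-handler / e-mail actions are out of scope here
        return f
    f.command = (exec_node.findtext("t:Command", "", NS) or "").strip().strip('"')
    f.arguments = (exec_node.findtext("t:Arguments", "", NS) or "").strip()
    cmdline = f"{f.command} {f.arguments}"

    def hit(points, why):
        f.score += points
        f.reasons.append(why)

    if LAUNCHERS.search(f.command):
        hit(1, "action is a script host (cmd/powershell/wscript)")
    if CAMPAIGN_SCRIPTS.search(f.arguments):
        hit(3, "launches core.bat/win.bat (names reported for this campaign)")
    elif SCRIPT_FILE.search(f.arguments):
        hit(2, "launches a batch/PowerShell/VBS script")
    if PS_FLAGS.search(f.arguments):
        hit(2, "hidden-window, bypass or encoded PowerShell flags")
    if USER_WRITABLE.search(cmdline):
        hit(2, "command or script in a user-writable location")
    triggers = root.find("t:Triggers", NS)
    if triggers is not None and next(triggers.iter(f"{{{TASK_NS}}}Interval"), None) is not None:
        hit(1, "recurring trigger (Repetition/Interval)")
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").lower() == "true":
        hit(1, "task hidden from the Task Scheduler UI")
    return f


def hunt(tasks, threshold=4):
    """tasks: {name: xml}. Returns findings at or above threshold, highest score first."""
    scored = [score_task(n, x) for n, x in tasks.items()]
    return sorted((f for f in scored if f.score >= threshold), key=lambda f: -f.score)


def load_task_dir(root_dir=r"C:\Windows\System32\Tasks"):
    """Read every task file under the store as bytes (expat honours the UTF-16 BOM)."""
    tasks = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                tasks[os.path.relpath(path, root_dir)] = fh.read()
    return tasks


# Constructed sample definitions for the example; not real exports from an infected host.
SAMPLE_TASKS = {
    "OneDrive Standalone Update": rf"""<Task version="1.4" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe</Command></Exec></Actions>
</Task>""",
    "Nightly Backup": rf"""<Task version="1.4" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-File C:\Scripts\backup.ps1</Arguments></Exec></Actions>
</Task>""",
    "Updater_Core": rf"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition><StartBoundary>2023-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c "C:\Users\alice\AppData\Local\Temp\core.bat"</Arguments></Exec></Actions>
</Task>""",
    "Updater_Win": rf"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command><Arguments>-w hidden -ep bypass -File C:\ProgramData\win.ps1</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f"{f.score:>2}  {f.name}: {f.command} {f.arguments}")
        for why in f.reasons:
            print("      -", why)
```

On a live host, replace `SAMPLE_TASKS` with `load_task_dir()` (run elevated, since the Tasks store is ACL-protected). The threshold is deliberately above the score of a plain admin-created PowerShell task such as the "Nightly Backup" sample, so the scoring surfaces the combination of traits rather than any single one; tune the weights to your fleet's baseline and treat a hit as a lead for triage, not a verdict.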
What sets this campaign apart is the use of lolMiner version 1.76, which supports dual mining: it mines two different cryptocurrencies at the same time on one GPU, so the attackers extract more value from each compromised machine.
To stay unnoticed, the threat actors throttle the miners rather than run them flat out. PhoenixMiner and lolMiner are configured to use only 75% of the GPU, and mining pauses when the GPU temperature reaches 70 degrees Celsius. A machine that is not pegged at 100% and not running hot is less likely to make the user suspicious through fan noise, heat or a sluggish viewport. The same throttling has a consequence for defenders: monitoring that only alerts on near-100% sustained GPU utilisation will not fire on this campaign, so detection has to look at which process is using the GPU and how it got there, not just at how much is being used.
The attackers lure their victims with trojanized installers for popular 3D modeling and graphic design software, including Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro. To the user these look like ordinary setup packages, but they carry hidden batch and PowerShell scripts that infect the machine with a remote access trojan (RAT) and cryptomining payloads.
The RAT used in this campaign is the M3_Mini_Rat payload. It gives the attackers system reconnaissance, process management, file system exploration, command and control, file management, data transmission, special checks, and a secure-exit routine.
Both attack methods abuse Advanced Installer, a legitimate and widely used tool for building Windows installer packages. The attackers bundle malicious PowerShell and batch scripts into the package and have them executed through the tool’s Custom Actions feature, which runs arbitrary commands during setup. Because the carrier is a normal-looking installer rather than an obviously suspicious executable, both users and security tools are less likely to flag it.
To help potential victims identify compromises, a list of indicators of compromise for this campaign is available in a GitHub repository. Organizations and individuals can use it to hunt for the dropped scripts, scheduled tasks and miner binaries on their own systems.
As the threat landscape continues to evolve, users should remain vigilant and keep basic security measures in place. Up-to-date antivirus software, regular patching, and caution when downloading and installing software are essential defences against this kind of attack.
Individuals in creative industries, such as graphic designers, should be especially wary of software obtained from unofficial sources. Download installers only from the vendor, check that the installer carries a valid Authenticode signature from that vendor before running it, and scan regularly for malware; these steps materially reduce the risk of falling victim to campaigns like this one.
By staying informed and taking these precautions, both individuals and organizations can keep their valuable computing resources from being hijacked for someone else’s profit.