2023-09-14

Cryptominers Spread Through Advanced Installer

Level: Tactical | Source: Cisco Talos

Category: Threat Actor Activity | Industries: Architecture, Construction, Engineering, Entertainment, Manufacturing, Marketing | Source: Cisco Talos

Since November 2021, cybercriminals have abused Advanced Installer, a legitimate Windows packaging tool, to distribute cryptocurrency-mining malware, according to a report by Cisco Talos. In this campaign, attackers bundle legitimate software installers used in 3-D modeling and graphic design, such as Adobe Illustrator and Autodesk 3ds Max, with malicious scripts. Cisco Talos suggests that cybercriminals target these specific software installers because the applications demand high Graphics Processing Unit (GPU) power, which the adversaries can then exploit for crypto-mining. The scripts leverage Advanced Installer's Custom Actions feature to deliver payloads such as the M3_Mini_Rat client stub, PhoenixMiner, and lolMiner.

In terms of victimology, entities located in France and Switzerland appear to be the primary focus of the campaign. This is supported by the fact that the installers are primarily written in French, although some infections have also been observed in the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. As for business verticals, the entities targeted include those in architecture, engineering, construction, manufacturing, and entertainment, where tasks requiring 3-D modeling and graphic design are common.

Cisco Talos' analysis outlines two attack methodologies used in this campaign: one for establishing a backdoor with M3_Mini_Rat and another for deploying PhoenixMiner and lolMiner. The initial stages of the two attacks are similar: a malicious installer launches msiexec, which is followed by the execution of batch and PowerShell scripts and the creation of a scheduled task for persistence. Further analysis of the attacker's command and control (C2) infrastructure used by the backdoor was halted because the C2 was unavailable. Talos found that mining for Ethereum coins started slowly between November and December 2021 but increased significantly starting in October 2022. Tallying the total from January 2023, "the adversaries generated more than 50 Ethereum Classic, and on July 9, 2023, alone mined more than 50 (the equivalent of about $800 USD based on current values)."
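A defender-side illustration of the chain described above, added here as an example and not part of the Talos report or Anvilogic's own content: a small Python detector that walks constructed Windows process-creation events and flags an msiexec.exe process whose descendant tree contains both a script host (cmd.exe or PowerShell) and a schtasks.exe /create call. The event field names loosely mirror Sysmon Event ID 1 fields but are assumptions, and the sample events are constructed, not taken from the campaign.

```python
# Added example: detect "msiexec -> batch/PowerShell script -> scheduled task"
# over constructed process-creation events. Field names (pid, ppid, image, cmd)
# are assumptions modelled on Sysmon Event ID 1, not a real log schema.
from collections import defaultdict

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (not from the report), in process-creation order.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": 'msiexec.exe /i "Illustrator_Setup.msi"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c "%TEMP%\\install.bat"'},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -ep bypass -f stage.ps1"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\svc.exe"},
    # Benign control: an installer whose msiexec spawns nothing further.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /i legit.msi"},
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_installer_persistence_chains(events):
    """Return PIDs of msiexec.exe processes whose descendants include
    both a script host and a schtasks.exe /create invocation."""
    children = defaultdict(list)
    by_pid = {}
    for ev in events:
        by_pid[ev["pid"]] = ev
        children[ev["ppid"]].append(ev["pid"])
    hits = []
    for ev in events:
        if basename(ev["image"]) != "msiexec.exe":
            continue
        saw_script = saw_task = False
        stack = list(children[ev["pid"]])
        while stack:  # depth-first walk over the msiexec process subtree
            d = by_pid[stack.pop()]
            name = basename(d["image"])
            saw_script |= name in SCRIPT_HOSTS
            saw_task |= name == "schtasks.exe" and "/create" in d["cmd"].lower()
            stack.extend(children[d["pid"]])
        if saw_script and saw_task:
            hits.append(ev["pid"])
    return hits
```

Running it over the sample events flags only PID 200; the benign msiexec (PID 600) has no script or task descendants and is ignored.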
