Cybercriminals target graphic designers with GPU miners

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021.

The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts, and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts.

The software installers targeted in this campaign are specifically used for 3-D modeling and graphic design, and most of them use the French language, indicating that the victims are likely across business verticals, including architecture, engineering, construction, manufacturing and entertainment, in French-language-dominant countries.

The payloads include the M3_Mini_Rat client stub, which allows the attacker to establish a backdoor and download and execute additional threats; the Ethereum cryptocurrency-mining malware PhoenixMiner; and lolMiner, a multi-coin mining threat.

Cybercriminals are likely exploiting these particular software installers because of their need for high Graphics Processing Unit (GPU) power to function, which adversaries rely on to mine cryptocurrency.
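The abuse described above, a Custom Action that makes a legitimate-looking MSI package run a script, leaves a characteristic trace in endpoint telemetry: a script interpreter whose parent process is the Windows Installer service (msiexec.exe). The following detection is an example added to this summary, not tooling from the original article or from Cisco Talos. It assumes process-creation events in a simplified Sysmon Event ID 1 layout (the real `Image`, `ParentImage` and `CommandLine` field names) and that a scripted Custom Action is launched by msiexec.exe, which is how Windows Installer executes them. The sample events are constructed; none of them are real indicators from the campaign.

```python
"""Flag script interpreters spawned by the Windows Installer (msiexec.exe),
the process tree an MSI Custom Action produces when it runs a script.
Example code added to this article; not the original author's tooling."""
import json

# Constructed sample events (not real telemetry) in a simplified Sysmon
# Event ID 1 layout, serialised as JSON lines the way a log shipper would.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    # A user double-clicks an installer: benign.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'msiexec.exe /i "Illustrator_Setup.msi"'},
    # The Windows Installer service starting its worker: benign.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "msiexec.exe /V"},
    # A Custom Action running a hidden PowerShell script: suspicious (high).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -File "C:\Users\Public\MSI1234.tmp\setup.ps1"'},
    # A Custom Action running a batch file: suspicious (medium).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\MSI1234.tmp\post_install.bat"'},
    # A script interpreter with a non-installer parent: not this pattern.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Date"},
]]

INSTALLER_HOSTS = {"msiexec.exe"}
SCRIPT_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}
# Command-line fragments that hide or obscure what the script does; their
# presence raises the severity of an otherwise medium-confidence hit.
HIDDEN_MARKERS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ")


def parse_event(line):
    """Decode one JSON-lines process-creation event into a dict."""
    return json.loads(line)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_installer_script_execution(event):
    """True when a script interpreter was spawned directly by msiexec.exe."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in INSTALLER_HOSTS and child in SCRIPT_INTERPRETERS


def severity(command_line):
    """'high' if the command line tries to hide the script, else 'medium'."""
    normalised = " ".join(command_line.lower().split())
    return "high" if any(m in normalised for m in HIDDEN_MARKERS) else "medium"


def find_suspicious(lines):
    """Return one finding per event that matches the installer->script pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_installer_script_execution(event):
            continue
        command_line = event.get("CommandLine", "")
        hits.append({
            "parent": basename(event["ParentImage"]),
            "child": basename(event["Image"]),
            "command_line": command_line,
            "severity": severity(command_line),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['parent']} -> {hit['child']}: {hit['command_line']}")
```

Legitimate packages also use scripted Custom Actions, so treat a match as a triage lead rather than a verdict: baseline which signed installers in your fleet do this, and escalate when the script drops into a user-writable directory, runs hidden, or is followed by sustained GPU load from a process the installer did not advertise.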

Victimology

The attacks predominantly target users in France and Switzerland, with a few infections in other geographic areas, including the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, according to our analysis of the DNS request data sent to the attacker’s command and control (C2) host. Most of the software installers used in this campaign are written in French, supporting our observation that this campaign primarily targets French-speaking users.

The campaign likely affects business verticals such as architecture, engineering, construction, manufacturing and entertainment, as the attackers use software installers specifically created for 3-D modeling and graphic design. These industries are likely attractive targets for illicit cryptomining as they use computers with high GPU specifications and powe ..
