Hackers have been using a Windows tool to drop cryptocurrency-mining malware since November 2021, according to an analysis from Cisco’s Talos Intelligence. The attacker exploits Windows Advanced Installer — an application that helps developers package other software installers, such as Adobe Illustrator — to execute malicious scripts on infected machines.
According to a Sept. 7 blog post, the software installers affected by the attack are mainly used for 3D modeling and graphic design. Additionally, most of the software installers used in the malware campaign are written in French. The findings suggest that the “victims are likely across business verticals, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries,” explains the analysis.
The attacks predominantly affect users in France and Switzerland, with a few infections in other countries, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, the post notes based on DNS request data sent to the attacker’s command and control (C2) host.
The illicit crypto mining campaign identified by Talos involves the deployment of malicious PowerShell and Windows batch scripts to execute commands and establish a backdoor in the victim’s machine. PowerShell, specifically, is well-known for running in the memory of the system instead of the hard drive, making it harder to identify an attack.
Once the backdoor is installed, the attacker executes additional threats, such as the Ethereum crypto-mining program PhoenixMiner, and lolMiner, a multi-coin mining threat.
“These malicious scripts are executed using Advanced Installer’s Custom Action feature, which allows users to predefine custom installation tasks. The final payloads are PhoenixMiner and lolMiner, publicly available miners relying on computers’ GPU capabilities”
The use of crypto mining malware is known as cryptojacking, and involves installing a crypto mining code on a device without the user’s knowledge or permission in order to illegally mine cryptocurrencies. Signs that mining malware may be running in a machine include overheating and poorly performing devices.
Using malware families to hijack devices to mine or steal cryptocurrencies isn’t a new practice. Former smartphone giant BlackBerry recently identified malware scripts actively targeting at least three sectors, including financial services, healthcare and government.