A legitimate Windows tool used to create software packages, called Advanced Installer, has been abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021.
“The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer’s Custom Actions feature to make the software installers execute the malicious scripts,” Cisco Talos researcher Chetan Raghuprasad said in a technical report.
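Because the installer abuse described above hinges on Custom Actions, the most direct check a defender can run on a suspicious package is to list what its Custom Actions would execute before the package is ever run. The script below is an added example, not code from Cisco Talos or from the Advanced Installer project; it assumes the package is a Windows Installer `.msi` file (Advanced Installer can also emit `.exe` bootstrappers, which this script does not unpack) and uses the standard `WindowsInstaller.Installer` COM object to read the `CustomAction` table read-only.

```powershell
# Added example: enumerate Custom Actions in an MSI so the installer's
# embedded executables and scripts can be reviewed before installation.
# Assumption: the input is an .msi file; the package is opened read-only
# and nothing in it is executed.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath
)

# Base custom-action types (low 6 bits of CustomAction.Type) that run code.
# Values from the Windows Installer CustomAction table documentation.
$codeTypes = @{
    1  = 'DLL (Binary table)';   2  = 'EXE (Binary table)'
    5  = 'JScript (Binary)';     6  = 'VBScript (Binary)'
    17 = 'DLL (installed file)'; 18 = 'EXE (installed file)'
    21 = 'JScript (file)';       22 = 'VBScript (file)'
    34 = 'EXE (path)';           37 = 'JScript (inline text)'
    38 = 'VBScript (inline text)'
    50 = 'EXE (from property)';  53 = 'JScript (property)'
    54 = 'VBScript (property)'
}
# Flag bits worth surfacing: deferred in-script execution and no-impersonate
# (the action runs with elevated installer-service privileges).
$inScript      = 0x400
$noImpersonate = 0x800

# Interpreters that a script-dropping Custom Action typically launches;
# a match is a review trigger, not proof of malice.
$interpreterPattern = 'powershell|pwsh|cmd\.exe|cscript|wscript|mshta|rundll32|\.bat|\.ps1|\.vbs|\.js'

$installer = New-Object -ComObject WindowsInstaller.Installer
# OpenDatabase(path, 0): mode 0 = msiOpenDatabaseModeReadOnly
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))

$query = 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
$null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)

$findings = @()
while ($true) {
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { break }

    $action = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
    $type   = [int]$record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(2))
    $source = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(3))
    $target = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(4))

    $baseType = $type -band 0x3F
    $runsCode = $codeTypes.ContainsKey($baseType)
    $findings += [pscustomobject]@{
        Action          = $action
        BaseType        = if ($runsCode) { $codeTypes[$baseType] } else { "type $baseType (non-code)" }
        Deferred        = [bool]($type -band $inScript)
        NoImpersonate   = [bool]($type -band $noImpersonate)
        Source          = $source
        Target          = $target
        # Interpreter launches and inline script bodies are what deserve a manual look.
        ReviewFlag      = $runsCode -and (($target -match $interpreterPattern) -or
                                          ($source -match $interpreterPattern) -or
                                          ($baseType -in 37, 38))
    }
}
$null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)

# Print everything; flagged rows first so a long table still surfaces the interesting actions.
$findings | Sort-Object -Property @{Expression = 'ReviewFlag'; Descending = $true}, Action |
    Format-Table -AutoSize
```

Run it as `.\Get-MsiCustomActions.ps1 -MsiPath .\suspect.msi` on an analysis host. An installer for a graphics product that carries an EXE- or script-type Custom Action whose target launches `powershell.exe` or `cmd.exe`, especially one marked deferred and no-impersonate, is exactly the pattern the Talos report describes and warrants extracting and reading that script before the package is trusted.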
The nature of the Trojanized applications indicates that victims likely include the architecture, engineering, construction, manufacturing, and entertainment sectors. The installers predominantly use French, a sign that French-speaking users are being targeted.
The campaign is strategic in that these industries rely on computers with high graphics processing unit (GPU) power for their daily operations, making them attractive targets for cryptojacking.
Cisco’s analysis of the DNS request data sent to the attacker’s infrastructure shows that the victimology footprint spans France and Switzerland, followed by sporadic infections in the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
The attacks culminated in the deployment of M3_Mini_Rat, a PowerShell script that likely acted as a backdoor to download and execute additional threats, as well as several cryptocurrency-mining malware families such as PhoenixMiner and LolMiner.
For the initial access vector, it is suspected that search engine optimization (SEO) poisoning techniques may have been employed to deliver rigged software installers to victims’ machines.
The installer, once launched, activates a multi-stage attack chain that drops the M3_Mini_Rat client stub and the miner binaries.
“The M3_Mini_Rat client is a PowerShell script with remote administration capabilities that primarily focuses on performing system reconnaissance and downloading and executing other malicious binaries,” Raghuprasad said.
The Trojan is designed to contact a remote server, although it is currently unresponsive, making it difficult to determine the exact nature of the malware distributed through this process.
Two other malicious payloads are used to illegally mine cryptocurrencies using the machine’s GPU resources. PhoenixMiner is an Ethereum cryptocurrency-mining malware, while LolMiner is an open-source mining software that can be used to mine two virtual currencies at the same time.
In another case of misuse of a legitimate tool, Check Point is warning of a new type of phishing attack that takes advantage of Google Looker Studio to create fake cryptocurrency phishing sites in an attempt to bypass security.
Security researcher Jeremy Fuchs said, “Hackers are using it to create fake crypto pages that are designed to steal money and credentials.”
“This is a long way of saying that hackers are taking advantage of Google’s authority. An email protection service will look at all of these factors and be fairly confident that it’s not a phishing email, and that it comes from Google.”