September 7, 2023.
Since at least November 2021, cybercriminals have been misusing Advanced Installer, a legitimate Windows tool for software packaging, to distribute cryptocurrency-mining malware on compromised devices. In this scheme, the attacker uses Advanced Installer to bundle genuine software installers such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro with malicious scripts. Through Advanced Installer's Custom Actions feature, the attacker ensures these scripts run during the installation process. The trojanized installers are mainly French-language versions of 3-D modeling and graphic design software, which points to victims across architecture, engineering, construction, manufacturing, and entertainment, particularly in regions where French is the dominant language. The malicious payloads comprise the M3_Mini_Rat client stub, which creates a backdoor, the Ethereum cryptocurrency miner PhoenixMiner, and lolMiner, a multi-coin mining threat. These installers were likely chosen because the software they accompany demands powerful Graphics Processing Units (GPUs), which adversaries exploit for cryptocurrency mining.
Image courtesy of TALOS
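As an added detection example (not code from Talos or from the campaign), the hunt below runs two checks over Sysmon-style process-creation records: a script interpreter spawned by the Windows Installer engine, which is how a script-based Custom Action surfaces at runtime, and a mining-pool URL on a command line. It assumes MSI-based setups whose Custom Actions run under msiexec.exe, the field names Image, ParentImage and CommandLine, and constructed sample events.

```python
"""Hunt for installer-triggered script execution and mining-pool indicators.

Added example, not Talos's code. Assumes Sysmon-style process-creation
records (Image, ParentImage, CommandLine); sample events are constructed.
"""
import ntpath
import re
from typing import Iterable

# MSI Custom Actions execute under msiexec.exe, so a script interpreter whose
# parent is msiexec.exe is the runtime shape of a script-based Custom Action.
INSTALLER_PARENTS = {"msiexec.exe"}
SCRIPT_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# A stratum pool URL on the command line is a stable indicator across miner builds.
POOL_URL = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the list of rule names that fire for one process-creation event."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if parent in INSTALLER_PARENTS and image in SCRIPT_INTERPRETERS:
        findings.append("installer_spawned_script")
    if POOL_URL.search(event.get("CommandLine", "")):
        findings.append("mining_pool_cmdline")
    return findings


def hunt(events: Iterable[dict]) -> list:
    """Return (ProcessId, findings) for every event that triggers at least one rule."""
    return [(e.get("ProcessId"), f) for e in events if (f := classify(e))]


SAMPLE_EVENTS = [  # constructed for this example, not from a real incident
    {"ProcessId": 101, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msiexec.exe /i Setup.msi"},
    {"ProcessId": 102, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\postinstall.bat"'},
    {"ProcessId": 103, "Image": r"C:\ProgramData\miner.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "miner.exe --pool stratum+tcp://pool.example:4444 --user wallet"},
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS):
        print(pid, findings)
```

Legitimate MSI packages also use script Custom Actions, so the first rule is a triage signal to pair with the installer's source and signature rather than an alert on its own.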