Cryptocurrency Mining Malware Exploits Windows Tool: A Talos Intelligence Analysis

Hackers have been abusing a legitimate Windows tool to distribute cryptocurrency mining malware since November 2021, according to an analysis by Cisco’s Talos Intelligence. In this campaign, the attacker capitalizes on Advanced Installer, a Windows tool developers often use to package software installers, including applications like Adobe Illustrator, and uses it to deliver malicious scripts onto compromised devices.

The Malicious Deployment Strategy

A blog post dated September 7 revealed that the primary targets of this malware campaign were software installers predominantly used in 3D modeling and graphic design. Adding a twist, the majority of these tainted installers were written in French, which led the analysis to speculate that the victims likely span diverse business verticals, including architecture, engineering, construction, manufacturing, and entertainment, in French-speaking regions.

The impact of these attacks appears most pronounced in France and Switzerland, with a smattering of infections detected in other global locations, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. These insights were gleaned from DNS request data directed towards the attacker’s command and control (C2) host.

The illicit cryptocurrency mining scheme, meticulously dissected by Talos, hinges on deploying malicious PowerShell and Windows batch scripts to execute commands and establish a covert entry point (a backdoor) on the victim’s machine. Notably, PowerShell scripts can run entirely in memory rather than being written to the hard drive, which makes them much harder for file-based defenses to detect.

The attacker’s repertoire goes further, as they leverage this backdoor to execute additional threats. This includes deploying PhoenixMiner, a program for mining Ethereum, and lolMiner, a versatile, multi-coin mining menace.

“These malevolent scripts find their execution ground within Advanced Installer’s Custom Action feature, an avenue allowing users to define custom installation tasks. The final payloads comprise PhoenixMiner and lolMiner, publicly available mining tools harnessing the computational might of a device’s GPU,” explains the Talos report.
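The behaviour the report describes, an installer custom action spawning a script host that launches a GPU miner, leaves a recognisable trace in process-creation telemetry. The following is an added detection example, written for this page and not code from Talos or from Advanced Installer; it assumes events have been normalised into dictionaries with `parent`, `image` and `cmdline` keys (mirroring the Sysmon Event ID 1 fields ParentImage, Image and CommandLine), and the sample events, file paths and the `analyse`/`scan` helper names are constructed for illustration.

```python
"""Heuristic detection of installer-launched scripting and GPU-miner execution.

Added example, not Talos code. Assumes process-creation telemetry has been
normalised into dicts with 'parent', 'image' and 'cmdline' keys. The sample
events below are constructed and mirror Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass

# Script interpreters a benign software installer rarely needs to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Processes that run MSI / Advanced Installer custom actions, plus a loose
# name pattern for self-contained setup executables.
INSTALLER_PARENTS = {"msiexec.exe"}
SETUP_NAME_RE = re.compile(r"(setup|install|installer)[^\\]*\.exe$", re.IGNORECASE)

# Mining payloads named in the Talos report.
MINER_NAMES = ("phoenixminer", "lolminer")

# PowerShell switches commonly used to hide or obfuscate execution.
# Their presence is a signal to triage, not proof of compromise.
SUSPICIOUS_PS_FLAGS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
    "-nop", "-ep bypass", "-executionpolicy bypass",
)


@dataclass
class Finding:
    record_id: int
    reasons: tuple


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_installer_parent(parent):
    """True if the parent process looks like an installer (msiexec or *setup*.exe)."""
    name = basename(parent)
    return name in INSTALLER_PARENTS or bool(SETUP_NAME_RE.search(name))


def analyse(record_id, rec):
    """Apply the three heuristics to one event; return a Finding or None."""
    reasons = []
    image = basename(rec["image"])
    cmd = rec["cmdline"].lower()
    if is_installer_parent(rec["parent"]) and image in SCRIPT_HOSTS:
        reasons.append("installer spawned script host")
    if any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
        reasons.append("hidden/encoded PowerShell switches")
    if any(m in cmd or m in image for m in MINER_NAMES):
        reasons.append("known GPU miner referenced")
    return Finding(record_id, tuple(reasons)) if reasons else None


def scan(records):
    """Run analyse() over a list of events and keep only the hits."""
    return [f for f in (analyse(i, r) for i, r in enumerate(records)) if f]


# Constructed sample telemetry: two suspicious events, two benign ones.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -File C:\\Users\\Public\\core.ps1"},
    {"parent": r"C:\Users\bob\Downloads\Illustrator_Setup_FR.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min C:\\ProgramData\\lolMiner.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i product.msi /qn"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding.record_id}: {', '.join(finding.reasons)}")
```

The parent-child rule is the durable part of this logic: a packaged installer that launches PowerShell or cmd.exe is unusual enough to be worth an analyst's look even when the command line is clean, whereas the flag and miner-name checks only catch the specific tooling this campaign happened to use.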

The Cryptocurrency Mining Arsenal

Crypto mining malware, often dubbed cryptojacking, entails surreptitiously implanting crypto mining code on a device without the user’s consent or awareness, effectively hijacking computing resources to illicitly mine cryptocurrencies. Telltale signs of such malicious activity may include devices overheating and experiencing subpar performance.

This malevolent utilization of malware to co-opt devices for mining or illicit cryptocurrency acquisition is far from a novel practice. Recently, the former smartphone giant, BlackBerry, unmasked malware scripts actively targeting at least three critical sectors: financial services, healthcare, and government.

Amidst the growing concerns surrounding such cyber threats, questions arise about the “moral responsibility” and the potential role of blockchain technology in enhancing trust and security within the realm of Artificial Intelligence (AI).