- Advanced Installer is a legitimate Windows tool for creating software packages.
- It is also the package that some threat actors are abusing to drop cryptocurrency-mining malware on infected machines.
The attackers use Advanced Installer to package other legitimate software installers, including SketchUp Pro, Autodesk 3DS, Adobe Illustrator, and many more. The nature of these applications indicates that the victims are likely to span architecture, engineering, construction, and related fields.
Reason Behind Cybercriminals Weaponizing Legitimate Advanced Installer Tools in Crypto Mining Attacks
Attackers operating from IP addresses based in France, Germany, and Luxembourg have been using Advanced Installer, a legitimate Windows tool for creating software packages, to drop cryptocurrency-mining malware on computers across several sectors.
The industries targeted in this campaign rely on computers with high graphics processing unit (GPU) power for daily operations, which makes them lucrative targets for cryptojacking.
Cisco’s analysis of the DNS request data sent to the attacker’s infrastructure shows that the victim footprint spans France and Switzerland, followed by sporadic infections in Canada, the US, Algeria, Germany, Sweden, Singapore, and many other countries.
The attacks culminate in the deployment of M3_Mini_Rat, a PowerShell script that likely acts as a backdoor to download and execute additional threats, together with multiple cryptocurrency-mining malware families such as PhoenixMiner and lolMiner.
As for the initial access vector, search engine optimization (SEO) poisoning techniques are suspected to have been used to deliver the rigged software installers to victims’ machines.
Once the installer is launched, it activates a multi-stage attack chain that drops the M3_Mini_Rat client stub and the miner binaries.
The trojan is also designed to contact a remote server, though that server is currently unresponsive, which makes it difficult to determine the exact nature of the malware that may have been distributed through it.
In another case of legitimate tool abuse, Check Point is warning of a new phishing attack that leverages Google Looker Studio to create bogus cryptocurrency sites that sidestep protections.
A researcher said the hackers were using it to create fake crypto pages designed to steal money and credentials. In other words, the hackers are leveraging Google’s authority: an email security service that looks at all these factors treats the message with a good deal of confidence.
Finally, cryptocurrency mining is especially popular on machines with high-end GPUs because it is lucrative, and the malware can often run stealthily in the background, letting the malicious activity persist longer and potentially go unnoticed by users.