
Advanced Installer’s Crypto Twist

By Marcel Bich

Oct 15, 2023

Since November 2021, a legitimate software packaging tool known as Advanced Installer has been increasingly favored by attackers. It has been exploited to implant cryptocurrency mining-related malware on compromised computers.

Legitimate Tools, Sinister Exploits: Attackers Ride the Advanced Installer Wave

According to Cisco Talos researcher Chetan Raghuprasad, the attacker leverages Advanced Installer to bundle legitimate installers like Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro with malicious scripts.

At the core of this attack lies the Custom Actions feature within Advanced Installer, which automates processes during program installation. The attackers use this feature to trigger the PowerShell script M3_Mini_Rat, which functions as a backdoor and grants remote system access.

Following the activation of the backdoor, the victim’s computer is infiltrated by cryptocurrency miners PhoenixMiner and lolMiner. PhoenixMiner specializes in Ethereum mining, widely used in decentralized applications, while lolMiner stands out for its ability to mine two cryptocurrencies concurrently, significantly amplifying the attack’s impact.
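As an added example (not from the Talos research or the original article), the chain described above can be hunted in process-creation telemetry: PowerShell descending from an installer process, followed by a miner executable. The event fields, PIDs and paths are constructed, and both the use of msiexec.exe as the installer host and the miner file names are assumptions.

```python
import ntpath

INSTALLERS = {"msiexec.exe"}                   # assumption: the package runs under Windows Installer
SHELLS = {"powershell.exe", "pwsh.exe"}
MINERS = {"phoenixminer.exe", "lolminer.exe"}  # assumed file names for the miners named in the article

# Constructed process-creation events; every PID and path here is made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\a\Downloads\setup.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 230, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 240, "ppid": 230, "image": r"C:\ProgramData\app\PhoenixMiner.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 310, "ppid": 100, "image": r"C:\Users\a\Desktop\lolMiner.exe"},
]

def name(event):
    """Lower-cased executable name taken from a Windows path."""
    return ntpath.basename(event["image"]).lower()

def lineage(event, by_pid):
    """Ancestor process names, nearest first; stops on unknown parents or PID loops."""
    names, seen = [], {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        names.append(name(parent))
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return names

def find_alerts(events):
    """Return (pid, rule) pairs. Assumes PIDs are unique within the batch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = lineage(e, by_pid)
        from_installer = any(n in INSTALLERS for n in chain)
        if name(e) in SHELLS and from_installer:
            alerts.append((e["pid"], "powershell-under-installer"))
        elif name(e) in MINERS:
            scripted = from_installer and any(n in SHELLS for n in chain)
            alerts.append((e["pid"], "miner-after-installer-script" if scripted else "miner-process"))
    return alerts

if __name__ == "__main__":
    for pid, rule in find_alerts(SAMPLE_EVENTS):
        print(pid, rule)
```

The interactive PowerShell session (PID 300) launched from the desktop shell is not flagged; only the one with an installer in its ancestry is.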

Based on the nature of the infected applications, it appears that the victims predominantly operate within sectors such as architecture, engineering, construction, and entertainment. Additionally, most of these program installers are in French, suggesting a focus on French-speaking users.

Analysis of DNS queries directed to the hackers’ servers reveals that the footprint of victims primarily spans France and Switzerland, with sporadic infections in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

These attacks likely employed tactics like “SEO poisoning”, that is, manipulating search engine rankings to boost the visibility of their installers in search results.

Another illustration of exploiting legitimate tools is evident in a recent investigation by cybersecurity firm Check Point. Attackers are utilizing Google Looker Studio, a data visualization application, to craft fraudulent websites aimed at pilfering cryptocurrencies. This approach allows them to circumvent traditional defense mechanisms.

In essence, hackers capitalize on Google’s credibility to deceive email security services into believing that their messages are not phishing attempts and are genuinely from Google.

The trojan in use is designed to communicate with a remote server. However, thus far, the server has remained unresponsive, making it challenging to ascertain the precise types of malware it might be distributing.

 