Legitimate Tools, Sinister Exploits: Attackers Ride the Advanced Installer Wave
Since November 2021, attackers have increasingly favored a legitimate software packaging tool, Advanced Installer, abusing it to implant cryptocurrency-mining malware on compromised computers.
According to Cisco Talos researcher Chetan Raghuprasad, the attacker leverages Advanced Installer to bundle legitimate installers like Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro with malicious scripts.
At the core of this attack lies the Custom Actions feature of Advanced Installer, which lets an installer run arbitrary tasks automatically during program installation. A malicious custom action launches the PowerShell script M3_Mini_Rat, which functions as a backdoor and grants the attacker remote access to the system.
Following the activation of the backdoor, the victim’s computer is infiltrated by cryptocurrency miners PhoenixMiner and lolMiner. PhoenixMiner specializes in Ethereum mining, widely used in decentralized applications, while lolMiner stands out for its ability to mine two cryptocurrencies concurrently, significantly amplifying the attack’s impact.
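The infection chain described above (installer custom action spawning PowerShell, which in turn launches a miner) is a parent-child process pattern that can be spotted in endpoint telemetry. The following detection routine is an added example, not code from Cisco Talos or the campaign; the event format, the installer host names (msiexec.exe, setup.exe) and all sample events are constructed assumptions, while the miner names come from the report.

```python
from dataclasses import dataclass

# Assumed process names: the report names only Advanced Installer, PowerShell and the two miners.
INSTALLER_HOSTS = {"msiexec.exe", "setup.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
MINER_HINTS = ("phoenixminer", "lolminer")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'pid=..;ppid=..;image=..;cmdline=..' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split(";", 3))
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                     fields["image"].lower(), fields["cmdline"].lower())

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def find_suspicious_chains(lines):
    """Return (label, pid tuple) findings for installer -> PowerShell -> miner patterns."""
    by_pid = {e.pid: e for e in (parse_event(l) for l in lines if l.strip())}
    findings = []
    for e in by_pid.values():
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, par = basename(e.image), basename(parent.image)
        # Stage 1: an installer process launching a script host (a custom action running PowerShell)
        if par in INSTALLER_HOSTS and child in SCRIPT_HOSTS:
            findings.append(("installer_spawns_powershell", (parent.pid, e.pid)))
        # Stage 2: the script host launching a known miner; report the full chain if its parent was an installer
        if par in SCRIPT_HOSTS and any(h in child or h in e.cmdline for h in MINER_HINTS):
            grandparent = by_pid.get(parent.ppid)
            if grandparent is not None and basename(grandparent.image) in INSTALLER_HOSTS:
                findings.append(("installer_powershell_miner_chain", (grandparent.pid, parent.pid, e.pid)))
            else:
                findings.append(("powershell_spawns_miner", (parent.pid, e.pid)))
    return findings

# Constructed sample telemetry: one malicious chain plus benign background activity.
SAMPLE_EVENTS = [
    "pid=100;ppid=1;image=C:\\Windows\\System32\\msiexec.exe;cmdline=msiexec /i SketchUpPro_setup.msi",
    "pid=200;ppid=100;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmdline=powershell -file helper.ps1",
    "pid=300;ppid=200;image=C:\\Users\\Public\\PhoenixMiner.exe;cmdline=phoenixminer.exe",
    "pid=400;ppid=1;image=C:\\Windows\\explorer.exe;cmdline=explorer.exe",
    "pid=500;ppid=400;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmdline=powershell Get-Date",
]
```

Running `find_suspicious_chains(SAMPLE_EVENTS)` flags the installer-to-PowerShell step and the complete installer-to-PowerShell-to-miner chain while ignoring the interactive PowerShell session under explorer.exe.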
Based on the nature of the trojanized applications, the victims appear to operate predominantly in sectors such as architecture, engineering, construction, and entertainment. Additionally, these installers are mostly in French, suggesting a focus on French-speaking users.
Analysis of DNS queries directed to the hackers’ servers reveals that the footprint of victims primarily spans France and Switzerland, with sporadic infections in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
These attacks likely relied on “SEO poisoning”, manipulating search engine rankings so that the trojanized installers appear prominently in search results.
Another illustration of exploiting legitimate tools is evident in a recent investigation by cybersecurity firm Check Point. Attackers are utilizing Google Looker Studio, a data visualization application, to craft fraudulent websites aimed at pilfering cryptocurrencies. This approach allows them to circumvent traditional defense mechanisms.
In essence, hackers capitalize on Google’s credibility to deceive email security services into believing that their messages are not phishing attempts and are genuinely from Google.
The trojan in use is designed to communicate with a remote server. However, thus far, the server has remained unresponsive, making it challenging to ascertain the precise types of malware it might be distributing.