Cisco Talos researchers have uncovered an ongoing cybercriminal campaign involving the distribution of installers for popular 3D modeling and graphic design software like Autodesk 3ds Max, Adobe Illustrator, and SketchUp Pro. These malicious installers employ Black Hat SEO techniques to reach their targets.
These seemingly legitimate software installers conceal malicious scripts that, once executed, deploy remote access trojans (RATs) and cryptocurrency miners onto the systems of unsuspecting users.
The attackers deliberately target professionals in fields such as graphic design, animation, and video editing. These individuals often use high-performance computers with robust graphics cards capable of achieving higher hash rates for cryptocurrency mining, making their systems more enticing for crypto-mining operations.
Crypto Malware Strikes Globally: Advanced Installer Abused
According to Cisco Talos experts, this malware campaign has been active since November 2021. While the majority of victims are in France and Switzerland, notable infections have also occurred in the US, Canada, Germany, Algeria, and Singapore.
Analysts have identified two distinct attack methods within this campaign. In both scenarios, attackers exploit the legitimate Windows tool “Advanced Installer” to create Windows installation files bundled with malicious PowerShell and batch scripts.
These two attack methods diverge in terms of script complexity, the intricacy of the infection chain, and the final payloads deployed on compromised devices.
The first method employs a batch script (core.bat) to establish a recurring task that runs a PowerShell script decrypting a backdoor named “M3_Mini_Rat.” This backdoor grants attackers remote access, enabling them to conduct system reconnaissance and introduce additional payloads to the compromised system.
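A defender-side check for the persistence mechanism just described: a recurring scheduled task whose action launches PowerShell on a script file. This is an added example, not Talos's or the campaign's code; it triages task definitions in the Windows Task Scheduler XML format (as exported by `schtasks /query /xml`), and the two task definitions embedded below are constructed samples, not indicators from the campaign.

```python
"""Triage Windows Scheduled Task XML for a recurring PowerShell action.
Real tasks can be exported with: schtasks /query /xml /tn <task name>.
The sample definitions below are constructed for illustration only."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PS_NAMES = ("powershell", "pwsh")
# Argument fragments that commonly accompany script-launching persistence.
ARG_MARKERS = ("hidden", "bypass", "-enc", ".ps1")


def triage_task(xml_text: str) -> dict:
    """Return findings for one task definition; 'flag' is True when the task
    both repeats on an interval and runs PowerShell."""
    root = ET.fromstring(xml_text)
    findings = {"recurring": False, "powershell": False, "markers": []}
    # A <Repetition> block under any trigger re-runs the action on an interval.
    if root.find(".//t:Triggers//t:Repetition/t:Interval", NS) is not None:
        findings["recurring"] = True
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", "", NS) or "").lower()
        args = (exec_.findtext("t:Arguments", "", NS) or "").lower()
        if any(name in cmd for name in PS_NAMES):
            findings["powershell"] = True
            findings["markers"] += [m for m in ARG_MARKERS if m in args]
    findings["flag"] = findings["recurring"] and findings["powershell"]
    return findings


# Constructed sample: repeats every minute and runs a hidden PowerShell script.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -f C:\Users\Public\example_task.ps1</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a one-shot task running an ordinary executable.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger /></Triggers>
  <Actions><Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml))
```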
The second method results in the installation of either the PhoenixMiner or lolMiner cryptocurrency miner. PhoenixMiner specializes in Ethash-based cryptocurrencies, while lolMiner supports various protocols.
Both miners deliberately utilize only 75% of the GPU’s capacity and pause mining activities when the graphics card approaches a temperature of 70 degrees Celsius. This cautious approach prevents noticeable drops in system performance, overheating, and increased fan activity that might tip off the victim to the presence of a cryptominer.
To fortify defenses against such attacks, experts recommend exclusively downloading software from official or trusted sources, employing robust antivirus solutions, and regularly updating both the operating system and installed applications. Frequent updates often include patches for vulnerabilities that could be exploited by hackers.
Adhering to these guidelines can substantially reduce the risk of falling prey to such cyber threats.