An analysis by Cisco Talos has revealed that attackers have been abusing a legitimate Windows packaging tool to distribute cryptocurrency-mining malware since November 2021. The attackers used Advanced Installer, a commercial tool that developers use to build installers for Windows software, to bundle trojanized installers for legitimate applications such as Adobe Illustrator; the tool's custom-action feature then executed the attackers' malicious scripts on the victim's machine when the installer ran.
As detailed in a Talos blog post on September 7th, the installers abused in these attacks are mostly for 3D modeling and graphic design software, and most of them were in French. Talos inferred from this that the victims were likely in the architecture, engineering, construction, manufacturing and entertainment sectors, predominantly in French-speaking regions.
Based on DNS requests sent to the attackers' command-and-control host, the infections were concentrated in France and Switzerland, with a smaller number in other countries including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam.
The campaign discovered by Talos used malicious PowerShell and Windows batch scripts to run commands and establish a backdoor on the victim's machine. Because a PowerShell payload can be loaded and executed in memory rather than written to disk as a file, defenses that only scan files may miss it; process-creation telemetry and PowerShell script-block logging are the more reliable sources of evidence. Once the backdoor is in place, the attackers deploy additional payloads, including the Ethereum miner PhoenixMiner and the multi-coin miner lolMiner.
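The chain described above (an installer spawning a batch script, which spawns PowerShell, which launches a miner) leaves a clear trail in process-creation telemetry. The following is an added example, not code from the Talos report or from this article: a small hunt that reads flattened process-creation events (Sysmon Event ID 1 style) and flags script interpreters spawned by installer processes, encoded or hidden PowerShell invocations, and known miner indicators. The sample events, file paths, installer name and pool address are constructed for the example; the miner names and the stratum pool keywords are the assumed indicators, chosen because lolMiner and PhoenixMiner are the miners named in the report.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data): one event per line,
# timestamp|parent_image|image|command_line
SAMPLE_EVENTS = """\
2023-09-01T10:00:01|C:\\Windows\\explorer.exe|C:\\Users\\jdoe\\Downloads\\Adobe_Illustrator_setup.exe|"Adobe_Illustrator_setup.exe"
2023-09-01T10:00:05|C:\\Users\\jdoe\\Downloads\\Adobe_Illustrator_setup.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\core.bat
2023-09-01T10:00:06|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -ep bypass -enc SQBFAFgA...
2023-09-01T10:00:20|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\ProgramData\\lolMiner.exe|lolMiner.exe --algo ETHASH --pool stratum+tcp://pool.example:4444 --user 0xabc
2023-09-01T10:01:00|C:\\Windows\\explorer.exe|C:\\Program Files\\Git\\git-bash.exe|git-bash.exe
2023-09-01T10:02:00|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
"""

# Interpreters an installer has no business spawning in a benign install.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Heuristic: a parent image named like an installer (assumption for this example).
INSTALLER_HINTS = ("setup", "install")
# Assumed miner indicators: the two miners named in the report plus stratum pool syntax.
MINER_INDICATORS = ("lolminer", "phoenixminer", "stratum+tcp", "stratum+ssl", "-pool ")
# -enc / -encodedcommand / -e carry a base64 script; -w hidden hides the console window.
ENCODED_PS = re.compile(r"(?i)\s-(enc|encodedcommand|e)\s")
HIDDEN_PS = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse pipe-separated events; the command line may itself contain pipes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def looks_like_installer(parent: str) -> bool:
    name = basename(parent)
    return name == "msiexec.exe" or any(hint in name for hint in INSTALLER_HINTS)


def classify(ev: Event) -> list[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    image = basename(ev.image)
    cmdline = ev.cmdline.lower()
    if image in SCRIPT_HOSTS and looks_like_installer(ev.parent):
        reasons.append(f"installer {basename(ev.parent)} spawned {image}")
    if image in ("powershell.exe", "pwsh.exe"):
        if ENCODED_PS.search(ev.cmdline):
            reasons.append("encoded PowerShell command")
        if HIDDEN_PS.search(ev.cmdline):
            reasons.append("hidden PowerShell window")
    if any(ind in cmdline or ind in image for ind in MINER_INDICATORS):
        reasons.append("cryptominer indicator")
    return reasons


def hunt(text: str) -> list[tuple[str, str, list[str]]]:
    """Run the classifier over a telemetry dump; return (timestamp, image, reasons) hits."""
    hits = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            hits.append((ev.ts, basename(ev.image), reasons))
    return hits


if __name__ == "__main__":
    for ts, image, reasons in hunt(SAMPLE_EVENTS):
        print(ts, image, "; ".join(reasons))
```

Run against the constructed events, the hunt flags the cmd.exe spawned by the setup executable, the hidden encoded PowerShell, and the lolMiner process, while leaving the benign git-bash launch and the scheduled inventory script alone. On a real estate the same logic applies to Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled; the installer-name heuristic is deliberately loose and is meant as a triage filter, not a verdict.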
This form of attack, known as cryptojacking, installs cryptocurrency-mining code on a device without the user's knowledge or consent and spends the victim's computing resources, and electricity, on mining for the attacker. Sustained high CPU or GPU load, overheating, fan noise and degraded performance are the usual signs that a miner is active on a device.
The use of various malware families to hijack devices for cryptocurrency mining or theft is not a new phenomenon. Recently, BlackBerry, formerly a leading smartphone manufacturer, uncovered malware scripts actively targeting multiple sectors, including financial services, healthcare, and government.