Attackers Leverage Windows Advanced Installer to Drop Cryptocurrency Malware

Cyber Security Threat Summary:
Attackers operating from IP addresses in France, Luxembourg, and Germany have been using the legitimate Windows tool Advanced Installer to build software packages that deliver cryptocurrency-mining malware to computers in several sectors. According to Cisco Talos researchers, who reported the campaign on September 7, the payloads include the M3_Mini_RAT client stub, a remote access trojan that lets the attackers establish a backdoor and download and execute additional threats, among them PhoenixMiner for Ethereum mining and lolMiner, a multi-coin miner. The primary targets are industries that rely heavily on 3D modeling and graphic design, because their machines carry powerful GPUs and graphics cards that are well suited to cryptocurrency generation. The attackers use Advanced Installer to bundle legitimate installers such as Adobe Illustrator and Autodesk 3ds Max with malicious scripts, then use the tool's Custom Action feature to execute those scripts on computers in sectors such as architecture, engineering, construction, and manufacturing. The campaign focuses mainly on users in France and Switzerland, with some infections detected in the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. Notably, most of the software installers used in the campaign are in French, consistent with the observation that it predominantly targets French-speaking users.
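Because the delivery hinges on MSI Custom Actions, one defensive check is to enumerate every CustomAction in a package before it is deployed and review any entry that runs an executable or script. The PowerShell script below is an added example, not code from the Talos report or from Advanced Installer; it reads the package through the Windows Installer COM automation API and assumes the path of the .msi is supplied as a parameter.

```powershell
# Added example: list the CustomAction table of an MSI so script-type actions can be
# reviewed before deployment. Uses the Windows Installer COM automation API.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath    # path of the .msi to inspect (assumed argument)
)

# Low bits of the CustomAction Type column: base type (bits 0-2) and source location (bits 4-5).
$BaseTypes = @{ 1 = 'DLL'; 2 = 'EXE'; 3 = 'TextData'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'NestedMSI' }
$Sources   = @{ 0x00 = 'Binary table'; 0x10 = 'Installed file'; 0x20 = 'Directory'; 0x30 = 'Property' }

# Late-bound COM helpers: the Windows Installer objects are called via reflection.
function Invoke-ComMethod($Object, $Name, $ArgList) {
    $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $ArgList)
}
function Get-ComProperty($Object, $Name, $ArgList) {
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $ArgList)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$database  = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = open read-only
$view      = Invoke-ComMethod $database 'OpenView' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
Invoke-ComMethod $view 'Execute' $null | Out-Null

# Fetch returns $null once the table is exhausted.
while ($record = Invoke-ComMethod $view 'Fetch' $null) {
    $type = [int](Get-ComProperty $record 'IntegerData' @(2))
    $base = $BaseTypes[$type -band 0x07]
    if (-not $base) { $base = "Unknown($type)" }

    [pscustomobject]@{
        Action        = Get-ComProperty $record 'StringData' @(1)
        Kind          = $base
        SourceKind    = $Sources[$type -band 0x30]
        Deferred      = [bool]($type -band 0x400)   # runs in the execute sequence, possibly elevated
        NoImpersonate = [bool]($type -band 0x800)   # runs as LocalSystem instead of the installing user
        ExecutesCode  = $base -in @('EXE', 'DLL', 'JScript', 'VBScript')
        SourceRef     = Get-ComProperty $record 'StringData' @(3)
        Target        = Get-ComProperty $record 'StringData' @(4)
    }
}
```

Legitimate installers also carry custom actions, so the output is a review list rather than a verdict; entries that execute code with Deferred and NoImpersonate set deserve the closest look.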

Security Officer Comments:
Long-lasting stealthy cyber campaigns, as highlighted by Shawn Surber of Tanium, can be challenging to detect but pose serious threats. Attackers who infiltrate deeply into networks can do more than just hijack GPU resources; they can steal data and set up malicious logic bombs, potentially turning their covert attack into disruptive ransomware. Even without such actions, the strain on powerful GPUs can have significant financial and operational consequences, including reduced productivity and increased power consumption.

These attacks underscore the need for collaboration between operational and security teams, as traditional security tools may struggle to detect such intrusions. Performance monitoring tools should be finely tuned to spot unusual activities.

Suggested Correction(s):
Researchers at Cisco Talos have published the following IOCs that can be used for detection: