Weaponized Windows Installers Target Graphic Designers in Crypto Heist

Attackers are targeting 3D modelers and graphic designers with malicious versions of a legitimate Windows installer tool in a cryptocurrency-mining campaign that's been ongoing since at least November 2021.

The campaign abuses Advanced Installer, a tool for creating software packages, to hide malware in legitimate installers for software used by creative professionals — such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, according to a report by Cisco Talos' Threat Researcher Chetan Raghuprasad published this week.

Attackers execute malicious scripts through a feature of the installer called Custom Action, dropping several payloads — including the M3_Mini_Rat client stub backdoor, Ethereum cryptomining malware PhoenixMiner, and multi-coin mining threat lolMiner.

Most of the campaign's software installers were written in French, which makes sense as most of the victims are in France and Switzerland, according to the post. However, the campaign also targeted victims in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

Organizations affected are those that typically employ professionals working in 3D modeling and graphic design, including verticals such as architecture, engineering, construction, manufacturing, and entertainment.

Attackers likely targeted these sectors because they use computers with high GPU specifications and powerful graphics cards, which are useful for generating cryptocurrency, Raghuprasad wrote.

Two Attack Methods

Cisco Talos could not determine the initial attack method for how the weaponized software installers were delivered to infected machines. "In the past, we have commonly seen such trojanized installers delivered using the search engine optimization (SEO) poisoning," Raghuprasad acknowledged.

Once delivered, attackers used two multi-stage attack methods for loading malware. The first attack method installs the M3_Mini_Rat client stub to establish a backdoor to the victim's machine, while the second implants PhoenixMiner and lolMiner for cryptomining.

The first attack sequence starts when a victim clicks on a legitimate software installer, which the attacker bundled with a malicious script using Advanced Installer. The attack abuses Advanced Installer's Custom Action feature to execute the dropped malicious batch file, which contains a command to configure the task scheduler in the victim's machine.

The attack vector also drops a malicious PowerShell loader script and an encrypted file, the M3_Mini_RAT client stub. The task created by the original batch file runs every minute to execute the malicious PowerShell loader script, which generates the M3_Mini_Rat client stub and runs it in the victim's machine memory.

M3_Mini_Rat then attempts to connect to the attackers' command-and-control (C2); however, the C2 was unresponsive in the attack that researchers observed, so they did not see any cryptomining payloads dropped.

The second attack method also abuses Advanced Installer and its Custom Actions feature to drop malicious batch scripts, proceeding with an attack that deviates slightly from the first attack but ultimately downloads PowerShell loaders for executing malicious payloads. The researchers managed to observe the launch of the PhoenixMiner and lolMiner from PowerShell in this attack vector.

What's Different

Several aspects of the campaign are unique in terms of other cryptomining attacks, Raghuprasad tells Dark Reading. Attackers' use of PhoenixMiner — a payload that takes over a system's GPU to mine crypto — creates a distinct level of evasion because the miner also can be intentionally installed by the users.

"This poses challenges for the defense systems to classify [the attack] unless they consider other observables of the attack chain," Raghuprasad says.

Attackers also have increased their likelihood of financial gain through the use of lolMiner, which gives them the option to mine several cryptocurrencies at the same time, he says.

Further, the employment of the M3_Mini_RAT, which has remote administration capabilities that mainly focus on performing system reconnaissance, provides valuable insight into the victim's environment and could portend future attacks.

"Its capability of downloading and executing other binary increases the likelihood of follow-on payloads, [such as] other malicious executables or arbitrary commands," Raghuprasad says.

Takeaways and Defense Strategies

With a recent report finding that the lure of cashing in on cryptocurrency sent these types of attacks skyrocketing last year, it's important that organizations remain vigilante to current attack targets and methods, Raghuprasad says.

The Advanced Installer campaign showed attackers pivoting from their typical targets — namely, gamers — as well as a novel use of legitimate installers to achieve their ultimate goal, he says.

"Organizations and users should be aware that threat actors are constantly looking for new avenues to compromise the victims and exploit them," he says. "This is why you want a defense-in-depth approach and need to run things like endpoint security to try and avoid these types of malicious installers."

In fact, users should be vigilant in general while downloading the software installers, making a point to download them only from a legitimate and trusted source, Raghuprasad says.

It's also important that organizations use legitimate copies of applications and not just conduct Web searches for them and download the top result, which could be a malicious ad, he adds.