Cyber attackers have been running a cryptocurrency-mining campaign aimed at 3D modelers and graphic designers since November 2021. Their method involves using modified versions of legitimate Windows installer tools, specifically Advanced Installer, to conceal malware within software installers commonly used by creative professionals.
The attackers exploit Advanced Installer’s “Custom Action” feature to execute malicious scripts that deliver various payloads, including the M3_Mini_Rat client stub backdoor, the Ethereum cryptomining malware PhoenixMiner, and the multi-coin mining threat lolMiner. While most victims are in France and Switzerland, the campaign has also targeted individuals and organizations in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
Industries such as architecture, engineering, construction, manufacturing, and entertainment are among those affected, as they often employ professionals with high GPU specifications and powerful graphics cards, making them attractive targets for crypto mining.
Cisco Talos’ report outlines two attack methods employed by the attackers. The first method involves bundling a malicious script with legitimate software installers, using Advanced Installer’s Custom Action feature to establish a backdoor and configure the task scheduler on the victim’s machine. The second method also utilizes Advanced Installer and Custom Actions to drop malicious batch scripts, leading to the installation of PowerShell loaders that execute malicious payloads, including PhoenixMiner and lolMiner.
What sets this campaign apart is the use of PhoenixMiner, which can be intentionally installed by users, making it harder to detect. The attackers’ use of lolMiner enables them to mine multiple cryptocurrencies simultaneously, increasing their potential financial gains. Additionally, the deployment of the M3_Mini_RAT, with its remote administration capabilities, provides insight into victims’ environments and hints at future attacks, making this campaign particularly concerning.
