Need more gold: how hackers force graphic designers to mine cryptocurrency

Carding

Attackers are deliberately targeting machines with powerful video cards to increase their mining profits.

Researchers from Cisco Talos found that cybercriminals are actively distributing trojanized installers of popular programs for 3D modeling and graphic design, such as Autodesk 3ds Max, Adobe Illustrator and SketchUp Pro, which, the researchers suggest, are promoted using black hat search engine optimization (Black Hat SEO) techniques.

These installers contain hidden malicious scripts that infect specialists' computers with Remote Access Trojans (RATs) and cryptominers.

Attackers focus on these specific targets, as graphic designers, animators, and video editors typically use computers with powerful graphics cards that support higher mining hashrates, making the crypto mining operation more profitable.

According to Cisco Talos experts, this malicious campaign has been running since November 2021. Currently, most of the victims are in France and Switzerland, but there are also significant numbers of infections in the US, Canada, Germany, Algeria and Singapore.

Analysts observed two different attack methods used in this campaign. In both cases, the attackers use a legitimate Windows tool called "Advanced Installer" to create installation files for Windows packaged with malicious PowerShell and batch scripts.

The two attack methods differ in their specific scripts, the complexity of the infection chain, and the final payloads that end up on the compromised device.

The first method uses a batch script (core.bat) to set up a recurring scheduled task that runs a PowerShell script, which in turn decrypts a backdoor called "M3_Mini_Rat". This backdoor gives the attackers remote access, allowing them to perform reconnaissance on the system and install additional payloads.
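The persistence step in this first method (a batch file registering a recurring task that launches PowerShell against a dropped script) leaves a trace in Windows Security event 4698, which embeds the full task XML. The following hunt script is an added example, not Cisco Talos' or the campaign's code; the 4698 records, task names and paths in it are constructed for illustration, and the task XML follows the public Task Scheduler schema.

```python
"""Hunt scheduled-task creation events (Windows Security event 4698) for
script-interpreter persistence: a task that repeatedly launches
powershell.exe/cmd.exe against a script in a user-writable location."""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.I)
EVASION_SWITCHES = re.compile(r"-e(nc|ncodedcommand)\b|-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-nop\b|\biex\b|downloadstring", re.I)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SHORT_REPEAT = 15 * 60  # repetition interval (seconds) considered aggressive for a user task


def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT10M into seconds."""
    m = DURATION.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def score_task(task_xml):
    """Return the reasons a task definition looks like script persistence."""
    # 4698 embeds the XML with an encoding="UTF-16" declaration; ElementTree
    # rejects a str carrying a multi-byte declaration, so strip it first.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    reasons = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = ntpath.basename(cmd).lower()
        if exe in INTERPRETERS:
            reasons.append(f"launches script interpreter {exe}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("runs content from a user-writable path")
        if EVASION_SWITCHES.search(args):
            reasons.append("uses hidden/bypass interpreter switches")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs <= SHORT_REPEAT:
            reasons.append(f"repeats every {secs // 60} min")
    return reasons


def hunt(events):
    """Return (task_name, reasons) for 4698 events that collect two or more reasons."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4698:
            continue
        reasons = score_task(ev["task_content"])
        if len(reasons) >= 2:
            hits.append((ev["task_name"], reasons))
    return hits


def _task(trigger_xml, command, arguments):
    """Build a minimal task definition in the shape 4698 embeds (constructed sample)."""
    return (r'<?xml version="1.0" encoding="UTF-16"?>'
            r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Triggers>{trigger_xml}</Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed 4698 records: one benign vendor updater, two persistence-style tasks.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": r"\ExampleVendor\Updater", "subject": "SYSTEM",
     "task_content": _task("<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
                           r"C:\Program Files\ExampleVendor\Updater.exe", "/silent")},
    {"event_id": 4698, "task_name": r"\GraphicsDriverUpdate", "subject": r"DESIGN-PC\designer",
     "task_content": _task("<LogonTrigger><Repetition><Interval>PT10M</Interval></Repetition></LogonTrigger>",
                           "powershell.exe", r"-w hidden -ep bypass -File C:\Users\designer\AppData\Roaming\core\update.ps1")},
    {"event_id": 4698, "task_name": r"\CoreUpdate", "subject": r"DESIGN-PC\designer",
     "task_content": _task("<BootTrigger/>", "cmd.exe", r'/c "C:\ProgramData\Installer\core.bat"')},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

The two-reason threshold keeps ordinary vendor updaters (signed binaries under Program Files on a daily schedule) out of the results while still catching a task that only trips the interpreter and user-writable-path checks; tune the threshold and the allowlisted paths to the fleet rather than trusting a single indicator.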

The second method leads to the installation of the cryptominer PhoenixMiner or lolMiner. PhoenixMiner is an Ethash miner (ETH, ETC, Musicoin, EXP, UBQ, etc.), and lolMiner supports several protocols, including Etchash, Autolykos2, Beam, Grin, Ae, ALPH, Flux, Equihash, and others.

Both miners use only 75% of the GPU's capacity and pause when the video card reaches 70 degrees Celsius. In this way the attackers avoid a noticeable drop in system performance, overheating and louder fan noise, the signs by which a victim might guess that a cryptominer is running on the machine.
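Because the miners cap themselves below the level a user would notice, GPU telemetry is a better signal than user complaints. The script below is an added example, not code from Cisco Talos or the miners' authors: it reads the output of `nvidia-smi --query-gpu=timestamp,utilization.gpu,temperature.gpu --format=csv,noheader` together with `nvidia-smi --query-compute-apps=pid,process_name,used_memory --format=csv,noheader` sampled once a minute, and flags any process outside an allowlist of design tools that keeps the GPU in a steady mid-utilization band for several consecutive samples. The telemetry lines, process paths and the allowlist are constructed for illustration; the band and sample thresholds are assumptions to tune per fleet.

```python
"""Flag a throttled miner from periodic nvidia-smi samples: an unknown process
holding GPU utilization in a narrow band (the 75% cap described above) for
several consecutive one-minute samples, with the temperature creeping toward 70C."""
import ntpath
import re
from collections import defaultdict

# Design tools expected to drive the GPU on these workstations (constructed allowlist).
KNOWN_GPU_APPS = {"3dsmax.exe", "illustrator.exe", "sketchup.exe", "dwm.exe"}
GPU_RE = re.compile(r"^(?P<ts>\S+ \S+), (?P<util>\d+) %, (?P<temp>\d+)$")
APP_RE = re.compile(r"^(?P<pid>\d+), (?P<name>.+?), (?P<mem>\d+) MiB$")


def parse_sample(gpu_line, app_lines):
    """Return (utilization %, temperature C, [process basenames]) for one sample."""
    g = GPU_RE.match(gpu_line)
    if g is None:
        raise ValueError(f"unexpected nvidia-smi line: {gpu_line!r}")
    apps = [ntpath.basename(APP_RE.match(a)["name"]).lower() for a in app_lines]
    return int(g["util"]), int(g["temp"]), apps


def find_throttled_miners(samples, band=(60, 85), min_samples=5):
    """Map process name -> (consecutive in-band samples, max temperature seen)
    for non-allowlisted processes that stayed in the band for min_samples or more."""
    streak = defaultdict(int)
    max_temp = {}
    hits = {}
    for gpu_line, app_lines in samples:
        util, temp, apps = parse_sample(gpu_line, app_lines)
        in_band = band[0] <= util <= band[1]
        present = set(apps)
        for name in present - KNOWN_GPU_APPS:
            if in_band:
                streak[name] += 1
                max_temp[name] = max(max_temp.get(name, 0), temp)
                if streak[name] >= min_samples:
                    hits[name] = (streak[name], max_temp[name])
            else:
                streak[name] = 0
        # A process that vanished between samples restarts its streak.
        for name in list(streak):
            if name not in present:
                streak[name] = 0
    return hits


# Constructed one-minute samples: the designer works in Illustrator, then a miner
# appears and parks the GPU around 75% while the temperature climbs to 70C.
ILLUSTRATOR = r"4120, C:\Program Files\Adobe\Illustrator\Illustrator.exe, 512 MiB"
MINER = r"7788, C:\Users\designer\AppData\Roaming\core\lolMiner.exe, 3072 MiB"
SAMPLES = [
    ("2023/09/01 10:00:00.000, 35 %, 48", [ILLUSTRATOR]),
    ("2023/09/01 10:01:00.000, 20 %, 47", [ILLUSTRATOR]),
    ("2023/09/01 10:02:00.000, 73 %, 55", [ILLUSTRATOR, MINER]),
    ("2023/09/01 10:03:00.000, 76 %, 61", [MINER]),
    ("2023/09/01 10:04:00.000, 74 %, 66", [MINER]),
    ("2023/09/01 10:05:00.000, 75 %, 68", [MINER]),
    ("2023/09/01 10:06:00.000, 74 %, 69", [MINER]),
    ("2023/09/01 10:07:00.000, 73 %, 70", [MINER]),
]

if __name__ == "__main__":
    for name, (count, temp) in find_throttled_miners(SAMPLES).items():
        print(f"{name}: {count} consecutive samples in band, peak {temp}C")
```

On a real fleet the same logic fits a scheduled collector that ships the two nvidia-smi outputs to a SIEM; the key design choice is correlating utilization with the process list rather than alerting on utilization alone, since a render job from an allowlisted tool produces the same load curve.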

To avoid becoming a victim of such attacks, experts recommend downloading software exclusively from official or at least verified sources, using advanced antivirus solutions, and regularly updating the operating system and installed programs, since updates often include fixes for vulnerabilities that hackers can take advantage of.

Following these guidelines can significantly reduce the risk of becoming a victim of such cyber attacks.