Carding
Professional
Step-by-step instructions for turning someone else's PC into a cryptocurrency farm.
A legitimate tool for creating software packages called Advanced Installer continues to gain popularity among attackers. It has been abused to install cryptocurrency-mining malware on infected computers since November 2021.
"An attacker uses Advanced Installer to package other legitimate installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts." — explains Cisco Talos researcher Chetan Raghuprasad.
The key element of the attack is the Custom Actions feature of Advanced Installer, which lets the installer author automate tasks during installation. The attackers use it to run the PowerShell script M3_Mini_Rat, which acts as a backdoor and provides remote access to the system.
After activating the backdoor, the victim's computer installs the PhoenixMiner and lolMiner cryptocurrency miners. PhoenixMiner is engaged in mining Ethereum, which is popular for decentralized applications, and lolMiner is unique in that it can mine two cryptocurrencies simultaneously. This feature significantly increases the effectiveness of the attack.
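A defender-side detection sketch for the process chain described above (an installer launching PowerShell via a Custom Action, then a miner appearing under that tree). This is an added example, not code from the article or from Cisco Talos; the event format, process ids and command lines are constructed, and only the process names given in the article are used.

```python
"""Flag installer -> PowerShell -> miner process chains in process-creation events.
Added example; the Sysmon-like event shape and all sample values are constructed."""
import json

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    '{"pid": 100, "ppid": 1,   "image": "explorer.exe",     "cmdline": "explorer.exe"}',
    '{"pid": 200, "ppid": 100, "image": "msiexec.exe",      "cmdline": "msiexec.exe /i SketchUp_Pro_setup.msi"}',
    '{"pid": 300, "ppid": 200, "image": "powershell.exe",   "cmdline": "powershell.exe -File M3_Mini_Rat.ps1"}',
    '{"pid": 400, "ppid": 300, "image": "PhoenixMiner.exe", "cmdline": "PhoenixMiner.exe"}',
    '{"pid": 500, "ppid": 100, "image": "powershell.exe",   "cmdline": "powershell.exe Get-Date"}',
]

# Installer hosts and miner binaries named in the article (lower-cased for matching).
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe"}
MINER_IMAGES = {"phoenixminer.exe", "lolminer.exe"}


def parse_events(lines):
    """Build a pid -> event map from JSON lines."""
    return {e["pid"]: e for e in (json.loads(line) for line in lines)}


def ancestors(procs, pid):
    """Yield ancestor image names, nearest parent first; stops at unknown or looping pids."""
    seen = set()
    p = procs.get(pid)
    while p and p["ppid"] in procs and p["ppid"] not in seen:
        seen.add(p["ppid"])
        p = procs[p["ppid"]]
        yield p["image"].lower()


def find_suspicious_chains(lines):
    """Return (rule, pid) hits for installer-spawned PowerShell and miners under an installer tree."""
    procs = parse_events(lines)
    hits = []
    for pid, e in procs.items():
        img = e["image"].lower()
        chain = list(ancestors(procs, pid))
        # PowerShell whose direct parent is an installer: a Custom Action running a script.
        if img == "powershell.exe" and chain and chain[0] in INSTALLER_IMAGES:
            hits.append(("installer_spawned_powershell", pid))
        # A known miner anywhere beneath an installer process.
        if img in MINER_IMAGES and any(a in INSTALLER_IMAGES for a in chain):
            hits.append(("miner_under_installer", pid))
    return hits
```

The benign PowerShell launched from explorer.exe (pid 500) is not flagged, which is the point of checking the parent rather than just the image name.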
After analyzing the nature of the infected applications, we can conclude that the victims probably work in the fields of architecture, engineering, construction, and entertainment. Software installers mostly use French, which means that French-speaking users are targeted.
Analysis of DNS queries sent to the hackers' servers shows that the victims' footprint covers France and Switzerland, followed by isolated cases of infection in the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam.
Most likely, the attacks used "SEO poisoning", manipulating search engine rankings so that the trojanized installers appear higher in search results.
Another example of abusing legitimate tools is the attack scenario that the cybersecurity company Check Point recently studied. Attackers are using Google Looker Studio, a data visualization app, to create fake websites to steal cryptocurrencies. This approach allows them to bypass traditional security measures.
"In a nutshell, hackers enjoy the authority of Google. Email security services, looking at their emails, will probably decide that the message is not phishing and was sent on behalf of Google."
The Trojan is designed to communicate with a remote server, although so far the server does not respond to requests, which makes it difficult to determine exactly what types of malware can spread through it.
