2023-09-07

Cybercriminals have discovered a new method to target graphic designers, infecting their computers with cryptocurrency miners. The attackers are using a legitimate Windows tool called ‘Advanced Installer’ to distribute malicious scripts disguised as installers for popular 3D modeling and graphic design software.

The campaign, discovered by Cisco Talos, has been active since at least November 2021. The attackers are likely using black hat search engine optimization techniques to promote these infected installers. When users download and run the installers, they unknowingly install remote access trojans (RATs) and cryptomining payloads.

Graphic designers, animators, and video editors are the primary targets of this campaign. These professionals often use computers with powerful GPUs that can sustain higher mining hash rates, making them more profitable for the attackers.

Cisco’s analysts have identified two distinct attack methods used in this campaign. Both methods utilize Advanced Installer to create installer files packed with malicious PowerShell and batch scripts. These scripts are executed upon launching the installer. The first attack method sets up a recurring task running a PowerShell script that decrypts the final payload. The second attack method drops two malicious scripts that set up scheduled tasks to run PowerShell scripts.
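Both methods above persist by registering scheduled tasks that launch PowerShell. One way a defender can hunt for that pattern is to parse exported Task Scheduler definitions (the XML that `schtasks /query /xml` or `Export-ScheduledTask` produces) and flag tasks whose action runs PowerShell with hidden-window, policy-bypass, encoded-command or user-writable-path arguments on a recurring trigger. The following is an added example, not code from Cisco Talos or from the report; the two task definitions, their names and paths are constructed for illustration and are not indicators from the campaign.

```python
"""Flag Windows scheduled tasks that launch PowerShell in a way matching
the persistence pattern described above (a recurring task running a
PowerShell script). Input is Task Scheduler XML; the two samples below
are constructed for this example, not artefacts from the campaign."""
import re
import xml.etree.ElementTree as ET

# Default namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Argument patterns a defender would weigh when the command is PowerShell.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"(?:%APPDATA%|%TEMP%|\\AppData\\|\\Temp\\|\\ProgramData\\).*\.ps1", re.I),
     "script in user-writable path"),
]

# Constructed sample: a daily task running a hidden PowerShell script from %APPDATA%.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\UpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File %APPDATA%\Installer\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a legitimate nightly backup script, also PowerShell, also daily.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Backup\NightlySync</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoProfile -File C:\Program Files\Backup\sync.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""


def is_recurring(root):
    """True if any trigger fires on a calendar schedule or with a Repetition block."""
    if root.find("t:Triggers/t:CalendarTrigger", NS) is not None:
        return True
    return any(trig.find("t:Repetition", NS) is not None
               for trig in root.findall("t:Triggers/*"))


def analyze_task(xml_text):
    """Return (task_uri, reasons); reasons is empty when nothing suspicious was found."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    reasons = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().lower()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if "powershell" not in command and "pwsh" not in command:
            continue  # only PowerShell actions are in scope for this check
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(arguments):
                reasons.append(label)
    # A recurring trigger on top of suspicious PowerShell usage is what makes it persistence.
    if reasons and is_recurring(root):
        reasons.append("recurring trigger")
    return uri, reasons


def scan_tasks(task_xml_list):
    """Return {task_uri: reasons} for every task that raised at least one indicator."""
    flagged = {}
    for xml_text in task_xml_list:
        uri, reasons = analyze_task(xml_text)
        if reasons:
            flagged[uri] = reasons
    return flagged


if __name__ == "__main__":
    for uri, reasons in scan_tasks([SUSPICIOUS_TASK, BENIGN_TASK]).items():
        print(f"{uri}: {', '.join(reasons)}")
```

On a live host the XML would come from exporting each registered task rather than from the embedded samples; the benign backup task shows why the check keys on the argument patterns rather than on "PowerShell on a schedule" alone, which would flood an analyst with legitimate automation.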

The payloads delivered through these attacks include a remote access tool called M3_Mini_Rat, which gives attackers control over infected systems. The RAT can perform various functions such as system reconnaissance, process management, file system exploration, command and control tasks, file management, data transmission, and more. The other two payloads, PhoenixMiner and lolMiner, mine cryptocurrency by hijacking the computational power of graphics cards.

The attackers behind this campaign appear to be primarily interested in financial gain. The second attack method, which deploys cryptominers, focuses on swift financial gains at a higher risk of detection. The M3_Mini_Rat payload, on the other hand, allows the attackers to maintain discreet, prolonged access to target systems.

The campaign has primarily affected victims in France and Switzerland, with notable infections in the United States, Canada, Germany, Algeria, and Singapore. To protect against this type of attack, users should be cautious when downloading software from unofficial sources and ensure that they are using legitimate and up-to-date installers.

