Malicious actors now use Windows tools to spread crypto-mining malware.
Cisco's Talos Intelligence has identified an ongoing hacking campaign using Windows Advanced Installer to distribute crypto-mining malware.
The campaign has been active since November 2021 and predominantly targets users in French-speaking countries.
The hackers take advantage of Windows Advanced Installer, a tool developers commonly use to package installers for software such as Adobe Illustrator. The malicious installers focus primarily on software associated with 3D modeling and graphic design, as revealed in a blog post by Talos Intelligence on September 7th.
Most infected installers are written in French, making industries like architecture, engineering, and entertainment in French-dominant countries like France and Switzerland particularly vulnerable.
The attackers gain control by deploying malicious scripts using PowerShell and Windows batch commands. These scripts create a backdoor on the victim's computer; the PowerShell component is especially hard to detect because it runs in the system's memory rather than from a file on the hard drive. Once the backdoor is established, the hackers launch additional malware, including well-known crypto-mining programs such as PhoenixMiner and lolMiner.
These programs use the GPU of the victim's computer to mine Ethereum (ETH) and other cryptocurrencies.
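The chain described above (an installer package spawning in-memory PowerShell, followed by a known miner process) leaves a recognizable parent/child trail in process-creation telemetry. The following is an added triage example, not code from the Talos report or from any vendor; the event field names follow the Sysmon Event ID 1 layout, the sample events are constructed, and the installer parent names and PowerShell flag patterns are assumptions.

```python
# Added example: flag the installer -> fileless PowerShell -> miner chain in
# constructed process-creation events. Not from the Talos report.
import re

# Miner executables named in the article.
KNOWN_MINERS = {"phoenixminer.exe", "lolminer.exe"}
# Parent images typical of an MSI / packaged-installer custom action (assumption).
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}
# PowerShell switches that hide the window or run code without a script on disk.
FILELESS_FLAGS = re.compile(
    r"-(?:enc(?:odedcommand)?|e)\b|-w(?:indowstyle)?\s+hidden|-nop\b", re.I)

def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, event_id) findings for suspicious process creations."""
    findings = []
    for ev in events:
        img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
        if img in KNOWN_MINERS:
            findings.append(("known_miner_process", ev["id"]))
        if (img in {"powershell.exe", "pwsh.exe"} and parent in INSTALLER_PARENTS
                and FILELESS_FLAGS.search(ev["CommandLine"])):
            findings.append(("installer_spawned_fileless_powershell", ev["id"]))
    return findings

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\u\Downloads\Setup.exe",
     "CommandLine": "msiexec /i pkg.msi"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"id": 3, "Image": r"C:\ProgramData\x\PhoenixMiner.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "PhoenixMiner.exe -pool pool.example:4444"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for rule, eid in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

Event 4 (an interactive, unencoded PowerShell launched from Explorer) is deliberately left unflagged so the rule does not fire on ordinary admin use.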
The campaign has a global reach, affecting users in countries like the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. Indicators that such malware may be running on a system include overheating and underperforming devices.
Cisco's Talos report noted that this is part of a broader trend of cybercriminals using known malware families to hijack devices and either mine or steal cryptocurrencies. Recently, BlackBerry uncovered malware campaigns targeting at least three sectors, including financial services, healthcare, and government.
The cryptojacking trend, wherein hackers exploit computing resources to illegally mine cryptocurrencies, continues to rise. This recent campaign using Windows Advanced Installer to distribute mining malware underscores the increasing sophistication of such attacks and the need for continued vigilance among users and corporations alike.