Hackers have been using a Windows tool to drop cryptocurrency-mining malware since November 2021, according to an analysis from Cisco’s Talos Intelligence. The attacker exploits Windows Advanced Installer — an application that helps developers package other software installers, such as Adobe Illustrator — to execute malicious scripts on infected machines.
According to a Sept. 7 blog post, the software installers affected by the attack are mainly used for 3D modeling and graphic design. Additionally, most of the software installers used in the malware campaign are written in French. The findings suggest that the “victims are likely across business verticals, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries," explains the analysis.
The attacks predominantly affect users in France and Switzerland, with a few infections in other countries, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, the post notes based on DNS request data sent to the attacker’s command and control host.
The illicit crypto mining campaign identified by Talos involves the deployment of malicious PowerShell and Windows batch scripts to execute commands and establish a backdoor in the victim’s machine. PowerShell, specifically, is well-known for running in the memory of the system instead of the hard drive, making it harder to identify an attack.
Once the backdoor is installed, the attacker executes additional threats, such as the Ethereum crypto-mining program PhoenixMiner, and lolMiner, a multicoin mining threat.
The use of crypto-mining malware is known as cryptojacking, and it involves installing crypto-mining code on a
Read more on cointelegraph.com