Hackers have been exploiting a Windows tool to drop cryptocurrency-mining malware since November 2021, as revealed by an analysis from Cisco's Talos Intelligence. The attackers use Windows Advanced Installer, an application that assists developers in packaging software installers, to execute malicious scripts on infected machines.

The software installers affected by the attack are primarily used for 3D modeling and graphic design, and most of them are written in French. This suggests that the victims are likely from various industries, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries. The attacks mainly target users in France and Switzerland, with a few infections reported in other countries such as the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

The illicit crypto mining campaign identified by Talos involves deploying malicious PowerShell and Windows batch scripts to execute commands and establish a backdoor on the victim's machine. Once the backdoor is installed, the attacker deploys additional threats, such as the Ethereum crypto-mining program PhoenixMiner and lolMiner, a multi-coin mining threat. This practice, known as cryptojacking, involves installing crypto mining code on a device without the user's knowledge or permission to illegally mine cryptocurrencies. Signs that mining malware may be running on a machine include overheating and poorly performing devices.
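The behaviours described above (an installer package that launches PowerShell or batch scripts, followed by the PhoenixMiner or lolMiner binaries) are the kind of parent/child process relationships that endpoint telemetry already records. The following is an added example, not code from the Talos report, showing how a defender might flag those relationships in Sysmon-style process-creation events. The event shapes, host names, file paths and the installer parent list (`msiexec.exe`, `setup.exe`) are constructed assumptions; only the miner names come from the article.

```python
"""Toy detection pass over constructed process-creation events.

Added example (not from the Talos report): flags the behaviours the article
describes, namely an installer spawning a script host, batch-script execution,
and the PhoenixMiner / lolMiner binaries, in Sysmon-style parent/child records.
All events, hosts and paths below are constructed sample data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Assumption: installer hosts that legitimately run during a software install.
# A script interpreter launched directly by one of them is worth a second look.
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Miner names taken from the article; matched case-insensitively on the image name.
MINER_NAMES = ("phoenixminer", "lolminer")
BATCH_RE = re.compile(r"\.bat\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list:
    """Return the list of finding labels that apply to one event."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in INSTALLER_PARENTS and child in SCRIPT_HOSTS:
        findings.append("installer-spawned-script-host")
    if child == "cmd.exe" and BATCH_RE.search(ev.command_line):
        findings.append("batch-script-execution")
    if any(name in child for name in MINER_NAMES):
        findings.append("known-miner-binary")
    return findings


def scan(events) -> list:
    """Flatten findings into (host, label) pairs in event order."""
    return [(ev.host, label) for ev in events for label in classify(ev)]


def suspicious_hosts(events, min_distinct=2) -> set:
    """Hosts showing at least `min_distinct` different finding types.

    Requiring more than one finding type keeps a single installer-launched
    PowerShell script (common in legitimate setups) from paging anyone on its own.
    """
    per_host = {}
    for host, label in scan(events):
        per_host.setdefault(host, set()).add(label)
    return {h for h, labels in per_host.items() if len(labels) >= min_distinct}


# Constructed sample telemetry: one compromised workstation, one clean one.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Users\Public\install_helper.ps1"),
    ProcessEvent("ws01", r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\Public\setup.bat"'),
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\PhoenixMiner.exe", "PhoenixMiner.exe"),
    ProcessEvent("ws02", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Blender\blender.exe", "blender.exe"),
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
    print("suspicious hosts:", sorted(suspicious_hosts(SAMPLE_EVENTS)))
```

The first rule alone would be noisy in an environment where many installers legitimately run PowerShell, which is why `suspicious_hosts` only surfaces a machine once it shows more than one of the article's indicators; pairing this with the performance symptoms the article mentions (sustained high CPU or GPU load, overheating) gives a reasonable triage starting point.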
