Advanced Installer, a legitimate tool for building software installation packages, continues to gain popularity among attackers. Since November 2021 it has been used to deliver cryptocurrency-mining malware to infected computers.
“The attacker uses Advanced Installer to pack other legitimate installers, such as Adobe Illustrator, Autodesk 3DS Max, and Sketchup Pro, with malicious scripts,” explained Chetan Raghuprasad, a researcher from Cisco Talos.
The key element of the attack is Advanced Installer's Custom Action feature, which lets an installer run additional processes automatically during installation. Through this feature the campaign launches the PowerShell script M3_Mini_rat, which functions as a backdoor providing remote access to the system.
Once the backdoor is active on the victim's computer, the Phoenixminer and Lolminer cryptocurrency miners are installed. Phoenixminer mines Ethereum, a cryptocurrency particularly popular for decentralized applications, while Lolminer can mine two cryptocurrencies simultaneously, making the attack more effective.
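Because a Custom Action runs its script under the Windows Installer process, the telemetry artifact a defender can hunt for is PowerShell being spawned by msiexec.exe during an install. The following detection script is an added example written for this article, not code from Cisco Talos or from the campaign. It assumes Sysmon Event ID 1 (process creation) records exported as JSON lines with the fields Image, ParentImage and CommandLine; the sample events, the file paths and the base64 string inside them are constructed for illustration and are not real indicators from the report.

```python
"""Flag process-creation events in which msiexec.exe (the Windows Installer
host that executes MSI custom actions) spawns PowerShell, and annotate each
hit with the launch flags analysts usually care about.

Added example; assumes Sysmon Event ID 1 style JSON lines. The sample
telemetry below is constructed, not captured from a real incident.
"""
import base64
import json
import re
from typing import Optional

# Constructed sample telemetry (JSON lines). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Users\\u\\Downloads\\Setup.exe", "CommandLine": "msiexec.exe /i C:\\Users\\u\\Downloads\\product.msi"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\placeholder_install.ps1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "powershell.exe -NoProfile -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="}
"""

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
INSTALLER_HOST = "msiexec.exe"

# PowerShell accepts abbreviated parameter names, so match the common short forms too.
HIDDEN_WINDOW = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)
POLICY_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
ENCODED_COMMAND = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries UTF-16LE text in base64; return it, or None if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(jsonl: str) -> list:
    """Return one finding per PowerShell process whose parent is msiexec.exe."""
    findings = []
    for raw in jsonl.strip().splitlines():
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("EventID") != 1:
            continue
        child = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        if child not in POWERSHELL_IMAGES or parent != INSTALLER_HOST:
            continue
        cmd = event.get("CommandLine", "")
        reasons = ["powershell spawned by msiexec.exe (installer custom action)"]
        if HIDDEN_WINDOW.search(cmd):
            reasons.append("hidden window")
        if POLICY_BYPASS.search(cmd):
            reasons.append("execution policy bypass")
        decoded = None
        match = ENCODED_COMMAND.search(cmd)
        if match:
            reasons.append("encoded command")
            decoded = decode_encoded_command(match.group(1))
        findings.append({"command": cmd, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["command"])
        print("  reasons:", "; ".join(finding["reasons"]))
        if finding["decoded"] is not None:
            print("  decoded:", finding["decoded"])
```

The parent/child pairing is the core of the rule; the flag checks only rank the hits. Legitimate installers do sometimes run PowerShell from a custom action, so in production the output should be joined with the installer's file name and signer (also present in Sysmon data) before it is promoted to an alert.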
Based on the kinds of applications that were trojanized, the victims most likely work in the architecture, engineering, construction, and entertainment sectors. The installers are primarily aimed at French-speaking users.
An analysis of the DNS queries sent to the hackers’ servers reveals that the victims are predominantly located in France and Switzerland. Other cases of infection have been identified in the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
Another example of attackers leveraging legitimate tools was identified by Check Point. The cybersecurity company recently analyzed a campaign that abuses Google Looker Studio, a data visualization application, to create fake websites for cryptocurrency theft. This technique lets attackers bypass traditional security measures.
“In a nutshell, hackers exploit the credibility of Google. By employing the appearance of being sent from Google, their phishing emails can evade detection by Email Security Services,” noted the researchers.
The Trojan discovered in this attack is designed to establish communication with a remote server. Because the server has not yet responded to requests, it is difficult to determine what kinds of malware could be distributed through it.