Cybercriminals target graphic designers with GPU miners
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines.
Thursday, September 7, 2023 08:09
- Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021.
- The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer’s Custom Actions feature to make the software installers execute the malicious scripts.
- The software installers targeted in this campaign are used for 3-D modeling and graphic design, and most of them are French-language versions, indicating that the victims are likely spread across business verticals, including architecture, engineering, construction, manufacturing and entertainment, in French-speaking countries.
- The payloads include the M3_Mini_Rat client stub — which allows the attacker to establish a backdoor and download and execute additional threats, the Ethereum cryptocurrency-mining malware PhoenixMiner, and lolMiner, a multi-coin mining threat.
- The attacker likely chose these particular software installers because the applications they install require powerful Graphics Processing Units (GPUs), the same hardware the miners rely on to generate cryptocurrency.
Victimology
The attacks predominantly target users in France and Switzerland, with a few infections in other geographic areas, including the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, according to our analysis of the DNS request data sent to the attacker’s command and control (C2) host. Most of the software installers used in this campaign are written in French, supporting our observation that this campaign primarily targets French-speaking users.
The campaign likely affects business verticals such as architecture, engineering, construction, manufacturing and entertainment, as the attackers use software installers specifically created for 3-D modeling and graphic design. These industries are likely attractive targets for illicit cryptomining as they use computers with high GPU specifications and powerful graphics cards useful for generating cryptocurrency.
Campaign overview: Cybercriminals abuse Advanced Installer to execute cryptominers
Talos discovered an ongoing illicit cryptocurrency mining campaign that deploys malicious payloads by abusing the tool Advanced Installer. This is a legitimate tool designed to create software packages for Windows. However, the attackers used it to package legitimate software installers with malicious PowerShell and Windows batch scripts. These malicious scripts are executed using Advanced Installer’s Custom Action feature, which allows users to predefine custom installation tasks. The final payloads are PhoenixMiner and lolMiner, publicly available miners relying on computers’ GPU capabilities.
An example of a software installer packaged with malicious scripts using Advanced Installer.
In the same time frame, we also observed the attacker deploying the M3_Mini_Rat client stub using tactics, techniques and procedures (TTPs) highly similar to those of the mining activity. (In remote-procedure terminology, a stub is the client-side code that marshals parameters between client and server.) The M3_Mini_Rat client stub is the PowerShell client script generated by the M3_Mini_Rat builder; once running, it establishes a backdoor on the victim’s machine. We could not determine whether this backdoor was used for cryptomining, but we assess the activity as likely part of the same campaign that deployed PhoenixMiner and lolMiner: in both cases the attacker abused Advanced Installer and its Custom Actions feature to deploy malicious scripts, and the attack sequences and naming conventions are highly similar, as detailed in the methodology sections below.
Attacker’s infrastructure
Analysis of the infrastructure used in this campaign revealed location data for the attacker-controlled C2 servers and other malware deployed from these servers in previous campaigns. The C2 server had the domain sysnod[.]duckdns[.]org, which resolved to an IP 104[.]244[.]76[.]183 in Luxembourg. Based on passive DNS resolution data, we discovered the domain sysnod[.]duckdns[.]org had previously resolved to the IPs 79[.]134[.]225[.]70 and 79[.]134[.]225[.]124 in Germany. In different malicious campaigns, these servers were operated as C2 servers for various RATs, including Nanocore, njRAT and AsyncRAT, suggesting that they were likely used by the same attacker in their previous campaigns. In another iteration of this mining campaign, the attacker had a malicious download server with the IP address 51[.]178[.]39[.]184 in France, which staged the intermediate PowerShell loaders, the encrypted PowerShell launcher scripts, PhoenixMiner and lolMiner.
The attacker has used multiple wallet addresses since the campaign began in 2021 to mine different cryptocurrencies. In this campaign, we observed the attacker using the wallet addresses “0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352” and “0xbCa8d14Df89cc74B158158E55FCaF5022a103795” for Ethereum Classic (ETC), and “t1KHZ5Piuo4Ke7i6BXfU4” and “t1KHZ5Piuo4Ke7i6BXfU4A” for FLUX (ZelHash). Talos’ analysis of ETC transactions on the blockchain revealed that the attacker transferred cryptocurrency from those parent wallets to several other wallets. Based on this data, we compiled a timeline of the attacker’s mining activity and the amount of ETC mined since November 2021.
After mining only a small amount of ETC in November and December 2021, the activity took off in October 2022. In January 2023, the adversaries generated more than 50 ETC, and on July 9, 2023, alone they mined more than 50 ETC (the equivalent of about $800 USD at current values).
Two methodologies used to establish a backdoor or implant cryptominers
Talos discovered two multi-stage attack methodologies the attacker employed in this campaign. The first shows how the M3_Mini_Rat client stub was installed and used to establish a backdoor to the victim’s machine. The second outlines how PhoenixMiner and lolMiner were implanted for cryptomining. We could not determine how the trojanized software installers were initially delivered to the victims’ machines; in the past, we have commonly seen such trojanized installers delivered through search engine optimization (SEO) poisoning.
Attack method 1: Installing M3_Mini_Rat client stub
Summary of the first attack method.
The attack sequence starts when a victim runs a legitimate software installer that the attacker bundled with a malicious script using Advanced Installer. The installer drops a malicious batch script named “core.bat” in the local user profile’s application data temporary folder (%LOCALAPPDATA%\Temp) and writes “viewer.exe,” the legitimate Advanced Installer PE component that launches custom actions, to C:\Windows\Installer under a temporary name (“MSI72E2.tmp” in this sample). To execute the malicious script, the attacker abused Advanced Installer’s Custom Action feature by supplying command-line arguments that point this launcher at the dropped batch file.
During installation, msiexec.exe (the Windows Installer executable that interprets installation packages and installs products on the target system) runs “MSI72E2.tmp” (viewer.exe) with the configured command-line arguments, which in turn execute the malicious batch script. The process chain identified while analyzing the sample in our sandbox is shown below:
msiexec.exe C:\Windows\Installer\MSI72E2.tmp /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\user\AppData\Local\Temp\core.bat"
Then, the software installer creates a folder called “webgard” in the local user profile roaming folder, and drops a malicious PowerShell loader script named “cor.ps1” (PS-1) and an encrypted file named “core.bin” which is the M3_Mini_RAT client stub.
The malicious batch script “core.bat,” dropped during the initial execution stage of the software installer, configures the Task Scheduler on the victim’s machine. It creates a task named “ViGEmBusUpdater” that runs every minute and executes the malicious PowerShell loader script in the “webgard” folder with the execution policy bypassed and the window hidden. The attacker may have chosen the name “ViGEmBusUpdater” to evade detection by masquerading as the legitimate “ViGEmBusUpdater” executable. The schtasks command is shown below:
schtasks /create /NP /sc minute /mo 1 /tn "ViGEmBusUpdater" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Webgard\cor.ps1" /f
When the “ViGEmBusUpdater” task fires, the malicious PowerShell loader script decrypts “core.bin” to recover the M3_Mini_Rat client stub and runs it in memory on the victim’s machine. The client stub then attempts to connect to the C2; during our analysis the C2 was unresponsive, so we were unable to observe any subsequent payloads, in particular cryptominers.
Screen capture of the PowerShell loader (PS-1).
Attack method 2: Installing PhoenixMiner and lolMiner
Summary of the second attack method.
In the second method, the attacker also abuses Advanced Installer and its Custom Actions feature to drop malicious batch scripts. As in method one, user interaction is required to run the software installer that has been bundled using Advanced Installer, which drops “viewer.exe” as a temporary file with a random filename and “core.bat” in the local user profile application data temporary folder. The second method is slightly different, as the installer is also bundled with a second batch script called “win.bat” that is dropped and saved alongside the other files. Then, “viewer.exe” executes the two dropped batch files based on the Custom Action commands, as previously outlined.
Another similarity between the two methods is that the software installer creates a folder, in this instance called “Winsoft,” in the local user roaming profile and drops a malicious PowerShell loader script “core.ps1” (PS-1) and an encrypted file “core.bin” (ENC-1).
The malicious batch script “win.bat” configures the Task Scheduler by creating a task named “MSI Task Host - Detect_Monitor” that runs every 120 minutes (two hours) with the highest run level and executes the malicious PowerShell loader script “core.ps1” (PS-1) from “%appdata%\Winsoft.” The schtasks command executed by “win.bat” is shown below.
win.bat
schtasks /create /NP /sc minute /mo 120 /tn "MSI Task Host - Detect_Monitor" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Winsoft\core.ps1" /RL HIGHEST /f
When the scheduled task “MSI Task Host - Detect_Monitor” is run, the PowerShell loader script (PS-1) is executed, which decrypts the encrypted file “core.bin” (ENC-1), generating and executing a PowerShell downloader script.
Screen capture of the dropped PowerShell loader (PS-1).
The PowerShell downloader retrieves a malicious ZIP archive from an attacker-controlled server and saves it to %windir% on the victim’s machine. It unzips the archive to drop another PowerShell loader script, “core.ps1” (PS-2), an encrypted file (ENC-2), and the PhoenixMiner Ethash miner executable under the filename “svhost.exe.”
A snippet of the PowerShell downloader which runs in the victim’s machine memory.
The malicious batch script “core.bat” creates a second scheduled task, named “ViGEmBusUpdater1” in this sample (a variant of the task name used in the first method), which runs as SYSTEM every minute and executes the downloaded PowerShell loader script (PS-2) from %windir%. The schtasks command executed by “core.bat” is shown below.
core.bat
schtasks /create /ru SYSTEM /sc minute /mo 1 /tn "ViGEmBusUpdater1" /tr " 'powershell' -ExecutionPolicy Bypass %windir%\core.ps1" /f
When this task runs, the downloaded PowerShell loader script (PS-2) executes from %windir%, decrypts the dropped encrypted file (ENC-2) and generates a PowerShell launcher script, which it executes in the victim’s system memory.
Screen capture of the downloaded PowerShell loader (PS-2).
The PowerShell launcher runs PhoenixMiner from %windir% with Ethereum Classic mining parameters. The attacker uses the filename “svhost.exe,” which differs by a single character from the legitimate Windows executable “svchost.exe” in the Windows system folder, most likely in an attempt to go unnoticed in process listings and by the process-scanning engines of endpoint security products.
Screen capture of the PowerShell launcher that executes in memory to run PhoenixMiner.
In another trojanized software installer sample we analyzed, the attack chain is identical to the second attack method except for the payload, which is lolMiner. The attacker named lolMiner “svshost.exe,” again likely to masquerade as “svchost.exe,” dropped it in %windir% and ran it via the PowerShell launcher script to mine FLUX (ZelHash).
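The following Python hunting script is an added example, not code from Talos or from the campaign. It encodes the patterns shared by both attack methods as rules (an MSI custom-action launcher handed a dropped script, a schtasks task that runs a hidden, policy-bypassing PowerShell loader from AppData or %windir% at a short interval or with elevated rights, and a process image whose name is one or two characters off a core Windows binary) and runs them over process-creation records constructed from the command lines quoted above. The sample records, the indicator threshold and the list of binary names used for the lookalike check are assumptions made for the example.

```python
"""Hunting rules for the installer-abuse, scheduled-task and lookalike-name
patterns of both attack methods, run over constructed process-creation records.
Added example; rules, thresholds and sample events are assumptions."""
import re

MSI_TMP = re.compile(r"\\Windows\\Installer\\MSI[0-9A-F]{4}\.tmp$", re.I)
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:bat|cmd|ps1|vbs|js))"?', re.I)
# Where the post's loaders were staged: roaming/local AppData, Temp, %windir%
STAGING_PATH = re.compile(r"%appdata%|%localappdata%|%temp%|%windir%|\\AppData\\|\\Temp\\", re.I)
SYSTEM_BINARIES = ("svchost.exe", "conhost.exe", "explorer.exe", "winlogon.exe")  # assumed list

# Constructed records (Sysmon event 1 / Security 4688 style) modelled on the
# command lines quoted in the post, plus two benign controls and the miner launch.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Windows\Installer\MSI72E2.tmp",
     "cmdline": r'''C:\Windows\Installer\MSI72E2.tmp /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\user\AppData\Local\Temp\core.bat"'''},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks /create /NP /sc minute /mo 1 /tn "ViGEmBusUpdater" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Webgard\cor.ps1" /f'''},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks /create /NP /sc minute /mo 120 /tn "MSI Task Host - Detect_Monitor" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Winsoft\core.ps1" /RL HIGHEST /f'''},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks /create /ru SYSTEM /sc minute /mo 1 /tn "ViGEmBusUpdater1" /tr " 'powershell' -ExecutionPolicy Bypass %windir%\core.ps1" /f'''},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",  # benign
     "cmdline": r'''schtasks /create /sc hourly /tn "Vendor Update Task" /tr "C:\Program Files\Vendor\Updater.exe" /f'''},
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Windows\Installer\MSI1A2B.tmp",  # benign
     "cmdline": r'''C:\Windows\Installer\MSI1A2B.tmp /RunAsAdmin "C:\Program Files\Vendor\setup.exe"'''},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\svhost.exe",
     "cmdline": r"C:\Windows\svhost.exe -coin etc -pool eu1-etc.ethermine.org:4444"},
]


def _opt(cmd, name):
    """Value of a schtasks switch such as /tr "..." or /mo 1, or None if absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def analyze_custom_action(event):
    """Advanced Installer helper (MSI<hex>.tmp under C:\\Windows\\Installer) told to run a script."""
    if not MSI_TMP.search(event["image"]):
        return []
    m = SCRIPT_ARG.search(event["cmdline"])
    if not m:
        return []  # custom action launches an executable, not a script: not this pattern
    hits = [f"custom action runs script {m.group(1)}"]
    if STAGING_PATH.search(m.group(1)):
        hits.append("script staged in AppData/Temp")
    hits += [f for f in ("/HideWindow", "/RunAsAdmin", "/EnforcedRunAsAdmin")
             if f.lower() in event["cmdline"].lower()]
    return hits


def analyze_schtasks(cmdline):
    """Indicators from a 'schtasks /create' command line; empty list if it is not one."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.I):
        return []
    action = _opt(cmdline, "tr") or ""
    hits = []
    if re.search(r"powershell", action, re.I):
        hits.append("action launches PowerShell")
    if re.search(r"-e\w*\s+bypass", action, re.I):  # -ExecutionPolicy Bypass / -ep bypass
        hits.append("-ExecutionPolicy Bypass")
    if re.search(r"-w\w*\s+hidden", action, re.I):  # -WindowStyle Hidden
        hits.append("-WindowStyle Hidden")
    if STAGING_PATH.search(action):
        hits.append("script under AppData, Temp or %windir%")
    minutes = _opt(cmdline, "mo")
    if (_opt(cmdline, "sc") or "").lower() == "minute" and minutes and minutes.isdigit() and int(minutes) <= 5:
        hits.append(f"repeats every {minutes} minute(s)")
    if (_opt(cmdline, "ru") or "").upper() == "SYSTEM" or (_opt(cmdline, "rl") or "").upper() == "HIGHEST":
        hits.append("elevated (/ru SYSTEM or /RL HIGHEST)")
    return hits


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_binary(image):
    """Name within two edits of a core Windows binary, running outside System32/SysWOW64."""
    folder, _, name = image.lower().rpartition("\\")
    if folder.endswith(("\\system32", "\\syswow64")):
        return None
    for legit in SYSTEM_BINARIES:
        if name != legit and _edit_distance(name, legit) <= 2:
            return legit
    return None


def hunt(events, min_task_indicators=3):
    """Events worth triage with the indicators that fired (the threshold is an assumption)."""
    findings = []
    for ev in events:
        hits = analyze_custom_action(ev)
        task_hits = analyze_schtasks(ev["cmdline"])
        if len(task_hits) >= min_task_indicators:
            hits += task_hits
        legit = lookalike_system_binary(ev["image"])
        if legit:
            hits.append(f"image {ev['image']} mimics {legit}")
        if hits:
            findings.append({"cmdline": ev["cmdline"], "indicators": hits})
    return findings
```

Running hunt(SAMPLE_EVENTS) flags the custom action that hands core.bat to the MSI launcher, all three schtasks commands (each trips five indicators, so the threshold leaves room for noisier environments) and the svhost.exe process, while the vendor updater task and the custom action that launches a plain setup.exe pass. The edit-distance check is deliberately limited to processes outside System32/SysWOW64 because the legitimate binaries themselves live there.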
Payloads
The payloads delivered in this campaign are the M3_Mini_Rat client stub, the Ethash miner PhoenixMiner, or lolMiner.
M3_Mini_Rat Client to establish a backdoor
The M3_Mini_Rat client is a PowerShell script with remote administration capabilities that focuses mainly on system reconnaissance and on downloading and executing other malicious binaries. The client is generated by a builder that ships with the M3_Mini_Rat administration panel, a .NET application whose author goes by “Mr3.” Version 0.1 is currently the only one observed in the wild. Once the client stub is implanted, the operator uses the administration panel to control the victim’s machine through it. From the panel, the RAT offers several remote administration functions, including file system operations, capturing screenshots, executing arbitrary commands, and sending files to the victim’s machine either by loading them into memory or by dropping them on the file system.
An example of the M3_Mini_Rat administration console.
When executed in the victim’s system memory, the RAT client stub connects to the command and control server over a TCP connection on port 3434. Once connected, the attacker can perform the remote administration tasks exposed by the M3_Mini_Rat administration panel by sending commands for the RAT client to execute.
A sample code snippet of M3_Mini_Rat client stub showing C2 connection instructions.
The RAT client can execute the following commands:
Command   Function
pc        Performs reconnaissance and collects data including username, desktop name, operating system version, anti-virus, .NET status, CPU and GPU.
cl        Exits the RAT client.
dis       Disposes of the data in the TCP stream and closes the connection.
opr       Lists all running processes and collects the process IDs.
prc       Lists all running processes and collects the process IDs and executable paths.
kpr       Stops the specific process with the target process ID as directed by the C2.
sh        Checks whether the Citrix Connection Center is running by checking if the main window title of a running process is “concentr.exe.”
frm       Sends the data to the C2 server.
drv       Enumerates the file system, lists the logical drive names on the victim’s machine and sends the recon data to the C2.
fld       Gets the details of the target folder specified by the C2.
dwn       Downloads the data as base64-encoded strings, decodes them and writes them to the variable defined in the RAT client script, then sends the decoded data back to the C2.
runas     Runs the malicious executable sent by the C2.
up        Downloads the base64-encoded binary/data into a path specified by the attacker on the victim’s machine.
uns       Exits the RAT client instance.
up1       Downloads the base64-encoded binary by decoding it and writing it to a filename specified by the C2 in the %AppData%\Local\Temp folder, then starts the dropped binary.
img       Checks whether the payload was dropped properly by reading the dropped file, converting its contents to a base64-encoded data stream and uploading it to the C2 stream.
mf        Renames the downloaded file with the filename directed by the C2.
df        Deletes the dropped file.
cvs       Writes the data to the C2 TCP stream.
PhoenixMiner to mine ETC
PhoenixMiner is a publicly available Ethash miner (ETH, ETC, Musicoin, EXP, UBQ and other Ethash-based coins) that supports AMD and Nvidia cards. When executed, it uses the victim’s GPU to compute Ethash for whichever coin it is configured for. It can be downloaded from hxxps[://]phoenixminer[.]org.
In this campaign, the attacker uses the cryptocurrency mining pool parameters for the PhoenixMiner, as shown below:
Parameter   Value                                        Description
pool        eu1-etc[.]ethermine[.]org[:]4444             Ethash pool address
pool2       ssl[://]eu1-etc[.]ethermine[.]org[:]5555     Failover Ethash pool address
wal         0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352   Wallet addresses (two observed)
            0xbCa8d14Df89cc74B158158E55FCaF5022a103795
worker      Rig0 and RigY                                Worker name
pass        x                                            Pool password
proto       3                                            Stratum protocol for the Ethash pool (3 = qtminer)
log         0                                            No log file written
powlim      75                                           GPU power limit set to 75%
fanmax      65                                           Maximum fan speed set to 65%
coin        etc                                          Ethereum Classic
lolMiner to mine Flux
lolMiner is a cryptocurrency miner that uses the GPU capabilities of the computer to mine a variety of cryptocurrencies, and it supports AMD, Nvidia and Intel cards. The lolMiner build identified in this campaign is version 1.76, which is publicly available on GitHub. It can also mine two different cryptocurrencies at the same time.
The attacker in this campaign uses lolMiner to mine the FLUX (ZelHash) using the mining parameters shown below:
Parameter   Value                    Description
algo        FLUX                     Algorithm to mine
pool        educu[.]xyz[:]9999       Mining pool
user        t1KHZ5Piuo4Ke7i6BXfU4    Wallet or pool user account (two observed)
            t1KHZ5Piuo4Ke7i6BXfU4A
pl          75                       GPU power limit
tstop       70                       Temperature at which a GPU pauses mining
tstart      65                       Temperature at which a GPU paused by tstop resumes mining
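An added example (not Talos code and not part of either miner) that parses miner command lines into their pool and wallet configuration and matches the result against the PhoenixMiner and lolMiner parameters from the two tables above, so a responder can confirm a miner launch and tie it to this campaign from a single process-creation record. The sample command lines are constructed from those tables plus one unrelated miner with an unknown wallet and one non-miner process; the address-format patterns and the switch aliases beyond -pool/-pool2/-wal/-worker/-coin and --algo/--pool/--user are assumptions.

```python
"""Extract pool/wallet configuration from miner command lines (PhoenixMiner
single-dash and lolMiner double-dash switches) and match it against the
campaign's wallets and pools. Added example; samples are constructed."""
import re

# Wallets and pools from the parameter tables above (defanging removed)
KNOWN_WALLETS = {
    "0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352", "0xbCa8d14Df89cc74B158158E55FCaF5022a103795",
    "t1KHZ5Piuo4Ke7i6BXfU4", "t1KHZ5Piuo4Ke7i6BXfU4A",
}
KNOWN_POOLS = {"eu1-etc.ethermine.org:4444", "eu1-etc.ethermine.org:5555", "educu.xyz:9999"}
POOL_KEYS = ("pool", "pool2", "o", "url")      # PhoenixMiner -pool/-pool2; -o/--url are assumed aliases
WALLET_KEYS = ("wal", "user", "u", "wallet")    # PhoenixMiner -wal; lolMiner --user; others assumed
ALGO_KEYS = ("coin", "algo", "a")


def tokenize(cmdline):
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(cmdline):
    """Map -key value / --key value / --key=value to values; keys lower-cased, dashes stripped."""
    out = {}
    toks = tokenize(cmdline)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and len(tok) > 1:
            key, eq, val = tok.lstrip("-").partition("=")
            if not eq and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                val = toks[i + 1]
                i += 1
            out.setdefault(key.lower(), []).append(val)
        i += 1
    return out


def wallet_kind(addr):
    """Rough address-format check for the two coins in this campaign (pattern only, assumed)."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "etc"    # Ethereum/Ethereum Classic address format
    if re.fullmatch(r"t1[1-9A-HJ-NP-Za-km-z]{10,}", addr):
        return "flux"   # transparent Flux (ZelHash) address prefix, base58 alphabet
    return None


def _first(switches, keys):
    for k in keys:
        if k in switches:
            return switches[k][0]
    return None


def extract_mining_config(cmdline):
    """Miner configuration found in a command line, or None if it has no pool+wallet pair."""
    sw = parse_switches(cmdline)
    pools = [re.sub(r"^[a-z+]+://", "", v, flags=re.I) for k in POOL_KEYS for v in sw.get(k, [])]
    raw_wallet = _first(sw, WALLET_KEYS)
    if not pools or raw_wallet is None:
        return None
    wallet, _, worker_suffix = raw_wallet.partition(".")  # wallet.worker form used by both miners
    return {
        "image": tokenize(cmdline)[0],
        "pools": pools,
        "wallet": wallet,
        "wallet_kind": wallet_kind(wallet),
        "worker": _first(sw, ("worker",)) or worker_suffix or None,
        "algo": _first(sw, ALGO_KEYS),
        "known_wallet": wallet in KNOWN_WALLETS,
        "known_pool": any(p in KNOWN_POOLS for p in pools),
    }


# Constructed command lines built from the parameter tables above, plus one
# unrelated miner with an unknown wallet and one non-miner process.
SAMPLES = [
    r"C:\Windows\svhost.exe -pool eu1-etc.ethermine.org:4444 -pool2 ssl://eu1-etc.ethermine.org:5555 "
    r"-wal 0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352 -worker Rig0 -pass x -proto 3 -log 0 -powlim 75 -fanmax 65 -coin etc",
    r"C:\Windows\svshost.exe --algo FLUX --pool educu.xyz:9999 --user t1KHZ5Piuo4Ke7i6BXfU4A --pl 75 --tstop 70 --tstart 65",
    r"C:\Tools\PhoenixMiner.exe -pool us1-etc.ethermine.org:4444 -wal 0x" + "1" * 40 + ".rig7 -coin etc",
    r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt",
]


def triage(cmdlines):
    """(command line, config, matches-campaign-IOC) for every command line carrying a miner config."""
    results = []
    for c in cmdlines:
        cfg = extract_mining_config(c)
        if cfg:
            results.append((c, cfg, cfg["known_wallet"] or cfg["known_pool"]))
    return results
```

The third sample shows why the config extraction matters beyond IOC matching: it is a miner with the same pool operator but an unknown wallet, so it is still reported as mining activity even though neither the wallet nor the pool is on the campaign list. Wallet addresses are a stronger pivot than pool hosts, since public pools such as ethermine are shared with legitimate miners.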
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The Snort SID for this threat is 62325.
ClamAV detections are available for this threat:
Win.Backdoor.M3MiniRAT-10007342-0
Win.Trojan.MaliciousInstaller-10007344-0
Win.Loader.PowerShellDecrypter-10007381-0
Win.Trojan.MaliciousInstaller-10007345-0
Win.Coinminer.PhoenixMiner-10007386-0
Win.Coinminer.lolMiner-10007385-0
Orbital Queries
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex osquery queries to check whether their endpoints are infected with this specific threat. For the osquery queries related to this threat, please follow the link here.
Indicators of Compromise
Indicators of Compromise associated with this threat can be found here.