Windows Advanced Installer Exploited to Secretly Deploy Crypto-Mining Malware

Attackers are abusing a legitimate Windows installer-packaging tool to spread crypto-mining malware.

Cisco Talos has identified an ongoing campaign that abuses Advanced Installer, a packaging tool used to build Windows installers, to distribute crypto-mining malware.

The campaign has been active since November 2021 and predominantly targets users in French-speaking countries.

The attackers take advantage of Advanced Installer, a tool commonly used by developers to build Windows installers, to repackage installers for legitimate software such as Adobe Illustrator with malicious payloads attached. According to the Talos blog post of September 7th, the trojanized installers are mostly for 3D modeling and graphic design software.

Most of the trojanized installers are in French, so industries that rely on this kind of software, such as architecture, engineering, and entertainment, in French-speaking countries like France and Switzerland are particularly exposed.

The attackers gain a foothold by having the installer run malicious scripts written in Windows batch and PowerShell. These scripts set up a backdoor on the victim's computer; the PowerShell stage is especially hard to spot because it runs in memory rather than being written to disk, leaving little for file-based antivirus to scan. Once the backdoor is established, the attackers deploy additional malware, including the well-known crypto-mining programs PhoenixMiner and lolMiner.

These programs use the victim's GPU to mine Ethereum (ETH) and other cryptocurrencies. (Ethereum's own proof-of-work mining ended with its move to proof of stake in September 2022, so GPU miners of this kind now have to target other mineable coins.)

The campaign has a global reach, affecting users in countries like the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam. Signs that such malware may be running on a system include sustained high GPU load, loud fans and overheating, sluggish performance, and unfamiliar processes launched from an installer that keep running after the install has finished.
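The installer-to-script-to-miner chain described above leaves a recognisable trail in process-creation telemetry: msiexec.exe spawning a script host, a hidden or encoded PowerShell stage, and a miner process whose ancestry leads back to the installer. The following Python script is an added example, not Talos's tooling or any code from the report; it runs a few constructed Sysmon Event ID 1 style records (the paths, PIDs, pool address and wallet are made up for illustration) through three rules and then correlates miner hits back to the installer through parent PIDs.

```python
"""Hunt constructed Windows process-creation events for the
installer -> script -> miner chain. Added example; the rules,
field layout and sample events are assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    id: int
    pid: int
    ppid: int
    parent: str   # ParentImage
    image: str    # Image
    cmdline: str  # CommandLine


# Constructed sample events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    ProcEvent(1, 1000, 400, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\Illustrator_2022_fr.msi"'),
    ProcEvent(2, 1100, 1000, r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\ProgramData\Setup\init.bat"'),
    ProcEvent(3, 1200, 1100, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA"),
    ProcEvent(4, 1300, 1100, r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\Setup\PhoenixMiner.exe",
              r"PhoenixMiner.exe -pool stratum+tcp://pool.example:4444 -wal 0xabc -gpus 1"),
    ProcEvent(5, 1400, 400, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Git\cmd\git.exe", r"git.exe pull"),
    ProcEvent(6, 1500, 900, r"C:\Windows\System32\cmd.exe",
              r"C:\Users\u\AppData\Local\Temp\lolMiner.exe",
              r"lolMiner.exe --algo ETCHASH --pool 203.0.113.5:3333 --user wallet.rig"),
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
KNOWN_MINERS = {"phoenixminer.exe", "lolminer.exe"}
# Mining-pool URL schemes and the usual pool/wallet switches.
MINER_ARGS = re.compile(r"stratum\+(tcp|ssl)://|(^|\s)-{1,2}(pool|wal|user|algo)\b", re.I)
# Hidden window, encoded command or download-and-run cradle: the in-memory stage.
FILELESS_PS = re.compile(
    r"-(e|ec|enc|encodedcommand)\b|\biex\b|invoke-expression|downloadstring|"
    r"-w(indowstyle)?\s+hidden", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the rules a single event trips."""
    hits = []
    parent, image = basename(ev.parent), basename(ev.image)
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        hits.append("installer_custom_action_script")
    if image in {"powershell.exe", "pwsh.exe"} and FILELESS_PS.search(ev.cmdline):
        hits.append("fileless_powershell")
    if image in KNOWN_MINERS or MINER_ARGS.search(ev.cmdline):
        hits.append("gpu_miner")
    return hits


def hunt(events):
    """Map event id -> rule hits for every event that trips at least one rule."""
    results = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            results[ev.id] = hits
    return results


def ancestry(events, pid):
    """Walk parent PIDs upward and return the chain of image names."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def miners_from_installers(events):
    """Ids of miner events whose process ancestry passes through msiexec.exe."""
    return [ev.id for ev in events
            if "gpu_miner" in classify(ev) and "msiexec.exe" in ancestry(events, ev.pid)]


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print(miners_from_installers(SAMPLE_EVENTS))
```

The per-event rules are noisy on their own (a developer's build script launched from an installer also trips the first one), which is why the last function correlates: a miner whose parent chain leads back to msiexec.exe is a far stronger signal than either hit alone. Event 6 is caught as a miner but not tied to an installer because its parent is not in the sample, which is the usual situation when the log window does not reach back to the original install.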

The Talos report noted that this is part of a broader trend of cybercriminals using known malware families to hijack devices and either mine or steal cryptocurrencies. Recently, BlackBerry uncovered malware campaigns targeting at least three sectors: financial services, healthcare, and government.

Cryptojacking, in which attackers use other people's computing resources to mine cryptocurrency without consent, continues to rise. This campaign's use of a legitimate packaging tool to wrap familiar software underscores how such attacks are getting harder to spot, and why users and organisations should obtain installers only from the vendor, check their digital signatures, and treat an installer that launches scripts or leaves processes running after setup as suspect.

Gile K., Market Sentiment Analyst