New research has uncovered a 2-year-old scheme hackers use to illegally mine digital currencies using the computing power of unsuspecting victims.

According to Cisco’s Talos Intelligence report, cybercriminals are leveraging Advanced Installer, a Windows tool used for deploying software packages, to drop digital currency mining malware on devices.

Per the report, bad actors place malicious scripts in the installer to set up mining operations on compromised devices. The report noted the malware explicitly targets enterprises involved in architecture, engineering, manufacturing and construction, given the large amounts of computing power they have.

The hackers’ end goal is the installation of the digital currency mining programs PhoenixMiner and lolMiner on victims’ devices.

“These malicious scripts are executed using Advanced Installer’s Custom Action feature, which allows users to predefine custom installation tasks,” read the report. “The final payloads are PhoenixMiner and lolMiner, publicly available miners relying on computers’ GPU capabilities.”

The report noted that most victims are based in France and Switzerland, but a heat map indicates a noticeable presence in the U.S., Canada, Tunisia, Madagascar, and Vietnam. French-speaking individuals are more likely to fall victim to the scheme, as the software installers relied on by the bad actors are typically written in French.

Talos Intelligence suggests that, since it began operating, the scheme has netted the syndicate profits running into millions of dollars. On-chain analysis reveals that the plan focuses specifically on mining Ethereum Classic (ETC) and FLUX (ZelHASH), notably mining $800 worth of assets in a single day.

The attackers rely on multiple wallet addresses and privacy tools to blur the movement of funds, and the public is urged to take necessary safeguards, including watching out for indicators of compromise. Aside from technical indicators, other telltale signs of mining malware on devices include lags and overheating.

In August, BlackBerry’s cybersecurity arm announced it prevented over 1.5 million cyberattacks in Q2 from bad actors seeking to mine or steal digital currencies from unsuspecting users.

Mining receives jolt in the Middle East

While mining firms continue to bear the pressures of an extensive bear market, the United Arab Emirates is throwing its weight behind digital currency mining as part of efforts to be a leading Web3 hub.

Apart from a growing number of state-backed digital currency mining hubs, new data indicates a strong presence of small pockets of miners across the UAE’s seven emirates. The figures put the UAE in pole position ahead of Saudi Arabia, Qatar, Oman, and Kuwait in generating BTC hashrates.

In North America, mining firms are undergoing a rebrand to include artificial intelligence and cloud computing as part of their offerings in the search for new revenue streams.
