Security researchers at Cisco Talos have uncovered a scheme that preys on graphic designers and 3D modelers. Cyber-criminals are using cryptocurrency-mining malware to hijack the Graphics Processing Units (GPUs) commonly used in these fields.
According to an advisory published by Cisco Talos on Thursday, this campaign has been active since at least November 2021. The attackers exploit “Advanced Installer,” a legitimate Windows tool for software packaging, to bundle cryptocurrency-mining malware with legitimate software like Adobe Illustrator and Autodesk 3ds Max.
The campaign focuses on graphic design and 3D modeling software because of the high GPU power those tools demand, which suits the cyber-criminals' cryptocurrency-mining needs. Cisco Talos explained that the threat actors slipped malicious scripts into the software installation process using Advanced Installer's "Custom Actions" feature, which lets an installer package run additional scripts during setup, enabling them to deploy their payloads.
The payloads include the M3_Mini_Rat client stub, which opens a backdoor on the infected machine, and cryptocurrency-mining malware such as PhoenixMiner and the versatile lolMiner.
“Cryptocurrency mining, especially on machines with high-end GPUs, can be lucrative, and the malware can often run stealthily in the background, consuming just a fraction of available resources. This allows the malicious activity to persist longer, potentially going unnoticed by the users,” explained Callie Guenther, cyber threat research senior manager at Critical Start.
“Moreover, the approach of trojanizing popular software installers offers threat actors an easier distribution method. Leveraging tactics like search engine optimization poisoning can lead to a higher rate of downloads and subsequent infections.”
This campaign mainly affects French-speaking users, primarily in France and Switzerland. However, there have been isolated infections in countries including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam.
Graphic designers and 3D modelers are advised to be cautious when installing software.
“Long-running, persistent campaigns like this are subtle and difficult to detect but can have a lasting impact on organizations,” commented Shawn Surber, senior director of technical account management at Tanium.
“This is also a great example of why operations and security teams need to work together across their traditional silos. Once inside, this type of attack is virtually invisible to traditional security tools. Hence, it’s important that operational tools, like performance monitoring, be tuned to observe and alert on anomalous behavior like this.”
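One way to act on the performance-monitoring advice above, as an added example that is not part of the article or of the Talos advisory: a heuristic over GPU telemetry that flags long runs of high GPU load attributed to a process outside the workstation's approved design applications, which is the footprint a bundled miner leaves. The sample format, the process names, the 30-minute duration bar and the 60% threshold are assumptions, and the telemetry below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby

# Processes allowed to drive heavy GPU load on a design workstation.
# Assumption: tuned per organisation; these two are the apps named in the article.
EXPECTED_GPU_CONSUMERS = {"Illustrator.exe", "3dsmax.exe"}

@dataclass
class Sample:
    ts: datetime
    gpu_util: int   # GPU utilisation in percent over the sampling interval
    top_proc: str   # process that held the most GPU time in that interval

def unexplained(s: Sample, threshold: int = 60) -> bool:
    """High GPU load attributed to something other than an approved design app."""
    return s.gpu_util >= threshold and s.top_proc not in EXPECTED_GPU_CONSUMERS

def find_sustained_runs(samples, min_duration=timedelta(minutes=30), threshold=60):
    """Return (start, end, process) for each run of consecutive samples in which
    the same unapproved process kept the GPU busy for at least min_duration.
    Short spikes (a browser rendering a page, a one-off export) fall under the
    duration bar, so only the long, steady load a miner produces is reported."""
    ordered = sorted(samples, key=lambda s: s.ts)
    runs = []
    for proc, group in groupby(ordered, key=lambda s: s.top_proc if unexplained(s, threshold) else None):
        g = list(group)
        if proc is not None and g[-1].ts - g[0].ts >= min_duration:
            runs.append((g[0].ts, g[-1].ts, proc))
    return runs

def constructed_samples():
    """Constructed telemetry at 5-minute intervals (not data from the campaign)."""
    t0 = datetime(2023, 9, 7, 9, 0)
    plan = [(12, 85, "Illustrator.exe"),  # 09:00-09:55 legitimate design work
            (3, 90, "chrome.exe"),        # 10:00-10:10 short WebGL spike, ignored
            (3, 5, "dwm.exe"),            # 10:15-10:25 idle desktop
            (19, 95, "updater.exe")]      # 10:30-12:00 steady load from an unapproved binary
    samples, i = [], 0
    for count, util, proc in plan:
        for _ in range(count):
            samples.append(Sample(t0 + timedelta(minutes=5 * i), util, proc))
            i += 1
    return samples

def detect(samples=None):
    """Run the heuristic; defaults to the constructed telemetry above."""
    return find_sustained_runs(samples if samples is not None else constructed_samples())

if __name__ == "__main__":
    for start, end, proc in detect():
        print(f"ALERT {proc}: unexplained GPU load {start:%H:%M}-{end:%H:%M}")
```

In a real deployment the samples would come from the endpoint's GPU telemetry and the alert would be correlated with the installer that dropped the offending binary.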