Cyble Research & Intelligence Labs (CRIL) recently uncovered a phishing campaign used by threat actors to deliver cryptocurrency miner softwares using utility software tools.
This particular campaign exploited the well-known MSI Afterburner, used widely by gamers and other high-performance computing users. Due to being one of the better-known graphics card software used to monitor system performance, allow users to modify the hardware settings to enhance the system’s performance and to overclock the best graphics cards on the market.
The threat actors employ various methods to distribute the malware including the use of emails, online advertisements, forums, and other mediums. In the last three months, Cyble has identified approximately 50 phishing websites, all targeting MSI Afterburner to deliver malware.
The threat actors who created these websites made sure to design sophisticated phishing pages that mimicked the legitimate MSI Afterburner sites to lure users into downloading coin-miner malware that performed the crypto-mining process.
However, fraudulent websites can be spotted by looking at the domain names. Cyble has identified some of the fake domains, such as (MSI-afterburner-download.site), (msi-afterburner.download) and (mslafterburners dot com.) Some are already offline, but more are likely to show up.
The payload of malware is delivered bundled with legitimate MSI Afterburner installers and after installation, it starts the process of hijacking the victim’s computer, collecting sensitive information such as computer name, username, GPU, CPU, and other details from the system. The technical details are explained in Cyble’s analysis report.
Crypto mining requires dedicated hardware like GPUs because it is a power and resource-intensive activity. By hijacking the processing power of the victim’s machine, the threat actors can mine cryptocurrencies without their consent. This severely decreases the victim’s overall system performance and drains their system resources, significantly affecting the productivity of the victim user or organization.
There are quite a few measures that users can take to ensure that their device does not become a victim of such a phishing campaign. It is advised that you check your system performance and CPU usage periodically, avoid downloading pirated software from Warez/Torrent and rely on official websites only.
Moreover, turn on the automatic software update feature on your devices, use reputed antivirus, refrain from opening untrusted links and email attachments and monitor endpoints and servers for unexpected spikes in CPU and RAM utilization that could reveal potential malware infection.
