root Table of Contents
Introduction
Software like MSI Afterburner helps gamers and other users of high-performance computing. It keeps track of the system’s performance and lets users fine-tune the hardware settings for the most speed and responsiveness. Threat Actors (TAs) use malware attacks that mostly target these programs.
Cyble Research & Intelligence Labs (CRIL) found new phishing campaigns that target MSI Afterburner. TAs behind these campaigns made phishing pages that look like the official MSI Afterburner website. The TA ran a phishing website to spread coin-mining malware in MSI Afterburner installers.
Mining crypto takes time, energy, and resources. It requires GPUs. TAs can use a victim’s computer’s processing power to mine cryptocurrencies by bundling a coin-miner with Afterburner and installing it on their machine. Below is a TA’s phishing website.
How does the fake MSI Afterburner work?
Four separate executables, including “MSIAfterburnerSetup465Beta2.exe,” “install.exe,” a cabinet file called “comp.cab” that contains “redline stealer,” and “browser assistant.exe,” which loads XMR Miner, are included in the “MSIAfterburnerSetup.msi” installer file.
The installation wizard is displayed when the MSIAfterburnerSetup.msi file is run, and the user is walked through the steps necessary to set up the software.
The installer discreetly copies a file called “browser assistant.exe” to the Program Files folder and launches it. When run, “the browser assistant.exe” loads a shellcode that downloads the encoded XMR Miner binary from a GitHub repository and injects it into explore.exe.
By injecting malicious code into a running process, the malware secretly sets up XMR Miner without saving the actual payload to disk.
While doing so, the malware sends the victim’s system’s name, username, GPU, CPU, and other details to the below C&C (Command and Control) server API.
- hxxp[:]//45[.]87[.]0[.]89/api/endpoint[.]php
The below figure shows exfiltrated sensitive details from the victim’s machine.
How do I know I’m Compromised by the fake MSI Afterburner?
Here ‘s a table found at Cyble
| Indicators | Indicator Type | Description |
| 96a3469891a23e0aa49fd009979b668b a9205e91e5694bb60efe73892bf14652e065bf67 2279b8cf7a2b1fa13f1832b4dc0331bd9f971240f38b0fbd 694ed6aec093bb8d | MD5 SHA1 SHA256 | MSIAfterburnerSetup.msi |
| a9e09703d13de2fd20ca8aab4e02e7c8 a785b651aa699ba651e9fccd94f86fefff88cc6a 00e154eed00b71c0d11bd2caeb64fa2efcbb10524b797c0 76895752affa0f46c | MD5 SHA1 SHA256 | browser_assistant.exe |
| git[.]git[.]skblxin[.]matrizauto[.]net git[.]git[.]git[.]skblxin[.]matrizauto[.]net git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net www[.]matrizauto[.]net | Domain | Download Link |
| hxxp://45[.]87[.]0[.]89/api/endpoint[.]php | URL | Contacted URL |
| 104[.]20[.]67[.]143 | IP | Contacted IP |
Recommendations
- Users should routinely monitor their computers’ performance and CPU utilization.
- Businesses should take measures to stop their employees from using Warez and Torrent sites to illegally download software. Malware of this sort can be found in the “Hack Tool” that can be found on various websites like Torrent sites, YouTube, etc.
- Adding a prohibition on the use of end-user systems to download and install crypto mining software is a necessary update to most organizations’ information security policies and acceptable usage policies.
- To ensure that users always have the most up-to-date software on their desktop, mobile, and other devices, they should enable automatic updates.
- PCs, laptops, and mobile devices should all be protected by a reliable antivirus and internet security suite.
- Users should be taught as part of ongoing security training to avoid clicking on unfamiliar links and opening unfamiliar attachments in emails without first verifying their authenticity.
- Instruct workers on how to avoid security risks like phishing and visiting suspicious websites.
- Unexpected spikes in CPU and RAM utilization on endpoints and servers should be monitored for signs of a possible malware infection.
Conclusion
Malware is being actively spread via fake MSI Afterburner websites as part of an ongoing campaign to exploit gamers and other users of high-end computers for cryptocurrency mining. Threat actors (TAs) use a wide variety of methods, such as phishing emails, online advertisements, and other channels, to spread their malicious links. Malware could also be disseminated through TAs if they were used to infiltrate other specialized programs.
After installation, Afterburner will unleash the XMR miner, and it will start mining invisibly using the victim’s CPU and RAM to generate money for the attackers. Deterioration in system performance and exhaustion of the victim’s resources are the result. The efficiency of the victim (either as an individual or a group) is severely reduced.
1 comment
There’s definately a great deal to learn about his issue.
I lioke all the points you’ve made.