Mining Malware Operators Target Engineers and Graphic Designers with Powerful GPUs

Hackers are increasingly using the Windows tool Advanced Installer to infect the computers of graphic designers, architects, and engineers with mining malware. Attackers hide their malicious software in installers for popular 3D modeling and graphic design programs, including Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro.

Experts from Cisco Talos, who have observed this trend, report that the attacks are mainly targeting French-speaking users. Most victims are located in France and Switzerland, with a significant number of infections also noted in the United States, Canada, Germany, Algeria, and Singapore.

It appears that the hackers promote the infected software using “black SEO” techniques, so that the pirated software victims download actually contains remote access trojans (RATs) and mining payloads. According to experts, attackers are focusing on these specific targets because graphic designers, animators, and similar professionals often use computers with powerful graphics cards, making mining on these machines more profitable.

Attack Methods and Infection Chain

Researchers have identified two different attack methods used in this campaign. In both cases, attackers use Advanced Installer to create Windows installer files containing malicious PowerShell and batch scripts, which are executed when the installer is launched via the Custom Action feature. The attack methods differ in the scripts executed, the complexity of the infection chain, and the final payloads delivered.
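The installer-launched-script pattern described above is something a defender can look for in endpoint process-creation telemetry. The following is an added example, not code from Cisco Talos or from this article: it assumes that an MSI Custom Action runs its PowerShell or batch script as a child of the Windows Installer host process (msiexec.exe, an assumption about the execution path, not a fact stated in the article), and it flags such children that are script interpreters, adding a second reason when the PowerShell command line uses hidden-window, bypass or encoded-command switches. The log lines are constructed, in a simple pipe-delimited format, and the paths and timestamps are placeholders.

```python
"""Flag process-creation events where the Windows Installer host (msiexec.exe)
spawns a script interpreter, the footprint an MSI Custom Action that runs
PowerShell or batch scripts would leave. Added example, not vendor code."""
from dataclasses import dataclass
from typing import List, Tuple

# Script hosts an installer has little reason to launch (assumed watch-list).
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe"}
# Assumption: MSI Custom Actions execute under msiexec.exe.
INSTALLER_HOSTS = {"msiexec.exe"}
# Command-line fragments typical of scripted installers that hide themselves.
HIDDEN_OR_ENCODED = ("-windowstyle hidden", "-w hidden",
                     "-encodedcommand", "-enc ", "bypass")


@dataclass
class ProcEvent:
    ts: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed log line: ts|parent_image|image|command_line."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts.strip(), parent.strip(), image.strip(), cmdline.strip())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ProcEvent) -> List[str]:
    """Return the list of reasons an event matches; empty list means benign."""
    reasons: List[str] = []
    if (basename(ev.parent_image) in INSTALLER_HOSTS
            and basename(ev.image) in SCRIPT_INTERPRETERS):
        reasons.append("installer-spawned-script-interpreter")
        cl = ev.command_line.lower()
        if any(fragment in cl for fragment in HIDDEN_OR_ENCODED):
            reasons.append("hidden-or-encoded-script-host")
    return reasons


def find_alerts(lines: List[str]) -> List[Tuple[ProcEvent, List[str]]]:
    """Run the check over every line and keep only the matches."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = is_suspicious(ev)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample telemetry: two installer-spawned script hosts, two benign events.
SAMPLE_LOG = [
    r"2000-01-01T00:00:01Z|C:\Windows\System32\msiexec.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\setup.ps1",
    r"2000-01-01T00:00:02Z|C:\Windows\System32\msiexec.exe|"
    r"C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\run.bat",
    r"2000-01-01T00:00:03Z|C:\Windows\explorer.exe|"
    r"C:\Program Files\ExampleVendor\design.exe|design.exe",
    r"2000-01-01T00:00:04Z|C:\Windows\explorer.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile",
]

if __name__ == "__main__":
    for ev, reasons in find_alerts(SAMPLE_LOG):
        print(ev.ts, basename(ev.image), ", ".join(reasons))
```

The parent-process heuristic will also fire on legitimate installers that script part of their setup, so in practice the alert is a triage signal to be paired with the installer's signer, its download source and any follow-on network or GPU activity, rather than a block rule on its own.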

Ultimately, these attacks result in the victim’s machine being infected with the M3_Mini_Rat remote access trojan, which allows hackers to conduct reconnaissance and install additional payloads on the system.

M3_Mini_Rat Loads Mining Payloads into Memory

The additional payloads include PhoenixMiner and lolMiner, which mine cryptocurrency and “steal” the computing power of AMD, Nvidia, and Intel (lolMiner only) graphics cards.

  • PhoenixMiner is designed to mine Ethash-based coins (ETH, ETC, Musicoin, EXP, UBQ, and others).
  • lolMiner supports several protocols, including Etchash, Autolykos2, Beam, Grin, Ae, ALPH, Flux, Equihash, Kaspa, Nexa, Ironfish, and more. The version of lolMiner observed in this campaign (1.76) also supports dual mining of two different cryptocurrencies at the same time.

These attacks highlight the growing trend of targeting professionals with high-performance hardware for illicit cryptocurrency mining, leveraging sophisticated infection chains and social engineering tactics.
