
Fake MSI Afterburner targets Windows gamers with miners, info-stealers


Fake MSI Afterburner download portals are being used to distribute the RedLine information-stealing malware to users who download the tool from them.

MSI Afterburner is a utility that lets you monitor your graphics card's temperature and usage, create fan profiles, and capture video.

The utility works with almost all graphics cards, so millions of people worldwide use it to tweak settings for better game performance, quieter cards and lower temperatures.

The tool's popularity makes it an attractive lure for threat actors who want to target Windows users with powerful graphics cards that can be hijacked for cryptocurrency mining.

Impersonating MSI Afterburner

According to a new report by Cyble, over 50 websites pretending to be the official Afterburner site have appeared online in the last three months, pushing XMR miners along with information-stealing malware.

Image: a malicious website pushing the software.

The campaign uses domain names that resemble the legitimate site, which makes them convincing to visitors and easier to promote through black-hat SEO. Some of the websites spotted by Cyble are listed below.

msi-afterburner download
msi after burner download
mslafterburners.com
msi-afterburnerr.com
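The lookalike domains above swap a letter (mslafterburners.com) or double one (msi-afterburnerr.com) and add words like "download". The following is an added example, not code from the article or from Cyble's report, showing how a defender can score candidate domains for resemblance to the brand: separators are dropped, confusable characters are folded (the homoglyph table and the edit-distance threshold are assumptions), and the registrable label is compared against the brand name. The sample list mixes the two hostnames the article names with constructed ones.

```python
"""Score domain names for resemblance to the MSI Afterburner brand.
Added example, not from the article or Cyble's report. The homoglyph
table and the thresholds are assumptions; only mslafterburners.com and
msi-afterburnerr.com in the sample list come from the article."""

import re

LEGIT_HOSTS = {"msi.com", "www.msi.com"}   # the vendor's real site
BRAND = "msiafterburner"                    # brand name with separators removed
BRAND_WORD = "afterburner"

# Assumption: single characters that are easily confused in an address bar.
HOMOGLYPHS = {"l": "i", "1": "i", "0": "o"}

# Constructed sample list; the ".example" names are made up to exercise the checks.
SAMPLE_DOMAINS = [
    "www.msi.com",
    "mslafterburners.com",
    "msi-afterburnerr.com",
    "msi-afterburner-download.example",
    "afterburners-cheap.example",
    "example.com",
]


def registrable_label(host):
    """Return the label left of the suffix, ignoring subdomains.
    Naive: treats the last label as the suffix (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Drop separators and fold look-alike characters so that
    'msl-after_burner' and 'msiafterburner' compare equal."""
    label = re.sub(r"[-_]", "", label.lower())
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)


def levenshtein(a, b):
    """Classic edit distance with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_reason(domain, max_distance=2):
    """Return why a domain looks like an impersonation, or None if it does not."""
    host = domain.lower().strip(".")
    if host in LEGIT_HOSTS:
        return None
    norm = normalize(registrable_label(host))
    dist = levenshtein(norm, BRAND)
    if dist <= max_distance:
        return f"{domain}: edit distance {dist} from '{BRAND}'"
    if BRAND_WORD in norm:
        return f"{domain}: contains brand word '{BRAND_WORD}'"
    return None


def scan_domains(domains):
    """Return the reasons for every domain that looks like an impersonation."""
    return [r for r in (lookalike_reason(d) for d in domains) if r]


if __name__ == "__main__":
    for reason in scan_domains(SAMPLE_DOMAINS):
        print(reason)
```

Run against the sample list, the two real lookalikes are caught by edit distance (1 each) and the constructed "download" variants by the brand-word rule, while msi.com and example.com pass. Feeding it newly registered domains from certificate transparency logs is the usual way to turn this into an early warning rather than a post-incident check.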

Domains that did not resemble the MSI brand were instead promoted through direct messages, forums, and social media posts. Examples include:

git[.]git[.]matrizauto
git[.]git[.]git[.]sk

Stealthy mining and stealing your passwords

When the fake MSI Afterburner setup file is executed, the legitimate Afterburner program is installed. In the background, the installer quietly drops and runs the RedLine information-stealing malware and an XMR miner.

The miner is installed by injecting shellcode into a process created by the installer.

This shellcode retrieves the miner from a repository and injects it directly into the explorer.exe process. Since the miner never touches the disk, it has a lower chance of being detected.

The miner connects to its mining pool using a hardcoded password and collects basic system data for the threat actors.

One of the XMR miner's arguments sets the maximum thread count to 20, so that it captures all available processing power.

Image: XMR miner argument details.

The miner is set to start mining only after 60 minutes, a delay chosen because by then the computer is most likely to have been left unattended.

The “-cinit-stealth-targets” argument can be used to pause mining activity and clear the memory when specific programs are launched.

These are hardware resource viewers, process monitors, and other tools that would help the victim spot the malicious process.

The Windows applications that the miner attempts to hide are Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe, and procexp64.exe.
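The stealth-target list cuts both ways: a miner that pauses whenever Task Manager or Process Explorer opens is hard to spot by eye, but the argument that names those tools, and a payload inside explorer.exe that talks to a mining pool, are both visible in endpoint telemetry. The following is an added example, not code from the article or from Cyble, that triages process-creation and network-connection events for exactly those two behaviours. The events are constructed in a Sysmon-like shape (Event ID 1 for process creation, 3 for network connections); the executable name, pool host and port are placeholders, and treating any non-HTTP(S) connection from explorer.exe as suspicious is an assumed heuristic.

```python
"""Defensive triage of process and network events for the behaviours the
article describes: a miner that pauses when process monitors run, and a
payload inside explorer.exe that talks to a mining pool. Added example,
not code from the article or from Cyble's report. Events are constructed
in a Sysmon-like shape; names, hosts and ports are placeholders."""

# Process monitors the miner is told to hide from (listed in the article).
STEALTH_TARGETS = {"taskmgr.exe", "processhacker.exe", "perfmon.exe",
                   "procexp.exe", "procexp64.exe"}

# The miner argument named in the article; other flags are deliberately
# not matched so the rule stays tied to what the report documents.
STEALTH_FLAG = "-cinit-stealth-targets"

# Assumption: explorer.exe normally only makes HTTP(S) connections.
WEB_PORTS = {80, 443}

# Constructed sample events. "dropper_placeholder.exe", the pool host and
# port 3333 are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\dropper_placeholder.exe",
     "cmdline": ("dropper_placeholder.exe --cinit-stealth-targets="
                 "Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe")},
    {"id": 3, "image": r"C:\Windows\explorer.exe",
     "dest": "pool.example.invalid", "dport": 3333},
    {"id": 3, "image": r"C:\Windows\explorer.exe",
     "dest": "www.msi.com", "dport": 443},
]


def check_process_create(event):
    """Return a reason string if a process-creation event looks like the miner."""
    cmd = event.get("cmdline", "").lower()
    if STEALTH_FLAG in cmd:
        return "command line carries the miner's stealth-targets flag"
    # The stealth list itself is a tell: few legitimate tools enumerate
    # Task Manager, Process Hacker and Process Explorer on their command line.
    named = sorted(t for t in STEALTH_TARGETS if t in cmd)
    if len(named) >= 2:
        return "command line enumerates process monitors: " + ", ".join(named)
    return None


def check_network_connect(event):
    """Return a reason string if explorer.exe connects to a non-web port."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if image == "explorer.exe" and event.get("dport") not in WEB_PORTS:
        return f"explorer.exe outbound to {event.get('dest')}:{event.get('dport')}"
    return None


def scan_events(events):
    """Run both checks over a list of events; return (index, reason) pairs."""
    findings = []
    for idx, event in enumerate(events):
        reason = None
        if event.get("id") == 1:
            reason = check_process_create(event)
        elif event.get("id") == 3:
            reason = check_network_connect(event)
        if reason:
            findings.append((idx, reason))
    return findings


if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

On the sample events the dropper's command line and the explorer.exe connection to the placeholder pool are flagged, while explorer.exe's own launch and its HTTPS connection to msi.com are not. Because the miner runs fileless inside explorer.exe, the network rule is the one that survives once the dropper has been deleted; in production it should be narrowed with an allow-list of the destinations explorer.exe legitimately reaches in your environment.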

While the miner is quietly hijacking your computer’s resources to mine Monero, RedLine has already run in the background stealing your passwords, cookies, browser information, and, potentially, any cryptocurrency wallet.

Most of the fake MSI Afterburner campaign's components have poor detection rates among security software.

The 'MSIAfterburnerSetup.msi' setup file is detected by only 3 of 56 security products, while 'browser_assistant.exe' is detected by only 2.

To stay safe, download tools like MSI Afterburner only from their official sites.

The legitimate MSI Afterburner can be downloaded from www.msi.com/Landing/afterburner/graphics-cards
