Fake MSI Afterburner infects users’ machines with miners and crooks

According to Cyble cybersecurity specialists, attackers distribute miners and the RedLine information stealer using download sites of the rogue MSI Afterburner utility. In the last three months, more than 50 such fake resources have appeared on the network.

Let me remind you that we also talked about how Djvu ransomware spreads via Discord and brings the RedLine Stealer with it, and that IS specialists discovered a new version of the Loli stealer from Russian hackers.

MSI Afterburner is the most popular GPU overclocking, monitoring and tuning tool; it works with almost any video card, and for that reason it is used by millions of gamers around the world.

Unfortunately, the popularity of the utility has made it a good target for cybercriminals who are abusing the fame of MSI Afterburner to attack Windows users with powerful graphics cards that can be used for cryptocurrency mining.

The researchers say that the campaign they found used multiple domains that users could mistake for the official MSI website (plus, such resources were easier to promote using “black hat SEO”). Some of these domains are listed below:

  1. msi-afterburner–download.site
  2. msi-afterburner-download.site
  3. msi-afterburner-download.tech
  4. msi-afterburner-download.online
  5. msi-afterburner-download.store
  6. msi-afterburner-download.ru
  7. msi-afterburner.download
  8. msafterburners.com
  9. msi-afterburnerr.com

[Image: fake MSI Afterburner download site]

In other cases, the domains did not attempt to imitate the MSI brand and were likely promoted directly through private messages, forums, and social media:

  1. git[.]git[.]skblxin[.]matrixcar[.]net
  2. git[.]git[.]git[.]skblxin[.]matrixcar[.]net
  3. git[.]git[.]git[.]git[.]skblxin[.]matrixcar[.]net
  4. git[.]git[.]git[.]git[.]git[.]skblxin[.]matrixcar[.]net
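One way a defender can hunt for the first group of domains in DNS or proxy logs is a lookalike check against the brand keyword. The script below is an added example and not code from Cyble or from the article: the log lines, the keyword list, the allowlist and the 0.8 threshold are all constructed for this demonstration. It also accepts the defanged `[.]` notation used above, and, as the sample shows, it deliberately does not flag the second group of domains, which never tried to look like MSI and would have to be matched as plain indicators instead.

```python
"""Flag domains that imitate a brand keyword in a DNS/proxy log.

Added example; the log, keywords, allowlist and threshold are constructed.
"""
import re
from difflib import SequenceMatcher
from typing import List, Tuple

# Keywords the typosquats in the article imitate (assumed list).
BRAND_KEYWORDS = ("msiafterburner", "afterburner")

# Domains that may legitimately contain the keyword (assumed allowlist).
ALLOWLIST = {"msi.com", "www.msi.com"}

# Constructed sample log: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2022-11-23T10:01:02Z 10.0.0.15 www.msi.com
2022-11-23T10:01:09Z 10.0.0.15 msi-afterburner-download.site
2022-11-23T10:02:30Z 10.0.0.21 msafterburners.com
2022-11-23T10:03:11Z 10.0.0.21 msi-afterburnerr.com
2022-11-23T10:04:00Z 10.0.0.33 git[.]git[.]skblxin[.]matrixcar[.]net
2022-11-23T10:05:45Z 10.0.0.33 example.org
"""


def refang(domain: str) -> str:
    """Turn defanged notation such as 'a[.]b' back into 'a.b'."""
    return domain.replace("[.]", ".").lower()


def registrable_label(domain: str) -> str:
    """Label left of the public suffix; naive second-to-last label
    (assumption: no multi-part suffixes such as co.uk in the sample)."""
    labels = refang(domain).strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Drop separators and digits: 'msi-afterburner-download' -> 'msiafterburnerdownload'."""
    return re.sub(r"[^a-z]", "", label)


def lookalike_score(domain: str) -> float:
    """1.0 if a keyword is embedded in the registrable label, otherwise the
    best string similarity between the label and any keyword."""
    label = normalize(registrable_label(domain))
    best = 0.0
    for keyword in BRAND_KEYWORDS:
        if keyword in label:
            return 1.0
        best = max(best, SequenceMatcher(None, label, keyword).ratio())
    return best


def is_lookalike(domain: str, threshold: float = 0.8) -> bool:
    """True when the domain resembles the brand and is not allowlisted."""
    clean = refang(domain)
    if clean in ALLOWLIST:
        return False
    return lookalike_score(clean) >= threshold


def flag_lookalikes(log_text: str, threshold: float = 0.8) -> List[Tuple[str, str, float]]:
    """Return (client, domain, score) for each log line that hits the heuristic."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip
        _timestamp, client, qname = parts
        if is_lookalike(qname, threshold):
            hits.append((client, refang(qname), round(lookalike_score(qname), 2)))
    return hits


if __name__ == "__main__":
    for client, domain, score in flag_lookalikes(SAMPLE_LOG):
        print(f"{client} -> {domain} (score {score})")
```

The embedded-keyword rule catches the whole first list, including `msafterburners.com` and `msi-afterburnerr.com`, which a plain string match on the official name would miss; the similarity ratio is there for future variants that mangle the keyword itself.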

Running the fake MSI Afterburner setup file (MSIAfterburnerSetup.msi) from these sites installed the real Afterburner. But at the same time, the installer silently downloaded and launched the RedLine malware, which specializes in data theft, and the XMR miner on the victim’s device.

Once installed, the miner connects to its mining pool using an encrypted username and password, then collects basic system data and sends it to the attackers. In this sample the CPU max threads value is set to 20, which exceeds the thread count of even the most modern processors; in other words, the malware is configured to take all the available power of the infected machine.

At the same time, the malware starts mining cryptocurrency only once the processor has been idle for 60 minutes; that is, it makes sure the infected computer is not performing any resource-intensive tasks and has most likely been left unattended.

In addition, the miner uses the “-cinit-stealth-targets” option, which lets it pause its activity and clear GPU memory whenever one of the programs listed in its stealth targets is running. These can be process monitors, antivirus software, hardware resource viewers, and other tools that could help the victim spot a malicious process. The experts write that this miner hides from Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe and procexp64.exe.
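The two behaviours just described (mining that begins only after a long idle period, and load that vanishes the moment a monitoring tool is opened) are themselves a signature. The script below is an added detection sketch, my own and not code from Cyble or the article: it runs over constructed per-minute telemetry (GPU load, user idle time, running process names) and flags an interval where high load collapses exactly while one of the listed stealth targets is running and returns once it closes, and it reports how long the user had been idle when the load first appeared. The telemetry shape and the 70/10 percent thresholds are assumptions; in practice the samples would come from an EDR or performance-counter export.

```python
"""Spot miner-style load that pauses while a process monitor is open.

Added example with constructed telemetry; thresholds are assumptions.
"""
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple

# Process names the article lists as the miner's stealth targets.
STEALTH_TARGETS: Set[str] = {
    "Taskmgr.exe", "ProcessHacker.exe", "perfmon.exe", "procexp.exe", "procexp64.exe",
}


def build_sample_telemetry() -> List[Dict]:
    """Constructed one-sample-per-minute telemetry reproducing the described
    behaviour: GPU load jumps once the user has been idle for 60 minutes and
    collapses while Task Manager is open (minutes 70-75). The user is assumed
    to return at minute 70, which resets the idle counter."""
    samples = []
    for t in range(100):
        idle = t if t < 70 else 0
        procs = {"explorer.exe"}
        if 70 <= t < 76:
            procs.add("Taskmgr.exe")
        mining = t >= 60 and "Taskmgr.exe" not in procs
        samples.append({"t": t, "gpu": 95 if mining else 3, "idle_min": idle, "procs": procs})
    return samples


def monitor_intervals(samples: List[Dict], targets: Set[str]) -> List[Tuple[str, int, int]]:
    """(name, start_index, end_index) for each run of consecutive samples in
    which a target process was present; end_index is exclusive."""
    intervals = []
    open_runs: Dict[str, int] = {}
    for i, s in enumerate(samples):
        present = s["procs"] & targets
        for name in present:
            open_runs.setdefault(name, i)
        for name in list(open_runs):
            if name not in present:
                intervals.append((name, open_runs.pop(name), i))
    for name, start in open_runs.items():
        intervals.append((name, start, len(samples)))
    return intervals


def suppressed_during_monitor(samples: List[Dict], targets: Set[str] = STEALTH_TARGETS,
                              window: int = 3, high: float = 70, low: float = 10
                              ) -> List[Tuple[str, int, int]]:
    """Flag monitor runs where load was high just before, low throughout,
    and high again right after: the pause-and-resume pattern of a stealth
    target. Returns (process, first_minute, last_minute)."""
    hits = []
    for name, start, end in monitor_intervals(samples, targets):
        before = [s["gpu"] for s in samples[max(0, start - window):start]]
        during = [s["gpu"] for s in samples[start:end]]
        after = [s["gpu"] for s in samples[end:end + window]]
        if not (before and during and after):
            continue  # run touches the edge of the data; not enough context
        if mean(before) >= high and mean(during) <= low and mean(after) >= high:
            hits.append((name, samples[start]["t"], samples[end - 1]["t"]))
    return hits


def load_onset_idle_minutes(samples: List[Dict], high: float = 70) -> Optional[int]:
    """How long the user had been idle when GPU load first crossed `high`;
    a value that lines up with a round delay is itself suspicious."""
    for s in samples:
        if s["gpu"] >= high:
            return s["idle_min"]
    return None


if __name__ == "__main__":
    data = build_sample_telemetry()
    print("pause-and-resume around:", suppressed_during_monitor(data))
    print("load began after idle minutes:", load_onset_idle_minutes(data))
```

A real deployment would key the same logic on GPU or CPU counters from the endpoint agent; the point is that the evasion the article describes turns a visible resource hog into an equally visible correlation between "monitor opened" and "load disappeared".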

While the miner silently uses the victim’s system resources to mine cryptocurrency, the RedLine stealer works in the background, stealing passwords, cookies, browser data, and data from any cryptocurrency wallets it finds.

The Cyble report states that the components of this fake MSI Afterburner are still poorly detected by antivirus software. For example, according to VirusTotal, the malicious setup file MSIAfterburnerSetup.msi is detected by only three security products out of 56, and the browser_assistant.exe file by only two out of 67.
