Cybercriminals target graphic designers with GPU miners

Talos reports a campaign that abuses Advanced Installer to drop GPU-coin-mining malware inside trojanized installers for graphic-design tools. The operation deploys M3_Mini_Rat as a backdoor and miners PhoenixMiner and lolMiner, targeting French-language software and users across France, Switzerland, and other regions. #AdvancedInstaller #M3_Mini_Rat #PhoenixMiner #lolMiner #EthereumClassic #ETC #ZelHash #DuckDNS #sysnod

Keypoints

  • The campaign repurposes a legitimate Windows tool, Advanced Installer, to bundle malicious scripts with installers for 3-D modeling/graphic-design software.
  • The attackers use Advanced Installer’s Custom Actions to execute malicious scripts during installation, enabling persistence and payload deployment.
  • Two primary payload tracks are used: the M3_Mini_Rat backdoor and GPU miners (PhoenixMiner and lolMiner) for Ethereum Classic and ZelHash.
  • Victims are mainly in French-language contexts (France/Switzerland) and include users across architecture, engineering, construction, manufacturing and entertainment sectors.
  • The mining campaign shows wallet activity in Ethereum Classic and ZelHash, with wallet addresses linked to mining proceeds and a timeline indicating activity ramping up since 2021.
  • The attackers’ infrastructure includes C2 domains and servers (e.g., sysnod.duckdns.org) and multiple loader stages (PS scripts, encrypted binaries) that are dropped and decrypted on the host.

MITRE Techniques

  • [T1218.005] Signed Binary Proxy Execution – Msiexec – The attackers use msiexec.exe to execute the dropped malicious batch through the trojanized installer. Quote: “The attack sequence is initiated when a victim clicks on a legitimate software installer, which the attacker bundled with a malicious script using Advanced Installer. The installer then drops a malicious batch script named “core.bat” and the legitimate PE executable “viewer.exe,” an Advanced Installer component as “MSI72E2.tmp” in the local user profile application data temporary folder. To execute the malicious script, the attackers abused Advanced Installer’s Custom Action feature by including command-line arguments to execute the dropped malicious batch file.”
  • [T1059.001] PowerShell – The campaign uses PowerShell loaders (cor.ps1, PS-2) and a PowerShell downloader to decrypt and execute payloads. Quote: “drops a malicious PowerShell loader script named “cor.ps1” (PS-1) and an encrypted file named “core.bin” which is the M3_Mini_RAT client stub.”
  • [T1105] Ingress Tool Transfer – The PowerShell downloader fetches a malicious ZIP from attacker-controlled servers to %windir%, then unzips to drop PS-2, ENC-2 and the PhoenixMiner binary. Quote: “The downloaded PowerShell loader downloads a malicious ZIP archive from an attacker-controlled server to the %windir% location on the victim’s machine. It unzips its contents to drop another PowerShell loader script “core.ps1” (PS-2), an encrypted file (ENC-2), and an Ethash miner called PhoenixMiner executable…”
  • [T1053.005] Scheduled Task – The malware creates tasks (e.g., ViGEmBusUpdater, MSI Task Host – Detect_Monitor) to run PowerShell loaders at defined intervals. Quote: “The malicious batch script “core.bat,” which was dropped during the initial execution stage of the software installer, contains a command to configure the task scheduler in the victim’s machine… schtasks /create …”
  • [T1140] Deobfuscate/Decode Files or Information – The encrypted payloads are decrypted to generate and execute the M3_Mini_Rat client stub and PowerShell loaders. Quote: “decrypts the encrypted file “core.bin” to generate the M3_Mini_Rat client stub.”
  • [T1036] Masquerading – The attacker uses file names like svhost.exe to resemble legitimate svchost.exe, attempting to evade detection. Quote: “The PowerShell launcher runs PhoenixMiner… The attacker uses the filename “svhost.exe,” which closely matches the legitimate Windows executable filename “svchost.exe” in the Windows systems folder, possibly trying to go unnoticed…”
  • [T1095] Non-Application Layer Protocol – The M3_Mini_Rat client communicates with a C2 over a TCP channel (port 3434), indicating a non-application-layer C2 path. Quote: “the RAT client connects to the command and control server by establishing a TCP connection on port 3434.”

Indicators of Compromise

  • [Domain] – sysnod.duckdns.org – attacker-controlled C2 domain used to host/load components.
  • [IP Address] – 104.244.76.183, 79.134.225.70, 79.134.225.124, 51.178.39.184 – DNS resolutions and hosting historically tied to C2/infrastructure.
  • [Wallet Address] – 0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352, 0xbCa8d14Df89cc74B158158E55FCaF5022a103795 – Ethereum Classic related wallets used by miners.
  • [Wallet Address] – t1KHZ5Piuo4Ke7i6BXfU4, t1KHZ5Piuo4Ke7i6BXfU4A – ZelHash (FLUX) related wallet addresses.
  • [Filename] – core.bat, core.ps1, core.bin, viewer.exe – dropped/encrypted payloads and loaders during installation.
  • [Filename] – MSI72E2.tmp – temporary Advanced Installer artifact used during the drop.
  • [Domain] – phoenixminer.org – miner download source.
  • [Domain] – educu.xyz – mining pool domain used by lolMiner.
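
The technique list and the indicator list above translate directly into host-side detection logic. The following Python sketch is an added example, not Talos or campaign code: it applies one rule per listed technique (msiexec spawning a batch file from a temp folder for T1218.005, schtasks registering a PowerShell action for T1053.005, a one-character look-alike of svchost.exe for T1036, outbound TCP to port 3434 for T1095) and matches the listed domains, IPs, file and task names. The key=value telemetry format and every sample line are constructed for illustration; the task names are written with an ASCII hyphen, and the wallet addresses are left out because they never appear in host logs.

```python
"""
Detection sketch for the campaign summarized above: MITRE-technique rules
(T1218.005, T1053.005, T1036, T1095) plus matching against the listed IoCs.
Added example, not Talos or campaign code; the key=value telemetry format and
every sample line below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators copied from the summary above (wallets omitted: they never appear in host telemetry).
IOC_DOMAINS = {"sysnod.duckdns.org", "phoenixminer.org", "educu.xyz"}
IOC_IPS = {"104.244.76.183", "79.134.225.70", "79.134.225.124", "51.178.39.184"}
IOC_FILENAMES = {"core.bat", "core.ps1", "core.bin", "msi72e2.tmp"}
# Scheduled-task names from the summary, lower-cased with an ASCII hyphen (assumption).
IOC_TASKNAMES = {"vigembusupdater", "msi task host - detect_monitor"}
# System binaries whose names the campaign imitates; a one-character variant is flagged (T1036).
PROTECTED_NAMES = {"svchost.exe"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    technique: str  # MITRE ID, or "IOC" for a plain indicator match
    reason: str
    line: str


def parse_line(line: str) -> dict:
    """Parse one constructed key=value telemetry line; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names such as svhost.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(line: str) -> list:
    """Apply the campaign-specific rules to one telemetry line."""
    f = parse_line(line)
    found = []

    def hit(tech, why):
        found.append(Finding(tech, why, line))

    kind = f.get("type")
    image = f.get("image", "").lower()
    parent = f.get("parent", "").lower()
    cmdline = f.get("cmdline", "").lower()

    if kind == "process":
        # T1218.005: the trojanized MSI makes msiexec launch a batch file from the user's temp folder.
        if parent == "msiexec.exe" and image == "cmd.exe" and ".bat" in cmdline and "\\temp\\" in cmdline:
            hit("T1218.005", "msiexec spawned cmd.exe running a .bat from a temp folder")
        # T1053.005 (with T1059.001): schtasks registering a task whose action is PowerShell.
        if image == "schtasks.exe" and "/create" in cmdline and "powershell" in cmdline:
            hit("T1053.005", "scheduled task created with a PowerShell action")
        # T1036: process name one edit away from a protected system binary name.
        if image not in PROTECTED_NAMES and any(edit_distance(image, p) == 1 for p in PROTECTED_NAMES):
            hit("T1036", f"process name {image!r} imitates a system binary")
        for name in IOC_FILENAMES | IOC_TASKNAMES:
            if name in cmdline:
                hit("IOC", f"known file or task name {name!r} in command line")
    elif kind == "network":
        # T1095: the RAT client talks to its C2 over raw TCP on port 3434.
        if f.get("proto") == "tcp" and f.get("dport") == "3434":
            hit("T1095", "outbound TCP to port 3434")
        if f.get("dst") in IOC_IPS | IOC_DOMAINS:
            hit("IOC", f"connection to listed infrastructure {f['dst']}")
    elif kind == "dns":
        if f.get("query", "").lower() in IOC_DOMAINS:
            hit("IOC", f"DNS lookup of listed domain {f['query']}")
    elif kind == "file":
        if f.get("name", "").lower() in IOC_FILENAMES:
            hit("IOC", f"listed file name {f['name']} written to disk")
    return found


def scan(lines) -> list:
    return [finding for line in lines for finding in evaluate(line)]


def summarize(findings) -> dict:
    """Count findings per technique/IOC tag, e.g. {'T1036': 1, 'IOC': 5}."""
    counts = {}
    for fd in findings:
        counts[fd.technique] = counts.get(fd.technique, 0) + 1
    return counts


# Constructed sample telemetry (hypothetical schema); lines 4 and 7 are benign controls.
SAMPLE_LOGS = [
    'type=process parent=msiexec.exe image=cmd.exe cmdline="cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\core.bat"',
    'type=process parent=cmd.exe image=schtasks.exe cmdline="schtasks /create /tn ViGEmBusUpdater /sc minute /mo 5 /tr powershell.exe -w hidden -f C:\\Users\\victim\\AppData\\Local\\Temp\\cor.ps1"',
    'type=process parent=powershell.exe image=svhost.exe cmdline="C:\\Windows\\svhost.exe"',
    'type=process parent=services.exe image=svchost.exe cmdline="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
    "type=dns query=sysnod.duckdns.org",
    "type=network proto=tcp dst=79.134.225.70 dport=3434",
    "type=network proto=tcp dst=203.0.113.10 dport=443",
    'type=file name=core.bin path=C:\\Users\\victim\\AppData\\Local\\Temp\\core.bin',
]

if __name__ == "__main__":
    for fd in scan(SAMPLE_LOGS):
        print(f"[{fd.technique}] {fd.reason}")
    print(summarize(scan(SAMPLE_LOGS)))
```

The look-alike rule deliberately skips exact matches of the protected name, so legitimate svchost.exe generates nothing while svhost.exe in any directory does; the port-3434 rule and the indicator matches are independent, so one connection to a listed IP on that port yields both a T1095 finding and an IOC finding, which is the intended behaviour for a triage queue.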

Read more: https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/