Attackers use a fake MSI Afterburner program to target Windows gamers

 


Windows gamers and power users are being targeted by fake MSI Afterburner download portals that infect users with cryptocurrency miners and the RedLine information-stealing malware.

MSI Afterburner is a GPU utility that allows you to configure overclocking, create fan profiles, perform video capturing, and monitor your installed graphics cards' temperature and CPU utilization.

While created by MSI, the utility can be used by users of almost all graphics cards, leading to its use by millions of gamers worldwide who tweak settings to improve game performance, make their GPUs quieter, and achieve lower temperatures.

However, the tool's popularity has also made it a good target for threat actors, who are looking for Windows users with powerful GPUs that can be hijacked for cryptocurrency mining.

 

Impersonating MSI Afterburner

According to a new report by Cyble, over 50 websites impersonating the official MSI Afterburner site have appeared online in the past three months, pushing XMR (Monero) miners along with information-stealing malware.

Malicious website pushing laced MSI Afterburner (Cyble)

The campaign used domains that could trick users into thinking they were visiting the legitimate MSI website, and which are easier to promote using BlackSEO. Some of the domains spotted by Cyble are listed below:


In other cases, the domains did not resemble the MSI brand and were likely promoted via direct messages, forums, and social media posts. Examples include:

git[.]git[.]skblxin[.]matrizauto[.]net
git[.]git[.]git[.]skblxin[.]matrizauto[.]net
git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
git[.]git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
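As an added example (not from the article or from Cyble), the following Python script triages a list of observed hostnames, such as names pulled from DNS or proxy logs, into brand lookalikes and unrelated domains using the same two patterns the article describes: hyphenated or misspelled variants of "msi-afterburner" versus names with no resemblance to the brand. The allowlist, the edit-distance threshold and the sample list are assumptions; the sample mixes domains quoted in the article with benign names.

```python
"""Flag lookalike domains for the MSI Afterburner brand in observed hostnames."""

import re

BRAND = "msiafterburner"   # "msi-afterburner" with separators removed
OFFICIAL = {"msi.com"}     # assumed allowlist of legitimate domains
MAX_DISTANCE = 2           # assumed edit-distance threshold for near-misses


def refang(domain: str) -> str:
    """Turn defanged notation such as 'git[.]skblxin[.]net' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def registrable_label(host: str) -> str:
    """Naively take the label left of the TLD ('msi-afterburnerr' from
    'msi-afterburnerr.com'); public-suffix handling is out of scope here."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates the brand and is not an official MSI host."""
    host = refang(domain)
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return False
    label = re.sub(r"[^a-z0-9]", "", registrable_label(host))
    return BRAND in label or levenshtein(label, BRAND) <= MAX_DISTANCE


def triage(domains):
    """Return the observed names (as written) that look like brand impersonation."""
    return sorted(d for d in domains if is_lookalike(d))


OBSERVED = [  # constructed sample: article domains plus benign names
    "msi-afterburner-download.site", "msi-afterburner.download",
    "mslafterburners.com", "msi-afterburnerr.com", "www.msi.com",
    "git[.]git[.]skblxin[.]matrizauto[.]net", "example.com",
]

if __name__ == "__main__":
    for d in triage(OBSERVED):
        print("lookalike:", d)
```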

Stealthy mining while stealing your passwords

When the fake MSI Afterburner setup file (MSIAfterburnerSetup.msi) is executed, the legitimate Afterburner program is installed. However, the installer also quietly drops and runs the RedLine information-stealing malware and an XMR miner on the compromised device.

The miner is installed through a 64-bit Python executable named 'browser_assistant.exe' in the local Program Files directory, which injects shellcode into the process created by the installer.

This shellcode retrieves the XMR miner from a GitHub repository and injects it directly into the memory of the explorer.exe process. Since the miner never touches the disk, the chances of being detected by security products are minimized.

The miner connects to its mining pool using a hardcoded username and password, and then collects and exfiltrates basic system data to the threat actors.

One of the arguments the XMR miner uses is 'CPU max threads' set to 20, exceeding the thread count of most modern CPUs, so it is set to capture all available processing power.

XMRminer argument details (Cyble)

The miner is set to mine only after the CPU has been idle for 60 minutes, meaning that the infected computer is not running any resource-intensive tasks and is most likely left unattended.

Also, it uses the '-cinit-stealth-targets' argument, an option that pauses mining activity and clears GPU memory when specific programs listed under 'stealth targets' are launched.

These could be process monitors, antivirus tools, hardware resource viewers, and other tools that help the victim spot the malicious process.

In this case, the Windows applications from which the miner attempts to hide are Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe, and procexp64.exe.

While the miner is quietly hijacking your computer's resources to mine Monero, RedLine has already run in the background, stealing your passwords, cookies, browser information and, potentially, any cryptocurrency wallets.

Unfortunately, almost all of this fake MSI Afterburner campaign's components have poor antivirus detection.

VirusTotal reports that the malicious 'MSIAfterburnerSetup.msi' setup file is detected by only three out of 56 security products, while 'browser_assistant.exe' is detected by only 2 out of 67 products.

To stay safe from miners and malware, download tools directly from official sites rather than from sites shared in forums, social media, or direct messages.

In this case, the legitimate MSI Afterburner can be downloaded directly from MSI at www.msi.com/Landing/afterburner/graphics-cards.


 

Source: https://www.bleepingcomputer.com/news/security/fake-msi-afterburner-targets-windows-gamers-with-miners-info-stealers/
