Fake MSI Afterburner targets Windows gamers using miners and info-stealers

MSI Afterburner

Windows gamers and power users are targeted by fake MSI Afterburner download portals to infect users with cryptocurrency miners and information-stealing RedLine malware.

MSI Afterburner is a GPU utility that allows you to configure overclocking, create fan profiles, capture video, and monitor the temperature and CPU usage of your installed graphics cards.

Although the utility is developed by MSI, it can be used by users of almost all graphics cards, which leads to its being used by millions of gamers worldwide who tweak settings to improve gaming performance, make their GPUs quieter and lower to reach temperatures.

However, the tool’s popularity has also made it a good target for threat actors looking to target Windows users with powerful GPUs that can be hijacked for cryptocurrency mining.

Impersonate MSI Afterburner

According to a new report from Cyble, over 50 websites masquerading as the official MSI Afterburner website have surfaced online in the last three months, pushing XMR (Monero) miners along with information-stealing malware.

Malicious website distributing bundled MSI Afterburner
Malicious website distributing bundled MSI Afterburner (cybel)

The campaign used domains that could trick users into believing they are visiting the legitimate MSI website and are easier to promote with BlackSEO. Some of the domains detected by Cyble are listed below:

  • msi-afterburner–download.site
  • msi-afterburner-download.site
  • msi-afterburner-download.tech
  • msi-afterburner-download.online
  • msi-afterburner-download.store
  • msi-afterburner-download.ru
  • msi-afterburner.download
  • mslaverburners.com
  • msi-afterburnerr.com

In other cases, the domains did not resemble the MSI brand and were likely promoted via direct messages, forums, and social media posts. Examples include:

  • git[.]git[.]skblxin[.]matrix car[.]network
  • git[.]git[.]git[.]skblxin[.]matrix car[.]network
  • git[.]git[.]git[.]git[.]skblxin[.]matrix car[.]network
  • git[.]git[.]git[.]git[.]git[.]skblxin[.]matrix car[.]network

Stealthy mining while stealing your passwords

Running the fake MSI Afterburner setup file (MSIAfterburnerSetup.msi) installs the legitimate Afterburner program. However, the installer will also silently delete and run the information-stealing malware RedLine and an XMR miner on the compromised device.

The miner is installed via a 64-bit Python executable named “browser_assistant.exe” in the local program directory, which injects a shell into the process created by the installer.

This shellcode retrieves the XMR miner from a GitHub repository and injects it directly into memory in the explorer.exe process. Since the miner never touches the hard drive, the chances of being detected by security products are minimized.

The miner connects to its mining pool with a hard-coded username and password, and then collects and exfiltrates basic system data to the threat actors.

One of the arguments used by the XMR miner is “CPU max threads”, which is set to 20, beating most modern CPU threads, so it’s set to capture all the available power.

XMRminer argument details
XMRminer argument details (cybel)

The miner will only stop mining after 60 minutes after the CPU has become idle, which means that the infected computer will not perform any resource-intensive tasks and will most likely remain unattended.

Also, it uses “-cinit-stealth-targets” argument, which is an option to pause mining activity and clear GPU memory when certain programs listed under “Stealth targets” are launched .

These can be process monitors, antivirus tools, hardware resource viewers and other tools that help the victim to detect the malicious process.

In this case, the Windows applications that the miner tries to hide from are Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe, and procexp64.exe.

While the miner is quietly hijacking your computer’s resources to mine Monero, RedLine has already been running in the background, stealing your passwords, cookies, browser information, and possibly all cryptocurrency wallets.

Unfortunately, almost all components of this fake MSI Afterburner campaign have poor antivirus software detection.

VirusTotal reports that the malicious setup file “MSIAfterburnerSetup.msi” is only detected by three out of 56 security products, while “browser_assistant.exe” is only detected by 2 out of 67 products.

To be safe from miners and malware, download tools directly from official websites and not from websites shared on forums, social media or direct messages.

In this case, the legitimate MSI Afterburner can be downloaded directly from MSI at www.msi.com/Landing/afterburner/graphics-cards.


Leave a Reply

Your email address will not be published. Required fields are marked *