Cyble Research and Intelligence Labs (CRIL) has discovered several phishing campaigns that use MSI Afterburner as a lure to deliver XMR (Monero) cryptomining and information-stealing malware through more than 50 fake replica websites. MSI Afterburner is a free utility for overclocking, monitoring, benchmarking and video capture. It works with graphics cards from all major vendors, which makes it popular with anyone trying to squeeze every last drop of performance out of their GPU. The only safe place to download it is MSI's official website.
That popularity is exactly what makes it a useful lure. CRIL writes that the campaigns spread links to the fake websites through phishing emails, online ads and other channels. Domain names observed include msi-afterburner-download.site, msi-afterburner.download and mslafterburners.com (note the lowercase L in place of the i).

Anyone who downloads and runs the fake MSI Afterburner setup file will find that the real version of the software is installed. But the installer also drops the RedLine information stealer and an XMR miner on the device. As with other cryptojacking malware, the miner connects to a mining pool with a hardcoded username and password to mine Monero, consuming so much of the system's resources that performance suffers badly. Bleeping Computer reports that the miner only activates after the CPU has been idle for 60 minutes, so it never competes with a resource-intensive program the user would notice, and the device has most likely been left unattended. Meanwhile RedLine Stealer runs in the background, pilfering passwords, cookies, browser data and, potentially, cryptocurrency wallets.

Worst of all, only a tiny number of antivirus engines detect the campaigns' malicious components, so running a security scan is not a reliable way to find out whether you have been infected. Anyone who installed Afterburner from a domain other than MSI's own should assume that credentials saved in their browser have been exposed and change them.

This is not the first time Afterburner has been used to deliver malware. Last year MSI warned users not to visit a duplicate of its official website set up by hackers, which hosted a malware-laden program disguised as the overclocking app.
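The lookalike domain names above can be turned into a simple detection. The following script is an added example, not part of the original article or of Cyble's or Bleeping Computer's research: it scans DNS query log lines for names that contain, or closely resemble, the Afterburner brand token, folding the l-for-i substitution used by mslafterburners.com before matching. The log format, the host names and the assumption that MSI's legitimate site lives under msi.com are constructed for the example; three of the sample domains are the ones named in the article, the rest are made up.

```python
"""Flag DNS queries for lookalikes of the MSI Afterburner download site.

Added example, not part of the original article or of Cyble's research.
"""
import re
from difflib import SequenceMatcher

# Brand tokens the fake sites imitate, derived from the domains in the article.
BRAND_TOKENS = ("msiafterburner", "afterburner")
# Domains allowed to carry the brand. Assumption: the real download is served from msi.com.
ALLOWED_DOMAINS = ("msi.com",)
# Characters attackers swap for visually similar ones (mslafterburners.com uses l for i).
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})
FUZZY_THRESHOLD = 0.85

# Constructed DNS query log lines (hypothetical format), not real telemetry.
SAMPLE_LOG = """\
2023-01-10T09:12:01Z host=ws-17 qname=msi-afterburner-download.site qtype=A
2023-01-10T09:12:05Z host=ws-17 qname=www.msi.com qtype=A
2023-01-10T09:13:44Z host=ws-22 qname=msi-afterburner.download qtype=A
2023-01-10T09:15:09Z host=ws-22 qname=mslafterburners.com qtype=A
2023-01-10T09:16:30Z host=ws-03 qname=github.com qtype=A
2023-01-10T09:17:02Z host=ws-03 qname=afterburner-msi.shop qtype=A
2023-01-10T09:18:11Z host=ws-08 qname=msiafterburnr.com qtype=A
2023-01-10T09:19:40Z host=ws-08 qname=msi.com-afterburner.top qtype=A
"""

LOG_RE = re.compile(r"host=(?P<host>\S+)\s+qname=(?P<qname>\S+)")


def normalize(qname):
    """Lowercase, strip dots/hyphens/underscores, fold homoglyphs.

    'msl-after.burner' -> 'msiafterburner'
    """
    stripped = re.sub(r"[.\-_]", "", qname.lower().rstrip("."))
    return stripped.translate(HOMOGLYPHS)


def is_allowed(qname):
    """True only for the allowed domain itself or a real subdomain of it.

    'msi.com-afterburner.top' is NOT allowed: it merely starts with 'msi.com'.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ALLOWED_DOMAINS)


def best_window_ratio(token, name):
    """Best similarity between token and any equal-length window of name."""
    if len(name) < len(token):
        return SequenceMatcher(None, token, name).ratio()
    return max(
        SequenceMatcher(None, token, name[i:i + len(token)]).ratio()
        for i in range(len(name) - len(token) + 1)
    )


def classify(qname):
    """Return a reason string if qname looks like an Afterburner lookalike, else None."""
    if is_allowed(qname):
        return None
    name = normalize(qname)
    # Exact containment first: catches hyphenated and homoglyph variants.
    for token in BRAND_TOKENS:
        if token in name:
            return f"contains brand token '{token}'"
    # Fuzzy match second: catches dropped or swapped letters (msiafterburnr).
    for token in BRAND_TOKENS:
        ratio = best_window_ratio(token, name)
        if ratio >= FUZZY_THRESHOLD:
            return f"fuzzy match to '{token}' ({ratio:.2f})"
    return None


def scan_log(text):
    """Return (host, qname, reason) for every flagged query in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reason = classify(m["qname"])
        if reason:
            hits.append((m["host"], m["qname"], reason))
    return hits


if __name__ == "__main__":
    for host, qname, reason in scan_log(SAMPLE_LOG):
        print(f"{host}\t{qname}\t{reason}")
```

The allowlist check deliberately tests the end of the name rather than its start, so a domain that merely begins with msi.com is still scored; the homoglyph fold runs before matching so the l-for-i trick in the article's mslafterburners.com does not escape the exact-containment rule.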