
Beware of fake MSI Afterburner currently circulating that installs cryptojacking and information-stealing malware

Summary

Cyble Intelligence and Research Lab (CRIL) discovered several phishing campaigns that use MSI Afterburner to deliver XMR (Monero) cryptomining and information-stealing malware via 50+ fake replica websites. The researchers found that a large number of websites have been impersonating MSI's official site to trick users into downloading malware alongside the overclocking tool.

 


[Image: fakeofficial.jpg]

Quotes


A cyber risk and security analysis company by the name of Cyble has discovered that there are a number of websites distributing a version of MSI Afterburner laced with various strains of malware. Those who accidentally download this widely popular graphics card utility via one of the cunningly crafted spoof domains could face malware issues such as unwanted crypto-mining software and information-stealing software.

 

Specific malware apps that are being duped with a genuine version of MSI Afterburner include XMR Miner and RedLine Stealer. CRIL provides some technical details of both malware installations. For news purposes it is sufficient to say that these malware apps are secretly installed alongside the genuine MSI Afterburner, without user prompting, from download files with innocuous names like browser_assistant.exe, install.exe, and comp.cab, distributed by the fake sites.

 

As with other cryptojacking malware, the miner, which connects to a mining pool to mine Monero using a hardcoded username and password, takes up a huge amount of system resources, severely impacting performance. Bleeping Computer writes that the miner only activates 60 minutes after the CPU has gone idle, so the computer is not running any resource-intensive programs. It also means the device has probably been left unattended. While this is happening, the RedLine Stealer is running in the background, pilfering passwords, cookies, browser information, and (potentially) cryptocurrency wallets. Worst of all, the campaigns' malicious elements are only detected by a tiny number of antivirus programs, so discovering you've been infected might not be as easy as running a security tool.

 

My thoughts

Apparently this isn't the first time this has happened. Last year hackers created a duplicate of the official MSI website containing a malware-loaded version of MSI Afterburner. This time around it seems to be much more prevalent, with many more websites appearing. I've had one of these crypto mining malware infections before, and it was a royal pain in the butt. Luckily, I found a way to mitigate it by turning off the internet. However, when the internet was connected it would drive my CPU and GPU to 100% utilization. I tried many different methods of removal, using some of the best anti-malware programs/anti-virus programs/anti-rootkit tools etc. But in the end reinstalling Windows was really the only viable option to get rid of all remnants of it. If you downloaded MSI Afterburner recently, it might be wise to double check whether or not you might be infected. If you got it from the official website though, you should be in good standing.

 

Sources

https://www.bleepingcomputer.com/news/security/fake-msi-afterburner-targets-windows-gamers-with-miners-info-stealers/

https://www.techspot.com/news/96763-beware-fake-msi-afterburner-installs-cryptojacking-information-stealing.html

https://www.techpowerup.com/301461/msi-afterburner-laced-with-malware-circulating-in-the-wild

https://hothardware.com/news/hackers-are-spoofing-msis-afterburner-utility-with-malware

https://www.eteknix.com/fake-msi-afterburner-software-riddled-with-malware/


2 hours ago, huilun02 said:

I have my MSI AB and RivaTuner firewalled right off the bat and update them manually from guru3d

I always download it straight from guru3d... any MSI websites always seemed fishy to me, plus at one point they even linked directly to guru3d to download Afterburner...

I mean, it sure is weird that it has the MSI name anyway when it's mostly (or only) one guy writing the program who doesn't work for MSI (afaik)

 

 

7 hours ago, Shimejii said:

Always surprising to see Google allowing it though

Well, in theory, Chrome should give a warning if you try to download a file from a new(ish) website, which a fake MSI website would probably count as... but not everyone uses Chrome and maybe these websites found a way around it, not sure how it works exactly 🤔


Yeah, always make sure it's the official site. Not those dubious ones.


The original site already looks like a phishing site, which makes it a little more difficult in this case imo...

I guess you could check their DigiCert SSL cert, but it's obviously extra steps and you've got to know what to look for (click on the lock icon in your address bar).


MSI makes it difficult to even find it on their own website when you browse by category. That sucks, they need to fix it!


Type "MSI Afterburner" in the search box, click the first link, click "download afterburner"

 

no malware, shock

 


10 hours ago, Marko1600 said:

Type "MSI Afterburner" in the search box, click the first link, click "download afterburner"

 

no malware, shock

 


Turned off my adblocker. My first link was a malicious ad. I reported it.


Probably made by an official Nvidia card holder

 

All jokes aside, please check all URLs and try to trace them back to the original website. If that doesn't work, go to MSI's website and look it up there. You'll get the official website 99% of the time. Unless they make a fake official MSI website, but shhhh, don't tell them I said that.

