According to the latest report released by the security company Cyble, in the past 3 months there have been at least 50 security incidents in which players mistakenly connected to a fake MSI Afterburner official website, had their information stolen, and had their personal devices used for mining.
The phishing website's appearance is copied wholesale from the original MSI website, so there is no visible difference. These phishing sites include, but are not limited to, the following domain names:
- msi-afterburner–download.site
- msi-afterburner-download.site
- msi-afterburner-download.tech
- msi-afterburner-download.online
- msi-afterburner-download.store
- msi-afterburner-download.ru
- msi-afterburner.download
- mslafterburners.com
- msi-afterburnerr.com
In some cases, the hackers used domains that did not resemble the MSI brand and were likely promoted through direct messages, forums, and social media posts. Examples include:
- git[.]git[.]skblxin[.]matrixauto[.]net
- git[.]git[.]git[.]skblxin[.]matrixauto[.]net
- git[.]git[.]git[.]git[.]skblxin[.]matrixauto[.]net
- git[.]git[.]git[.]git[.]git[.]skblxin[.]matrixauto[.]net
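As a defender-side illustration added here (not part of the Cyble report), the Python check below flags hostnames in proxy logs that imitate the Afterburner brand, using an edit-distance match that tolerates the typos and letter swaps seen in the list above, while leaving the dissimilar matrixauto[.]net hosts unflagged. The log lines are constructed, and the `msi.com` allowlist entry and log format are assumptions.

```python
"""Flag hostnames in proxy logs that imitate the MSI Afterburner brand.
Added example; the log lines below are constructed, not real traffic."""
import re

BRAND = "msiafterburner"      # brand string with separators removed
ALLOWLIST = {"msi.com"}       # assumed legitimate registrable domain
MAX_DIST = 2                  # edit-distance tolerance for typos/homoglyphs


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(text: str, needle: str, max_dist: int) -> bool:
    """True if some substring of text is within max_dist edits of needle."""
    for size in range(len(needle) - max_dist, len(needle) + max_dist + 1):
        for start in range(max(1, len(text) - size + 1)):
            if levenshtein(text[start:start + size], needle) <= max_dist:
                return True
    return False


def is_lookalike(host: str) -> bool:
    """Refang, skip allowlisted domains, then fuzzy-match the brand in the host."""
    host = host.lower().replace("[.]", ".")
    registrable = ".".join(host.split(".")[-2:])
    if registrable in ALLOWLIST:
        return False
    core = re.sub(r"[^a-z0-9]", "", host)   # drop dots, hyphens, dashes
    return fuzzy_contains(core, BRAND, MAX_DIST)


def flag_log(lines):
    """Return hosts from constructed 'timestamp client host' lines that look like the brand."""
    return [p[2] for p in (line.split() for line in lines)
            if len(p) >= 3 and is_lookalike(p[2])]


SAMPLE_LOG = [  # constructed proxy lines; hosts taken from the lists above
    "2022-11-20T10:01:02Z 10.0.0.5 www.msi.com",
    "2022-11-20T10:02:10Z 10.0.0.5 msi-afterburner-download.ru",
    "2022-11-20T10:03:44Z 10.0.0.7 mslafterburners.com",
    "2022-11-20T10:04:01Z 10.0.0.7 git.git.skblxin.matrixauto.net",
    "2022-11-20T10:05:30Z 10.0.0.9 msi-afterburnerr.com",
]
```

Running `flag_log(SAMPLE_LOG)` returns the three lookalike hosts and nothing else; the legitimate host is allowlisted and the matrixauto[.]net host has no brand resemblance to match.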
Once users visit these phishing websites and download the MSI Afterburner installation file (MSIAfterburnerSetup.msi), the RedLine information-stealing malware and an XMR mining program are quietly dropped and run during the installation process.
The miner is installed via a 64-bit Python executable called “browser_assistant.exe” in the local Program Files directory, which injects shellcode into a handler process created by the installer.
One of the parameters used by the XMR miner is “CPU max threads”, set to 20, which is higher than the thread count of most modern CPUs, so it effectively captures all available processing power.
So even when you see the familiar official website, you still need to check whether there is a problem with the URL, so that your computer does not accidentally become someone else's mining machine.