Fake MSI graphics card overclocking tool Afterburner floods websites, hijacks Microsoft Win10/Win11 devices for mining

According to security firm Cyble's latest report, in the past 3 months there have been at least 50 security incidents in which players mistakenly connected to a fake MSI Afterburner official website, had their information stolen, and had their personal devices used for mining.

The appearance of this phishing website is completely copied from the original MSI website, so there is no difference in appearance. These phishing sites include but are not limited to the following domain names:

  • msi-afterburner–download.site

  • msi-afterburner-download.site

  • msi-afterburner-download.tech

  • msi-afterburner-download.online

  • msi-afterburner-download.store

  • msi-afterburner-download.ru

  • msi-afterburner.download

  • mslafterburners.com

  • msi-afterburnerr.com

Figure: Number of victims in past months

In some cases, the hackers used domains that did not resemble the MSI brand and were likely promoted through direct messages, forums, and social media posts. Examples include:

  • git[.]git[.]skblxin[.]matrixauto[.]net

  • git[.]git[.]git[.]skblxin[.]matrixauto[.]net

  • git[.]git[.]git[.]git[.]skblxin[.]matrixauto[.]net

  • git[.]git[.]git[.]git[.]git[.]skblxin[.]matrixauto[.]net

Once a user downloads the MSI Afterburner installer (MSIAfterburnerSetup.msi) from one of these phishing websites, the RedLine information-stealing malware and an XMR mining program are quietly dropped and run during the installation process.
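The domain lists above are the kind of indicator a defender would feed into proxy or DNS log monitoring. The following is an added example, not code from the article or from Cyble: it normalises defanged "[.]" notation, matches hosts (and their subdomains, which covers the nested git.git... names) against the domains listed on this page, and applies a simple heuristic for lookalikes not yet on the list, namely any host outside msi.com whose letters still spell "afterburner" once hyphens, dashes of any width and digits are stripped. The proxy log lines, the 10.0.0.x client addresses and the msi-afterburner-mirror.example host are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Phishing domains quoted in the article. The git.git... hostnames all sit under
# one parent, so the parent is listed and subdomain matching covers the rest.
KNOWN_PHISHING_DOMAINS = {
    "msi-afterburner-download.site",
    "msi-afterburner-download.tech",
    "msi-afterburner-download.online",
    "msi-afterburner-download.store",
    "msi-afterburner-download.ru",
    "msi-afterburner.download",
    "mslafterburners.com",
    "msi-afterburnerr.com",
    "skblxin.matrixauto.net",
}
# The vendor's own domain; any other host carrying the brand string is suspect.
LEGIT_DOMAINS = {"msi.com"}
BRAND_TOKEN = "afterburner"


def refang(text: str) -> str:
    """Undo the '[.]' defanging used in threat reports."""
    return text.strip().replace("[.]", ".")


def host_from(url: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare hostname."""
    url = refang(url)
    if "://" not in url:
        url = "//" + url  # urlparse needs a netloc marker for bare hosts
    return (urlparse(url).hostname or "").rstrip(".")


def under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str:
    """Return legitimate / known_phishing / lookalike / unrelated for a URL or host."""
    host = host_from(url)
    if any(under(host, d) for d in LEGIT_DOMAINS):
        return "legitimate"
    if any(under(host, d) for d in KNOWN_PHISHING_DOMAINS):
        return "known_phishing"
    # Heuristic for unseen lookalikes: keep ASCII letters only, so hyphens,
    # en/em dashes, digits and extra TLD labels cannot hide the brand string.
    letters = re.sub(r"[^a-z]", "", host)
    if BRAND_TOKEN in letters:
        return "lookalike"
    return "unrelated"


# Constructed proxy log: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2022-12-01T10:00:00Z 10.0.0.5 GET https://www.msi.com/
2022-12-01T10:02:13Z 10.0.0.5 GET https://msi-afterburner-download.site/MSIAfterburnerSetup.msi
2022-12-01T10:05:41Z 10.0.0.9 GET http://git.git.git.skblxin.matrixauto.net/MSIAfterburnerSetup.msi
2022-12-01T10:07:02Z 10.0.0.12 GET https://msi-afterburner-mirror.example/setup.msi
2022-12-01T10:09:30Z 10.0.0.12 GET https://example.org/index.html
"""


def scan_log(text: str):
    """Return (client_ip, host, verdict) for every request to a suspicious host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        client, url = parts[1], parts[3]
        verdict = classify(url)
        if verdict in ("known_phishing", "lookalike"):
            hits.append((client, host_from(url), verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {verdict}")
```

Running it reports the two hosts from the article's lists as known_phishing and the constructed mirror host as a lookalike, while msi.com and the unrelated site pass. The heuristic deliberately errs toward flagging: a hit is a prompt to check the URL, not a verdict on its own.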


The miner is installed via a 64-bit Python executable called "browser_assistant.exe", placed in the local Program Files directory, which injects shellcode into the handler created by the installer.


One of the parameters used by the XMR miner is "CPU max threads", set to 20, which exceeds the thread count of most modern CPUs, so the miner is effectively configured to seize all available processing power.


So even when a site looks exactly like the familiar official website, check the URL carefully for anything wrong, so that your computer does not quietly become someone else's mining machine.
