MSI Afterburner Installer Infected with Malware

June 26, 2024

We've come across a dangerous variant of the MSI Afterburner installer, which is a 62.4 MB Windows MSI package. Although it appears to be a legitimate setup file, running it will infect your system with a crypto miner and an info stealer.

The Malware Underneath

On the surface, the installation seems normal, but it conceals a crypto miner and an info stealer. These threats can steal passwords and credentials, potentially compromising accounts such as YouTube.

What Process Explorer Reveals

In Process Explorer, most processes look normal. At the bottom of the list, however, install.exe is flagged as malicious by six detections. More suspiciously, cmd.exe and conhost.exe, normally benign system processes, are running with command lines that reference install.bat; these belong to the info stealer component.

The Crypto Miner

The malware also drops an XMRig crypto miner, injected into explorer.exe. Earlier samples connected to xmr.to miners.com and only ramped up to the maximum CPU thread count after 60 minutes of user idle time, so the load would not be noticed while the machine was in active use. Interestingly, this behavior seems to have ceased, possibly due to changes in the cryptocurrency market.

Analysis by Bleeping Computer

Thanks to Bleeping Computer's analysis, we can see the explorer.exe process with injected code pointing to the mining site. The miner is configured to use up to 20 CPU threads, activating only after an hour of inactivity.

VirusTotal and In-Depth Analysis

On VirusTotal, the setup file is detected by only 20 engines, likely because it is a sizable 62 MB MSI package rather than a typical small malware executable. In contrast, Intezer's analysis identifies the setup as malicious. Extracting the original setup file reveals the legitimate MSI Afterburner setup alongside a malicious payload named browser_assistant.exe, identified as a clip banker (an info stealer).

Detection Challenges

The info stealer, written in Python and packed with PyInstaller, evades many detection mechanisms. Static analysis yields minimal matches, making it hard to detect, and dynamic analysis also fails to surface the malware's collection or exfiltration activity, suggesting that the embedding method effectively evades detection.
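As an added example (not code from the original post or from the analysts it cites), the Python script below applies the indicators from the Process Explorer section and the PyInstaller observation above to constructed sample telemetry: it flags cmd.exe/conhost.exe running install.bat, explorer.exe holding connections to mining-pool-like hosts, and files that carry PyInstaller's archive cookie. The pool-name fragments and every sample record are assumptions for illustration, not values taken from the page.

```python
import re
from dataclasses import dataclass

# Real constant: the cookie magic PyInstaller writes into every bundled archive.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Hostname fragments treated as mining-pool indicators (heuristic; an assumption,
# not a vetted list). In production, compare against threat-intel feeds instead.
POOL_HINTS = ("xmr", "monero", "pool", "miner")


@dataclass
class Proc:
    """One process record as a Process Explorer style tool would show it."""
    pid: int
    name: str
    parent: str
    cmdline: str
    remote_hosts: tuple = ()  # hostnames the process has open connections to


def triage(procs):
    """Return (pid, reason) pairs for records matching the page's indicators."""
    findings = []
    for p in procs:
        name = p.name.lower()
        # cmd.exe / conhost.exe whose command line references install.bat
        if name in ("cmd.exe", "conhost.exe") and re.search(r"install\.bat\b", p.cmdline, re.I):
            findings.append((p.pid, "script host running install.bat"))
        # explorer.exe should not hold connections to anything that looks like a pool
        if name == "explorer.exe":
            hits = [h for h in p.remote_hosts if any(k in h.lower() for k in POOL_HINTS)]
            if hits:
                findings.append((p.pid, f"explorer.exe connected to {', '.join(hits)}"))
    return findings


def is_pyinstaller(blob: bytes) -> bool:
    """Static check: a PyInstaller bundle carries the archive cookie in its overlay."""
    return PYINSTALLER_MAGIC in blob


# Constructed sample telemetry modelled on the page's description (not real captures).
SAMPLE = [
    Proc(4012, "explorer.exe", "userinit.exe", "C:\\Windows\\explorer.exe", ("xmr.pool.example",)),
    Proc(5120, "cmd.exe", "install.exe", 'cmd.exe /c "C:\\Users\\v1\\AppData\\Local\\Temp\\install.bat"'),
    Proc(5124, "conhost.exe", "cmd.exe", "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"),
    Proc(1234, "notepad.exe", "explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(pid, reason)
```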

Increasing Detection Over Time

Initially the payload had limited detection, but as it spread, more engines began identifying it. Major vendors such as Bitdefender and Emsisoft still miss it, however, highlighting the evolving nature of malware and the need for robust behavioral protection.

Conclusion

This incident underscores the necessity for behavioral protection on host systems, as traditional sandbox-based detection often falls short. Stay informed and secure by sharing this information about the malicious MSI Afterburner installer. A special thanks to Intezer for sponsoring this analysis and providing their platform for this investigation.

For more insights and to conduct your own investigations, visit analyze.intezer.com and sign up for a community account. Their support team is excellent for any queries.