
GPU-thirsty hackers target architects, designers with cryptomining malware

Cybercriminals are targeting French-speaking architects, engineers and graphic designers with malware that turns their computers into cryptocurrency mining machines, according to cybersecurity researchers.

The goal is to force the malware onto personal computers with powerful graphics processing units (GPUs), which are good at handling complex mathematical puzzles — including those involved with mining cryptocurrency, the cybersecurity firm Cisco Talos says in a report released Thursday.

The illicit cryptocurrency mining campaign has been ongoing since at least November 2021 and mostly targets French-speaking users in France and Switzerland, the researchers said. Victims are also located in the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, according to Cisco Talos.

To deliver malware to victims, hackers use a legitimate tool called Advanced Installer that helps developers create easy-to-install packages for Windows applications, Cisco Talos said. With the help of the tool, they package malicious scripts into installers for other legitimate software, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro.

Anyone seeking to use those programs for 3D modeling and graphic design also potentially has a computer with a powerful GPU. The chips are primarily designed for tasks like rendering images, processing video and handling 3D graphics.

PhoenixMiner and lolMiner

The payload delivered to victims includes the publicly available Ethereum cryptocurrency-mining malware PhoenixMiner and lolMiner, a multi-coin mining tool. Another payload, the M3_Mini_Rat client, is a PowerShell script primarily used for system reconnaissance and the execution of other malicious files.

It's not clear how the infected software installers were first sent to the victims' computers. In previous similar attacks, hackers frequently used a method called search engine optimization (SEO) poisoning, researchers said. This technique allows attackers to manipulate search engine results, leading users to malicious websites or distributing malware.

Researchers haven’t yet identified the threat actor behind this campaign but, according to Cisco Talos’ analysis, the attackers’ servers are connected to IP addresses in Luxembourg, Germany and France.

So far the campaign’s returns have been financially modest. In January 2023, the attackers managed to generate over 50 Ethereum Classic coins, equivalent to about $800 based on current values. Then, on July 9, 2023, they mined over 50 coins, Cisco Talos said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.