A malware-laced version of MSI Afterburner is in circulation

Thread starter: Kaotik (Banhammer, staff member; joined 14.10.2016; 22,442 posts)
A counterfeit version of the popular overclocking application is being distributed that installs an XMR cryptominer on the machine and steals the user's data.
The fake version has been distributed on at least 50 different sites that, apart from their address, look like the genuine MSI Afterburner download page.
The site addresses have also been crafted to mislead through their similarity. Example addresses listed by Tom's Hardware are msi-afterburner-download.site, msi-afterburner.download and mslafterburners.com.
The scam sites have apparently also managed to get into Google's search results.

 
"When the fake MSI Afterburner setup file (MSIAfterburnerSetup.msi) is executed, the legitimate Afterburner program will be installed. However, the installer will also quietly drop and run the RedLine information-stealing malware and an XMR miner on the compromised device.

The miner is installed through a 64-bit Python executable named 'browser_assistant.exe' in the local Program Files directory, which injects shellcode into the process created by the installer.

This shellcode retrieves the XMR miner from a GitHub repository and injects it directly into memory in the explorer.exe process. Since the miner never touches the disk, the chances of being detected by security products are minimized.
The miner connects to its mining pool using a hardcoded username and password and then collects and exfiltrates basic system data to the threat actors.

One of the arguments the XMR miner uses is 'CPU max threads' set to 20, exceeding the thread count of most modern CPUs, so it is set to capture all available power.
[Figure: XMRminer argument details (Cyble)]

The miner is set to mine only after the CPU has been idle for 60 minutes, meaning that the infected computer is not running any resource-intensive tasks and is most likely left unattended.
Also, it uses the "-cinit-stealth-targets" argument, which is an option to pause mining activity and clear GPU memory when specific programs listed under "stealth targets" are launched.
These could be process monitors, antivirus tools, hardware resource viewers, and other tools that help the victim spot the malicious process.

In this case, the Windows applications from which the miner attempts to hide are Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe, and procexp64.exe.
While the miner is quietly hijacking your computer's resources to mine Monero, RedLine has already run in the background stealing your passwords, cookies, browser information, and, potentially, any cryptocurrency wallets.

Unfortunately, almost all of this fake MSI Afterburner campaign's components have poor antivirus detection.
VirusTotal reports that the malicious 'MSIAfterburnerSetup.msi' setup file is only detected by three security products out of 56, while 'browser_assistant.exe' is only detected by 2 out of 67 products."
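Added example (not a post in this thread, and not code from BleepingComputer, Cyble or MSI): a small Python hunt over constructed Sysmon-style records for the indicators the quoted article gives, namely a browser_assistant.exe under Program Files, explorer.exe opening outbound connections to a mining pool, the five stealth-target process names, and lookalike download domains. The record shape, the exact Program Files path, the TEST-NET addresses and the set of Stratum pool ports are assumptions; the article names none of them.

```python
"""Hunting checks for the fake MSI Afterburner chain quoted above.

Added example, not code from the article, Cyble or the thread. The events
below are constructed by hand in a Sysmon-like shape; field names, the
loader's exact path, the TEST-NET IPs and the pool ports are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import re

# Process names the miner pauses for, per the article ("-cinit-stealth-targets").
STEALTH_TARGETS = {
    "taskmgr.exe", "processhacker.exe", "perfmon.exe", "procexp.exe", "procexp64.exe",
}
# Assumption: ports commonly used by Monero Stratum pools. Not from the article.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


@dataclass
class ProcessEvent:          # loosely follows Sysmon Event ID 1
    pid: int
    image: str
    parent_image: str


@dataclass
class NetworkEvent:          # loosely follows Sysmon Event ID 3
    pid: int
    image: str
    dest_ip: str
    dest_port: int
    initiated: bool          # True for outbound connections


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_loader(events):
    """The article's loader: 'browser_assistant.exe' under Program Files."""
    return [e for e in events
            if basename(e.image) == "browser_assistant.exe"
            and "\\program files" in e.image.lower()]


def find_explorer_to_pool(events):
    """The miner lives in explorer.exe and talks to the pool itself, so an
    outbound explorer.exe connection to a Stratum port is the IOC. Its
    ordinary web traffic (port 443 here) is left alone."""
    return [e for e in events
            if e.initiated
            and basename(e.image) == "explorer.exe"
            and e.dest_port in STRATUM_PORTS]


def monitor_is_blind(tool: str) -> bool:
    """True if the tool you plan to look with is one the miner pauses for;
    you would then see an idle system. powershell.exe is not on the list."""
    return basename(tool) in STEALTH_TARGETS


def is_afterburner_lure(url_or_host: str) -> bool:
    """Flag download hosts that imitate MSI Afterburner but are not under
    msi.com. Dots/hyphens are dropped and 'l'/'1' read as 'i', so
    'mslafterburners.com' collapses to 'msiafterburnerscom'."""
    raw = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(raw).hostname or "").lower()
    if host == "msi.com" or host.endswith(".msi.com"):
        return False
    collapsed = re.sub(r"[^a-z0-9]", "", host).replace("l", "i").replace("1", "i")
    return "msi" in collapsed and "afterburner" in collapsed


# Constructed sample telemetry (not real data); TEST-NET addresses.
PROCESS_EVENTS = [
    ProcessEvent(1204, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(1310, r"C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe",
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(1388, r"C:\Program Files\browser_assistant.exe",   # assumed path
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(1400, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r"C:\Windows\explorer.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent(2020, r"C:\Windows\explorer.exe", "203.0.113.10", 443, True),
    NetworkEvent(2020, r"C:\Windows\explorer.exe", "198.51.100.7", 3333, True),
    NetworkEvent(1400, r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.10", 443, True),
    NetworkEvent(3100, r"C:\Windows\System32\svchost.exe", "198.51.100.7", 3333, False),
]


def run_hunt(procs=PROCESS_EVENTS, nets=NETWORK_EVENTS):
    """Return findings as a dict: PIDs of the loader and of explorer.exe talking to a pool."""
    return {"loader_pids": [e.pid for e in find_loader(procs)],
            "pool_pids": [e.pid for e in find_explorer_to_pool(nets)]}


if __name__ == "__main__":
    print(run_hunt())
    for site in ("msi-afterburner-download.site", "msi-afterburner.download",
                 "mslafterburners.com", "https://www.msi.com/"):
        print(site, "lure" if is_afterburner_lure(site) else "ok")
    print("Task Manager blind:", monitor_is_blind("Taskmgr.exe"))
```

The two practical points it encodes: look with something the miner does not pause for (powershell.exe is not among the five listed names, Task Manager is), and check explorer.exe's outbound connections rather than its CPU use, since the miner sits inside explorer.exe and only starts after an hour of idle.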


A nasty one to spot, since it hides and doesn't start mining until there's 60 min of idle behind it :)

Unfortunately my googling didn't turn up what software to remove it with (if this were on my machine).
 
I did the community a favour and sent the sample to Microsoft for analysis. Within the next few hours Windows Defender will start reacting to this, although SmartScreen already reacts to the file's trustworthiness.
 
@Kaotik

Couldn't think of anywhere else to put this, but apparently Afterburner development has been discontinued. Or at least the collaboration with its original developer, who lives in Russia. Quite surprising if they really bury that software, since it's probably the most popular one for this purpose.

Source below, and the developer's comments quoted in summary.

7900XT Power usage not visible? | guru3D Forums

The MSI Afterburner project is probably dead.

War and politics are the reasons. I didn't mention it in the MSI Afterburner development news thread, but the project has been semi-abandoned by the company for quite a long time already. Actually, we're approaching the one-year mark since the day MSI stopped performing their obligations under the Afterburner license agreement due to the "political situation". I tried to continue performing my obligations and worked on the project on my own during the last 11 months, but it resulted in nothing but disappointment; I have a feeling that I'm just beating a dead horse and wasting energy on something that is no longer needed by the company. Anyway, I'll try to continue supporting it myself while I have some free time, but will probably need to drop it and switch to something else that allows me to pay my bills.

Everything I said above relates to the Afterburner project, but I said nothing about discontinuing RTSS development. It is a separate and fully hobbyist application created many years before MSI Afterburner was even born. RTSS still gives me a lot of fun developing it and designing new functionality for it; the company is not involved in the development of recently added RTSS plugins like HotkeyHandler/OverlayEditor, which are also fully hobby-inspired. So with or without MSI, RTSS will be alive and get future updates and support.
Talking about the Afterburner part, I see no sense in trying to make it profitable if the company decided to freeze the licensing. So if it is dead, let it be so.
 
