Beware of fake MSI Afterburner that installs cryptojacking and information-stealing malware

midian182

In brief: If you downloaded MSI Afterburner recently, it might be prudent to check your system for any malicious software. Researchers have found that a large number of websites have been impersonating MSI's official site to trick users into downloading malware alongside the overclocking tool.

Cyble Intelligence and Research Lab (CRIL) discovered several phishing campaigns that use MSI Afterburner to deliver XMR (Monero) cryptomining and information-stealing malware via more than 50 fake replica websites.

MSI Afterburner is a free utility that lets you overclock, monitor, and benchmark your GPU and capture video. It works with graphics cards from any vendor, which makes it very popular with those looking to squeeze every drop of performance out of their GPU. You can download it safely from MSI's official site.

But that popularity has seen cybercriminals turn to MSI Afterburner as a way of distributing malware. CRIL writes that the campaigns involve phishing emails, online ads, and various other means of spreading links to the fake websites. Some of the domain names include msi-afterburner-download.site, msi-afterburner.download, and mslafterburners.com.
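The domains quoted above show the two usual lookalike tricks: the brand name placed under an unrelated registrable domain (msi-afterburner.download) and a confusable-character swap (mslafterburners.com, with an "l" standing in for the "i"). The following script is an added example, not code from Cyble or MSI; it folds confusable characters, strips separators and flags any host that still carries the brand tokens but is not under msi.com. The confusable table and the extra control hosts are assumptions constructed for the illustration.

```python
import re

# Domains the vendor actually uses; anything else carrying the brand name is
# a lookalike candidate. msi.com is MSI's real domain; the three fake domains
# listed further down are the ones quoted in the article, and the detection
# logic itself is an added illustration, not Cyble's or MSI's code.
LEGIT_DOMAINS = {"msi.com"}
BRAND_TOKENS = ("msi", "afterburner")

# Characters routinely swapped in lookalike names (assumed, deliberately short
# list). Folding them lets "mslafterburners" line up with "msiafterburners".
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the TLDs seen in this
    campaign (.com, .site, .download); production code should consult the
    Public Suffix List so that names like "msi.co.uk" are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold(host: str) -> str:
    """Canonical form for comparison: lowercase, separators stripped,
    confusable characters mapped to the letter they imitate."""
    return re.sub(r"[-_.]", "", host.lower()).translate(CONFUSABLES)


def classify(host: str) -> str:
    """'legitimate' if the registrable domain is the vendor's own,
    'lookalike' if it is not but the name still carries the brand,
    'unrelated' otherwise."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    folded = fold(host)
    if any(fold(tok) in folded for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def lookalikes_in(hosts):
    """Return the subset of hosts classified as lookalikes, preserving order."""
    return [h for h in hosts if classify(h) == "lookalike"]


# The three domains named in the article plus constructed control entries.
OBSERVED_HOSTS = [
    "www.msi.com",
    "msi-afterburner-download.site",
    "msi-afterburner.download",
    "mslafterburners.com",
    "msi.com.example-proxy.net",   # constructed: brand used as a subdomain elsewhere
    "example.org",                 # constructed: unrelated
]

if __name__ == "__main__":
    for h in OBSERVED_HOSTS:
        print(f"{h:35} {classify(h)}")
```

Run against a proxy or DNS log, the output is a candidate list for blocking or for an alert, not a verdict: a three-letter token like "msi" will also match unrelated names, so pair the check with an allowlist and review hits before acting on them.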

Anyone who downloads and executes the fake MSI Afterburner setup file will find that the real version of the software is installed. However, the installer also adds the RedLine information-stealing malware and an XMR miner to the device.

As with other cryptojacking malware, the miner, which connects to a mining pool to mine Monero using a hardcoded username and password, consumes a huge amount of system resources and severely impacts performance. Bleeping Computer writes that the miner only activates 60 minutes after the CPU goes idle, i.e. when the computer is not running any resource-intensive programs, which also means the device has probably been left unattended.
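The hardcoded pool credentials are the part of this behaviour that is easiest to catch on the wire: a Monero pool login is a small JSON-RPC message sent as the first thing on the connection, and it looks like nothing a normal desktop process emits. The script below is an added example, not anything from the Cyble or Bleeping Computer write-ups; it inspects the first bytes of constructed outbound flows and raises an alert for any that carry a pool authentication message. The process names, hosts, ports and the wallet string are placeholders, not indicators from the report.

```python
import json
from dataclasses import dataclass

# JSON-RPC methods a mining worker sends when it authenticates to a pool.
# Monero (XMR) pools use "login" with the wallet address as the login name;
# Stratum v1 pools for other coins use "mining.subscribe"/"mining.authorize".
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize"}


@dataclass
class Flow:
    """One outbound TCP stream as a sensor might record it (constructed)."""
    process: str
    dst_host: str
    dst_port: int
    payload: str  # first client-to-server bytes, decoded as text


def stratum_login(payload: str):
    """Return (method, worker_login) if the payload is a pool authentication
    message, otherwise None. Non-JSON and unrelated JSON are ignored."""
    try:
        msg = json.loads(payload.strip())
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    if isinstance(params, dict):                # Monero-style: {"login": ..., "pass": ...}
        worker = str(params.get("login", ""))
    elif isinstance(params, list) and params:   # Stratum v1: ["worker", "pass"]
        worker = str(params[0])
    else:
        worker = ""
    return msg["method"], worker


def flag_miners(flows):
    """Return one alert dict per flow that carries a pool login. The worker
    login is recorded because, within one campaign, it is the same hardcoded
    value on every infected host and so makes a good pivot across machines."""
    alerts = []
    for f in flows:
        found = stratum_login(f.payload)
        if found is None:
            continue
        method, worker = found
        alerts.append({
            "process": f.process,
            "destination": f"{f.dst_host}:{f.dst_port}",
            "method": method,
            "worker": worker,
        })
    return alerts


# Constructed sample traffic; none of these values come from the article.
SAMPLE_FLOWS = [
    Flow("browser.exe", "cdn.example.com", 443, "\x16\x03\x01\x02\x00"),   # TLS ClientHello, ignored
    Flow("updater.exe", "api.example.com", 443,
         '{"jsonrpc":"2.0","method":"getVersion","params":[]}'),          # benign JSON-RPC, ignored
    Flow("hidden.exe", "pool.example.net", 3333,
         '{"id":1,"jsonrpc":"2.0","method":"login",'
         '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"worker/1.0"}}'),
    Flow("hidden.exe", "pool2.example.net", 4444,
         '{"id":1,"method":"mining.authorize","params":["WORKER_PLACEHOLDER","x"]}'),
]

if __name__ == "__main__":
    for alert in flag_miners(SAMPLE_FLOWS):
        print(alert)
```

The payload check is what carries the detection; the destination port is kept only as context, since pools listen on arbitrary ports and a miner that talks to its pool over TLS will not expose this message to a passive sensor at all. In that case the idle-timer behaviour described above is the fallback signal: a process whose CPU usage climbs only once the user has been away for about an hour is worth a look regardless of where it connects.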

While this is happening, the RedLine Stealer is running in the background, pilfering passwords, cookies, browser information, and (potentially) cryptocurrency wallets.

Worst of all, the campaigns' malicious elements are only detected by a tiny number of antivirus programs, so discovering you've been infected might not be as easy as running a security tool.

This isn't the first time Afterburner has been used to deliver malicious programs. MSI last year warned people not to visit a duplicate of its official website created by hackers, which contained a malware-loaded piece of software disguised as the overclocking app.

First I thought to ask "why even bother OCing today's dynamic-boosted GPUs anyway?"...
...but then I remembered that you need to undervolt those fission reactors they sell nowadays.
 
Uh, any info on determining if you have the malware? I see that it might be difficult to determine, but no info on how to determine if you're infected.
 
If your computer runs like syrup, you're most likely infected. Download the Malwarebytes free scan, or uninstall and get it from the real website. Easy. The infection can't stay on the PC forever, as antivirus gets updated (Windows Defender, ESET, AVG and so on). If it's running hot, repaste it and run it offline to see if it tries to connect to servers but can't. Install the GlassWire program: https://www.glasswire.com/
 
Excellent place to hide an XMR mining module. Users actually expect their GPU to melt when running MSI Afterburner, so nothing is suspicious.
 
I was burned by this. Let my guard down. The website looked identical to the legitimate one. It was one of the top returns in the Google search. MSI's official Afterburner landing page is incredibly easy to emulate also.

I only became aware after they created an Ads account on my Google account which they used to create MSI Afterburner related ads campaign to further promote the malware, which eventually produced an email to my account and tipped me off.

It's self sustaining in that way.

I ended up formatting the system to ensure it was clean, multiple other attempts to remove it weren't successful.

Google Ads didn't care and wasn't willing to refund... "it's our policy"... They're literally the ones promoting and profiting from it.

Credit card company reversed the charges. Hackers used the saved CC I had with Google for Google One/Play store for this exploit. Never trusting Google with my CC again.