Fake sites for MSI's Afterburner graphics card overclocking tool are flooding the web
November 24 news: according to the latest report released by the security company Cyble, in the past 3 months there have been at least 50 security incidents in which gamers visited fake MSI Afterburner websites, had their information stolen, and had their personal devices used for cryptocurrency mining.
We learned that these phishing sites include but are not limited to the following domain names:
- msi-afterburner–download.site
- msi-afterburner-download.site
- msi-afterburner-download.tech
- msi-afterburner-download.online
- msi-afterburner-download.store
- msi-afterburner-download.ru
- msi-afterburner.download
- mslafterburners.com
- msi-afterburnerr.com
In some cases, the hackers used domains that did not resemble the MSI brand at all and likely promoted them through direct messages, forums, and social media posts. Examples include:
- git[.]git[.]skblxin[.]matrizauto[.]net
- git[.]git[.]git[.]skblxin[.]matrizauto[.]net
- git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
- git[.]git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
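As an added illustration of how the brand-imitating domains above can be screened (example code written for this article, not from Cyble's report): a small Python typosquat check that folds a host down to its letters, strips filler words such as "download", folds common look-alike glyphs (the "msl" in mslafterburners.com), and measures edit distance to "msiafterburner". The allowlisted msi.com domain, the bait-word list and the glyph table are my assumptions; the matrizauto.net hosts show the caveat that a brand-similarity check cannot catch lures that never imitate the brand.

```python
"""Typosquat screening for the MSI Afterburner brand (added example)."""
import re

CANON = "msiafterburner"       # brand name collapsed to bare letters
OFFICIAL = "msi.com"           # registrable domain of the legitimate download page
BAIT = ("download", "official", "setup", "free", "install")  # filler words seen in lures
# Glyphs commonly swapped for look-alikes (assumed table; "msl" for "msi" is in the report)
FOLD = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})

def normalize(domain: str) -> str:
    """Lowercase, re-fang '[.]', drop scheme and path; return the bare host."""
    host = domain.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)
    return host.split("/")[0]

def brand_body(host: str) -> str:
    """Join all labels but the TLD, strip bait words, keep a-z0-9, fold glyphs."""
    labels = host.split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    body = re.sub(r"[^a-z0-9]", "", body)   # drops hyphens, dashes and other punctuation
    for word in BAIT:
        body = body.replace(word, "")
    return body.translate(FOLD)

def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_score(domain: str) -> int:
    """Edit distance from the folded host body to the canonical brand string."""
    return levenshtein(brand_body(normalize(domain)), CANON)

def is_lookalike(domain: str, max_distance: int = 2) -> bool:
    """True when the host imitates the brand and is not under the official domain."""
    host = normalize(domain)
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return False
    return lookalike_score(domain) <= max_distance

if __name__ == "__main__":
    for d in ("msi-afterburner-download.site", "mslafterburners.com",
              "git[.]git[.]skblxin[.]matrizauto[.]net", "www.msi.com"):
        print(f"{d:40} lookalike={is_lookalike(d)} score={lookalike_score(d)}")
```

Defanged indicators ("git[.]git[.]...") are accepted as-is, so the function can be run directly over a report's indicator list.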
Once users download the MSI Afterburner installer (MSIAfterburnerSetup.msi) from these phishing websites, the RedLine information-stealing malware and an XMR (Monero) mining program are silently dropped and run during the installation process.
The miner is installed via a 64-bit Python executable named “browser_assistant.exe” in the local Program Files directory, which injects shellcode into a process created by the installer. One of the XMR miner's parameters, “CPU Max Threads”, is set to 20, which is higher than the thread count of most modern CPUs, indicating that it is configured to consume all available processing power.
Legitimate MSI Afterburner can be downloaded directly from MSI at www.msi.com/Landing/afterburner/graphics-cards.