The discovery comes from security company Trend Micro, which says the malware arrives on the victim’s computer as a Windows Installer MSI file. This is worth noting because Windows Installer is a legitimate Windows component for installing software: packaging the malware in a real installer format makes it look less suspicious and may allow it to bypass certain security filters.
The hacker’s tricks don’t stop there. The researchers pointed out that once installed, the malware’s directory contains various files that act as decoys. In addition, the installer comes with a script that kills any anti-malware processes running on the victim’s computer, as well as the cryptocurrency mining module itself.
The researchers also observed that the malware has a built-in self-destruct mechanism that makes detection and analysis more difficult: it deletes every file in its installation directory and removes any traces of the installation from the system. Although Trend Micro was unable to attribute the attack to a specific country, it noticed that the installer used Cyrillic. Admittedly, Cyrillic appears to be very popular among cryptocurrency criminals.