Fake MSI Afterburner Infects Targets With Coin Miner, Password Stealer

MSI Afterburner
MSI Afterburner (Image credit: MSI)

If your system has been running sluggishly, you should check if you have the legit version of MSI Afterburner. Cyble Intelligence and Research Lab (CRIL) has recently uncovered a phishing campaign to infect gamers with cryptocurrency miners and information stealers through fake MSI Afterburner software. The firm has identified around 50 phony websites over the past three months.

MSI Afterburner is one of the more popular graphics card software for monitoring, tweaking, and overclocking the best graphics cards on the market. Therefore, it doesn't come as a shock that threat actors are impersonating MSI's software. It's not the first time that perpetrators are targeting MSI Afterburner, either. MSI detected a similar incident last year. However, it would seem that the threat actors back at it again now that Nvidia is rolling out its GeForce RTX 40-series graphics cards and AMD is on the brink of unleashing the Radeon RX 7900-series products. The criminals couldn't find a better time to set up shop.

The modus operandi consists of distributing the malware through phishing emails, online advertisements, forums, and other mediums. The phishing websites look precisely like MSI's official Afterburner download page. You can spot fraud by looking at the domain names. Cyble has identified some of the fake domains, such as msi-afterburner-download.site, msi-afterburner.download and mslafterburners.com. Some are already offline, but more are bound to show up.

The malware infects the victim's system with an XMR miner that stealthily connects to a mining pool to harvest Monero. Meanwhile, the program simultaneously steals the hijacked user's sensitive information like computer name, username, and other data.

If you just got a brand new graphics card or need to redownload MSI Afterburner, remember to get it from MSI's website and avoid third-party distributors. If you're using Google, look at the website's URL carefully before clicking.

Zhiye Liu
News Editor and Memory Reviewer

Zhiye Liu is a news editor and memory reviewer at Tom’s Hardware. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.

  • Phaaze88
    Should be common sense to get yo from the official sites...
    The Windows key resellers, I get why some would go to them, but Afterburner is already free...
    Reply
  • JarredWaltonGPU
    Phaaze88 said:
    Should be common sense to get yo from the official sites...
    The Windows key resellers, I get why some would go to them, but Afterburner is already free...
    Not that they would infect you, but I often find Guru3D ranking first on my download pages for MSI Afterburner, with MSI's page being second. I was once trying to get my dad to install TeamViewer so I could remotely connect to his PC to try and help him, and I swear it took 30 minutes of excruciatingly painful talk on the phone to get him to do it the right way. I'm not sure what he did the first time, but he ended up at some malicious download location.

    Me: "Type 'www.teamviewer.com' into your browser address bar and press enter."
    Dad: "Okay."
    Me: "You should see a blue screen with a black 'Download for free' button in the middle-left."
    Dad: "I don't see anything like that."
    ...
    Me: "Um, what browser are you using?"
    Dad: "Windows."
    Me:
    What's really hard is that he used to be at least somewhat competent on computers. He was one of the first computer guys back in the 60s! Worked for IBM for a while, also did AS400 consulting for 20 or so years. These days, at 87, he's very much slowing down and getting into the senile stages of life.
    Reply
  • Phaaze88
    Might be due to me using duckduckgo...
    Reply
  • I have ALWAYS downloaded and installed MSI Afterburner from the official Guru3D downloads section link. Never tried any other software hosting website. Makes little sense why would someone install this software tool from unknown sources.
    Reply
  • umeng2002_2
    Go straight to the tap at guru3d.com
    Reply
  • Alvar "Miles" Udell
    I did a quick test between Google, Bing, and DuckDuckGo, and Google lists the official site, Guru3D, and TechSpot as the top three results, DDG lists the official site and then two very sketchy sites, and Bing lists the official site, a sketchy site, and Techspot as their top three.

    Just a reminder that while analytics may be something we dislike about companies, they do help protect against sketchy stuff.
    Reply
  • JarredWaltonGPU
    Alvar Miles Udell said:
    I did a quick test between Google, Bing, and DuckDuckGo, and Google lists the official site, Guru3D, and TechSpot as the top three results, DDG lists the official site and then two very sketchy sites, and Bing lists the official site, a sketchy site, and Techspot as their top three.

    Just a reminder that while analytics may be something we dislike about companies, they do help protect against sketchy stuff.
    It's the love/hate relationship people end up having with Google. They're a huge corporation with massive control over what we see online, but so far their search results are almost universally better than DuckDuckGo and Bing, etc. It's disgusting that both of those end up pointing at the fake msiafterburner.co site.
    Reply
  • Phaaze88
    When I search 'msi afterburner', I get this:
    Fb3JroH4th link fake.

    When I search 'msi afterburner download', I get this:
    O2cTrit3rd and 7th are sus.

    ¯\(ツ)/¯ What am I doing wrong?
    Reply
  • JarredWaltonGPU
    Phaaze88 said:
    When I search 'msi afterburner', I get this:
    Fb3JroH4th link fake.

    When I search 'msi afterburner download', I get this:
    O2cTrit3rd and 7th are sus.

    ¯\(ツ)/¯ What am I doing wrong?
    No, that's correct. What I'm saying is that a reputable search engine should actively detect and ban any malware results. Google actually does that, Bing and DuckDuckGo have malware results on the first page. Anywhere on the first page rates as a fail in my book.
    Reply