What is Nvidia RTX-LHR v2 Unlocker and How Does it Work?

Spreading malware through community phishing

On February 22, the crypto mining community received a massive fake news alert that claimed to successfully unlock the Nvidia LHR mining prevention feature. This was later reported as malware and is what we refer to as community phishing. The hackers infiltrated the online community forums and other media channels and spread malware under false promises aligned with the community’s needs.

This type of malware is an assembly of “maltools” that can be found easily and need minimal knowledge to operate. Such a campaign shows us how easy it is for anyone to create malware that evades security products and achieves the hacker’s goals.

PureCrypter and PurgeStealer are some of the maltools the hackers used to compile an info stealer malware, with evasion capabilities using C#, and a wide verity of info gathering exfiltrated through gofile.io and Discord.

Introduction to the attack

Cryptocurrency became popular in the past decade and formed a new way to execute money transactions. Since cryptocurrency is decentralized by design, it requires network validation for a transaction. A confirmation usually requires a high computing resource to execute the algorithm for such validation.

In 2020 Nvidia released the GeForce 30 series, including the RTX feature that it is most related to. In the beginning, it used Gamers and Miners as one. Later on, Nvidia announced the 30XX series Lite Hash Rate (LHR) in May 2021 to distinguish between a product that supports mining to one that supports gaming only. The reason is likely business-related, while Nvidia declares they are getting the GeForce products to the hands of gamers, miners should use the CMP series.

On February 23, hackers released an info stealer malware under the disguise of the Nvidia LHR v2 Unlocker tool. Naturally, the community of Ethereum miners who desired such a tool was the target, but they didn’t fall for it by giving them credit. The previous day, many news sites did publish an article that helped the hackers spread their malware, and shortly afterward, they published an update confirming it was malware.

The malware targeted miners’ wallets and any other tools found on an Etherium miner machine. However, other data was also gathered, such as browser data (passwords, history, and cookies).

Timeline

The attack was concise, and stopped a few hours later with no apparent reason. It could have been a bug, or the attacker was afraid to get caught, and it could be the reason the phishing target was aware of the threat and thwarted it.

I’ve noted the use of the PurgeStealer because of the close time between release and when the attacker starts the campaign using it. Another coincidence related to the Nvidia LHR was that the Lapsus$ group hacked Nvidia and stole their IP. Using this IP and other private data, they could hack the LHR and try to sell it for $1 million.

Attack vector

1. T1566 – It starts with community phishing, as we call it, since the attacker creates a false presentation of a desired or curious item and asks the users to execute it.
2. T1059.001 – The installer runs an elevated powershell from the installer.
3. T1620 – The first dropper executable uses reflective code loading to execute in memory attack and avoid writing the disk and therefore evade certain security products.
4. T1218.009 – The second dropper is heavily obfuscated and implements anti-debug, anti-reverse, and evasion techniques. In the end, it uses RegAsm.exe as a proxy to execute the info stealer malware.
5. T1567.002 – The malware exploits the Gofile.io web storage service to exfiltrate the stolen data without reducing the chances of getting caught by network monitoring security products.
6. The attacker’s primary goal is assumed to be crypto wallets, and the very targeted users can yield it.

Conclusions

I decided to call this attack “Community Phishing” since it uses the phishing technique of making users execute programs or files on their machine under the impression of a legitimate file, and using the community channels as a medium. The attacker understands the potential victims’ needs and exploits them to deliver malware. And by targeting a community, several assumptions are very likely to increase the impact of the attack: the victims are owners of Nvidia RTX graphic cards, and they are interested in Ethereum mining.

There is more than one way to gain from infecting such specific machines. For example, the malware could be a miner, and it would gain from running on powerful devices. Another could be more hardware-related attacks that may exploit vulnerabilities in the Nvidia drivers and take control of the system in a more persistent and stealthy manner.

Never mind the attack’s goal, the concern with this particular attack was the ease at which it occurred – anyone can create malware using maltools. Maltools can be found everywhere, they are pretty reliable and straightforward, and thanks to cryptocurrency, criminals can buy it anonymously.

Phishing is the most common technique for malware delivery, and we can see there are more ways than traditional email phishing to execute it. At Datto, we specialize in initial vector detection and prevention, including phishing attacks. We want to remind you never to trust anything delivered to you without asking for it. Always double-check the source, and stay virtually safe.