Microsoft Threat Intelligence has found out about a sophisticated cryptojacking campaign that combines web exploitation and extremely sophisticated social engineering.
This campaign deliberately targets hardware enthusiasts and PC gamers to hijack their high-performance GPU resources in order to illegally mine cryptocurrencies.
Microsoft Defender Experts observed that threat actors are now poisoning AI chatbot results to trick unsuspecting users into downloading malware.
HOT Stories XRP Hits $1.4B in ETF Cash Shiba Inu (SHIB) Sellers Exhausted, Dogecoin (DOGE) Zero Addition Question of Time, XRP Recovery Starts: Crypto Market Review
The AI and SEO attack chain
Cryptojacking campaigns tend to prioritize infection volume over precision.
However, this newly discovered campaign has been specifically designed to get as much yield per device as possible.
Attackers lure targets using Search Engine Optimization (SEO) poisoning as well as malicious links embedded in responses generated by Large Language Model (LLM) chatbots.
card
Users who want to download some legitimate software are directed to lookalike domains.
Malicious sites masquerade as popular hardware monitoring and system utilities.
Compromised download packages include CrystalDiskInfo, HWMonitor, FurMark, and so on.
Advanced evasion
After downloading the targeted software, they receive a ZIP archive with a malicious file.
The system quietly launches the malware via DLL sideloading.
From there, the malware deploys ScreenConnect, which is a legitimate commercial remote management tool. This makes it possible for nefarious actors to gain persistent access to the machine.
The threat actors execute a technique known as process hollowing.
A custom .NET payload called launches a trusted, Microsoft-signed Windows utility and injects its mining code directly into the trusted utility's memory space.
The loader then downloads GPU-focused mining clients of the likes of gminer.
The malware constantly monitors the host system to remain undetected:
It monitors active GPU usage and user idle time. The miner automatically terminates its activity so the victim doesn't notice a sudden drop in PC performance.
The software repeatedly manipulates Windows PowerShell to add exclusion paths to antivirus settings.
Microsoft confirmed that Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect and block threats tied to this campaign.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
