An ongoing cryptojacking operation targets high-performance computers by manipulating search rankings and AI chatbot recommendations to promote malicious download pages for legitimate utilities like CrystalDiskInfo, HWMonitor, and PDFgear. Microsoft researchers discovered the campaign delivers ZIP archives containing the legitimate utility executable alongside a malicious DLL that installs the ScreenConnect remote management tool for persistent access. The attacker then drops SimpleRunPE.exe, which establishes six persistence mechanisms across multiple Windows autostart locations and uses process hollowing into Microsoft-signed .NET binaries to evade detection.
The malware checks for virtual machines and for 40 known analysis-tool processes, and terminates if any are found; it also adds its own path to Microsoft Defender's exclusion list via PowerShell. After successful process hollowing, the malware downloads and executes one of three GPU mining modules: gminer, lolMiner, or SRBMiner-MULTI. Microsoft notes this campaign stands out for its monetization strategy, which is engineered specifically to maximize GPU mining yield per compromised device rather than to maximize infection volume.
Some users were directed to the malicious domains by AI chatbot responses when they asked for software download recommendations. The threat actor uses the domain gleeze.com, previously flagged for phishing associations, to host the malicious archives. The PDB path of SimpleRunPE.exe indicates it is a fork of a public repository demonstrating process hollowing techniques. Organizations are advised to use the indicators of compromise in Microsoft's report to detect and block the campaign.
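As a defender-side complement to the summary above, the following single-host PowerShell triage script is an added example, not code from Microsoft's report or the article: it lists current Defender exclusions and recent exclusion changes, dumps the common autostart locations, and looks for the remote-access tool and miner names mentioned above. The cmdlets and Defender event ID 5007 are standard Windows features; the user-writable path heuristic in the scheduled-task filter is an assumption.

```powershell
# Added hunting script (not from Microsoft's report). Tool and miner names come
# from the article; the path heuristics are assumptions for triage only.
$findings = @()

# 1. Defender exclusions: the malware adds its own path via PowerShell.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($p) { $findings += "Defender exclusion present: $p" }
}
# Event ID 5007 records every Defender configuration change, including new exclusions.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5007} `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { $findings += "Defender config change at $($_.TimeCreated): $(($_.Message -split "`n")[0])" }

# 2. Autostart locations (the report cites six persistence mechanisms; these are the usual suspects).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings += "Run key ${k}\$($_.Name) = $($_.Value)" }
    }
}
Get-CimInstance Win32_StartupCommand |
    ForEach-Object { $findings += "Startup item: $($_.Name) -> $($_.Command)" }
# Assumption: persistence binaries live in user-writable directories.
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'AppData|Temp|ProgramData' } |
    ForEach-Object { $findings += "Scheduled task launching from user-writable path: $($_.TaskName)" }

# 3. Remote-access tool, loader and miner process names named in the article.
$suspectNames = 'SimpleRunPE', 'ScreenConnect', 'gminer', 'lolMiner', 'SRBMiner-MULTI'
Get-Process | Where-Object { $n = $_.ProcessName; $suspectNames | Where-Object { $n -like "*$_*" } } |
    ForEach-Object { $findings += "Process match: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }
Get-Service | Where-Object { $_.DisplayName -match 'ScreenConnect' } |
    ForEach-Object { $findings += "ScreenConnect service: $($_.Name) [$($_.Status)]" }

$findings | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session so Get-MpPreference and the HKLM keys are readable; any Defender exclusion or ScreenConnect service on a workstation that has no business running either deserves a closer look.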
