Microsoft Threat Intelligence has found out about a sophisticated cryptojacking campaign that combines web exploitation and extremely sophisticated social engineering.
This campaign deliberately targets hardware enthusiasts and PC gamers to hijack their high-performance GPU resources in order to illegally mine cryptocurrencies.
Microsoft Defender Experts observed that threat actors are now poisoning AI chatbot results to trick unsuspecting users into downloading malware.
The AI and SEO attack chain
Cryptojacking campaigns tend to prioritize infection volume over precision.
However, this newly discovered campaign has been specifically designed to get as much yield per device as possible.
Attackers lure targets using Search Engine Optimization (SEO) poisoning as well as malicious links embedded in responses generated by Large Language Model (LLM) chatbots.
card
Users who want to download some legitimate software are directed to lookalike domains.
Malicious sites masquerade as popular hardware monitoring and system utilities.
Compromised download packages include CrystalDiskInfo, HWMonitor, FurMark, and so on.
Advanced evasion
After downloading the targeted software, they receive a ZIP archive with a malicious file.
The system quietly launches the malware via DLL sideloading.
From there, the malware deploys ScreenConnect, which is a legitimate commercial remote management tool. This makes it possible for nefarious actors to gain persistent access to the machine.
The threat actors execute a technique known as process hollowing.
A custom .NET payload called launches a trusted, Microsoft-signed Windows utility and injects its mining code directly into the trusted utility's memory space.
The loader then downloads GPU-focused mining clients of the likes of gminer.
The malware constantly monitors the host system to remain undetected:
It monitors active GPU usage and user idle time. The miner automatically terminates its activity so the victim doesn't notice a sudden drop in PC performance.
The software repeatedly manipulates Windows PowerShell to add exclusion paths to antivirus settings.
Microsoft confirmed that Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect and block threats tied to this campaign.
Dan Burgin
