
New Cryptojacking Operation Discovered by Darktrace: Evasively Targeting Windows Systems

8 hours ago

Cryptojacking Operation Unveiled

A recent analysis by cybersecurity firm Darktrace has unveiled a sophisticated cryptojacking operation that cleverly avoids detection by Windows Defender while deploying software for cryptocurrency mining. This campaign, initially recognized in late July, operates through a multi-layered infection protocol aimed at commandeering the processing capabilities of computers in silence, as reported by Darktrace specialists Keanna Grelicha and Tara Gould.

Exploitation of PowerShell

Targeting systems running on Windows, the campaign exploits PowerShell—Microsoft’s command-line interface and scripting language—enabling cybercriminals to execute harmful scripts and secure unauthorized access to the device. These scripts are particularly dangerous as they are designed to operate in the system’s RAM, evading conventional antivirus software that typically scans hard drives for threats.

Use of AutoIt Programming Language

To facilitate the operation, attackers employ the AutoIt programming language, often used by IT professionals for task automation, to insert a harmful loader into a legitimate Windows process. This loader is capable of downloading and executing a cryptocurrency mining application without obvious indications of its presence on the system.

Loader Functionality and Mining Application

The loader is programmed with checks to ascertain its environment, proceeding only if Windows Defender is the sole antivirus solution in place. Should the infected account lack administrative privileges, the loader attempts to bypass User Account Control to elevate its access rights. Once these conditions are met, it downloads NBMiner, a popular tool used for mining various cryptocurrencies, including Ravencoin (RVN) and Monero (XMR).
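As an added, illustrative example (not Darktrace's detection logic or any code from the report), the following correlation rule flags the chain the article describes: PowerShell running code from memory, spawning the AutoIt interpreter, whose descendant opens a connection to a mining-pool port. The telemetry, hostnames, ports and the `pool.example.invalid` destination are constructed placeholders.

```python
import re

# Constructed Sysmon-style telemetry (placeholders, not indicators from the report).
EVENTS = [
    {"host": "ws01", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws01", "type": "process", "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},  # encoded command, constructed
    {"host": "ws01", "type": "process", "pid": 300, "ppid": 200, "image": "AutoIt3.exe",
     "cmdline": "AutoIt3.exe C:\\Users\\Public\\loader.a3x"},
    {"host": "ws01", "type": "process", "pid": 400, "ppid": 300, "image": "svchost.exe", "cmdline": "svchost.exe"},
    {"host": "ws01", "type": "network", "pid": 400, "dest": "pool.example.invalid", "dport": 3333},
    # Benign admin work on ws02: PowerShell from a script file, then an unrelated connection.
    {"host": "ws02", "type": "process", "pid": 500, "ppid": 1, "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "ws02", "type": "network", "pid": 500, "dest": "203.0.113.5", "dport": 3333},
]

# Stage 1: PowerShell running code from memory rather than from a script on disk.
PS_INMEMORY = re.compile(r"-enc\w*|\biex\b|invoke-expression|downloadstring|frombase64string", re.I)
# Stage 2: the AutoIt interpreter (compiled AutoIt scripts may carry any name; extend as needed).
AUTOIT = {"autoit3.exe", "autoit3_x64.exe"}
# Stage 3: constructed watch-list of ports commonly used by stratum mining pools.
MINING_PORTS = {3333, 4444, 5555, 14444}

def _lineage(parents, pid):
    """Return [pid, parent, grandparent, ...] by walking the process tree."""
    chain = []
    while pid in parents and pid not in chain:
        chain.append(pid)
        pid = parents[pid]
    return chain

def find_miner_chains(events):
    """One finding per pool-port connection whose process descends from AutoIt,
    which in turn descends from in-memory PowerShell (the chain in the article)."""
    findings = []
    for net in (e for e in events if e["type"] == "network" and e["dport"] in MINING_PORTS):
        procs = {e["pid"]: e for e in events if e["type"] == "process" and e["host"] == net["host"]}
        lineage = _lineage({p: e["ppid"] for p, e in procs.items()}, net["pid"])
        autoit = next((p for p in lineage if procs[p]["image"].lower() in AUTOIT), None)
        if autoit is None:
            continue
        ancestors = lineage[lineage.index(autoit) + 1:]
        ps = next((p for p in ancestors if procs[p]["image"].lower() == "powershell.exe"
                   and PS_INMEMORY.search(procs[p]["cmdline"])), None)
        if ps is not None:
            findings.append({"host": net["host"], "powershell": ps, "autoit": autoit,
                             "miner_pid": net["pid"], "dest": net["dest"], "dport": net["dport"]})
    return findings
```

Running `find_miner_chains(EVENTS)` reports the ws01 chain (pids 200, 300, 400) and stays silent on ws02, where a pool-port connection alone has no PowerShell or AutoIt ancestry.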

Darktrace’s Response

In a swift response to this intrusion, Darktrace utilized its Autonomous Response technology to contain the threat, successfully preventing the infected device from establishing outbound connections to suspicious locations.

Market Context and Previous Incidents

With the total cryptocurrency market capitalization approaching USD 4 trillion, the allure of cryptomining continues to attract malicious actors who view it as a lucrative endeavor, according to Darktrace’s team. Previously, in July, Darktrace highlighted another cryptojacking incident in which attackers employed elaborate social engineering tactics, posing as representatives of legitimate companies, to trick users into downloading modified software that installed malware aimed at stealing cryptocurrencies. That campaign differed from the present one in that it affected both Windows and macOS and relied on users unknowingly executing the malware themselves, believing they were dealing with trustworthy insiders.
