Cyber Web Spider Blog – News


Crypto Mining Malware Targets Air-Gapped Systems via USB

Posted on February 19, 2026 By CWS

A new and sophisticated cryptocurrency mining campaign has been identified that spreads to systems via external storage devices, with the capability to infiltrate even air-gapped environments. This malware uses advanced techniques to ensure persistence and expand its reach.

Infection Mechanics and Propagation

The malware initiates its attack through pirated software posing as legitimate office productivity suite installers. Once activated, it deploys multiple components that work together to maintain its presence and maximize Monero cryptocurrency mining output. Its persistence is further supported by watchdog processes that ensure the malware can recover quickly if any component is terminated.

What sets this campaign apart is its ability to spread through external drives. When a user connects a USB flash drive or an external hard disk, the malware automatically transfers itself to the device, creating hidden folders with misleading shortcuts. This enables the malware to move across networks, even affecting air-gapped systems through physical media transfer.

Technical Sophistication and Kernel Exploitation

The malware employs kernel-level exploitation to enhance its performance. By using a Bring Your Own Vulnerable Driver technique, it deploys a legitimate but vulnerable driver, WinRing0x64.sys, which contains CVE-2020-14979. This allows the malware to gain kernel privileges, bypassing standard security measures.

With kernel access, the malware modifies CPU registers to optimize the RandomX mining algorithm, increasing the Monero mining efficiency by 15 to 50 percent. This is achieved without writing malicious drivers, utilizing the vulnerable driver’s valid digital signature instead.

Preventive Measures and Security Recommendations

The campaign operates with a planned lifecycle, utilizing temporal controls that activate cleanup routines after December 23, 2025, suggesting strategic planning by the attackers. To combat this threat, organizations are advised to enforce Microsoft’s Vulnerable Driver Blocklist and implement device control policies to restrict the use of removable media.

Additionally, security teams should configure web filtering to block connections to mining pools and raise awareness about the risks of pirated software. These steps are crucial in preventing the spread of this sophisticated malware.
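The following PowerShell script is an added example for defenders and is not code from the article or from any vendor report; it turns three points above into host-side checks: whether the WinRing0x64.sys driver named in the kernel-exploitation section is registered or loaded, whether Microsoft's Vulnerable Driver Blocklist is switched on, and whether any removable drive carries the hidden-folder-plus-shortcut pattern described for USB propagation. It assumes it is run from an elevated PowerShell session, and that the registry value VulnerableDriverBlocklistEnable under HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config reflects the blocklist toggle (an assumption about the platform, not something the article states).

```powershell
# Added defender triage example (not from the article). Run as Administrator.
# Findings are leads for investigation, not verdicts: a WinRing0 driver may be
# present legitimately (hardware monitoring tools ship it), and hidden folders
# or shortcuts at a drive root are only suspicious in context.

# 1. Look for the vulnerable WinRing0 driver, whether loaded or merely registered.
$suspectDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WinRing0' -or $_.Name -match 'WinRing0' }
if ($suspectDrivers) {
    Write-Warning 'WinRing0 driver service found; verify the owning software.'
    $suspectDrivers | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
} else {
    Write-Output 'No WinRing0 driver service registered.'
}

# 2. Report whether the Microsoft Vulnerable Driver Blocklist is enabled.
#    Assumption: the toggle is the DWORD VulnerableDriverBlocklistEnable under CI\Config.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($blocklist) {
    1       { Write-Output  'Vulnerable Driver Blocklist: enabled' }
    0       { Write-Warning 'Vulnerable Driver Blocklist: explicitly disabled' }
    default { Write-Warning 'Vulnerable Driver Blocklist: value not set; effective state depends on OS build and HVCI' }
}

# 3. Inspect the root of every removable drive (DriveType 2) for hidden directories
#    and shortcut files, the propagation pattern the article describes.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root       = $_.DeviceID + '\'
    $hiddenDirs = @(Get-ChildItem -Path $root -Directory -Hidden -ErrorAction SilentlyContinue)
    $shortcuts  = @(Get-ChildItem -Path $root -Filter '*.lnk' -File -ErrorAction SilentlyContinue)
    if ($hiddenDirs.Count -gt 0 -or $shortcuts.Count -gt 0) {
        Write-Warning "Removable drive $root has $($hiddenDirs.Count) hidden folder(s) and $($shortcuts.Count) shortcut(s) at its root; review before opening anything on it."
        $hiddenDirs | Select-Object FullName, LastWriteTime
        $shortcuts  | Select-Object FullName, LastWriteTime
    } else {
        Write-Output "Removable drive $root: no hidden folders or shortcuts at root."
    }
}
```

The driver check casts a wide net on purpose: a BYOVD driver is usually registered as a normal kernel service, so a service whose PathName points at WinRing0x64.sys is worth reviewing even when its State is Stopped. The removable-media check only reports; quarantining the drive, pulling the shortcut targets and correlating with the host's process creation logs are the next steps for the responder.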


Copyright © 2026 Cyber Web Spider Blog – News.
