Cyber Web Spider Blog – News
New Malware Leverages Windows Character Map to Bypass Windows Defender and Mine Cryptocurrency for The Attackers

Posted on September 5, 2025 By CWS

A recently discovered strain of cryptomining malware has captured the attention of security teams worldwide by abusing the built-in Windows Character Map utility as an execution host.

The threat actor initiates the attack via a PowerShell script that downloads and executes a heavily obfuscated AutoIt loader entirely in memory, avoiding disk writes and common detection methods.

Early indications suggest that this novel technique represents an evolution in cryptojacking tactics, with the malicious payload persistently injecting itself into legitimate Windows processes.

The infection begins when a compromised workstation reaches out to a rare external endpoint over HTTP, requesting a PowerShell script named infect.ps1.

DarkTrace researchers identified this anomaly by detecting a new PowerShell user-agent fingerprint, triggering high-fidelity alerts tied to command-and-control activity.

Screenshot of the ‘infect.ps1’ PowerShell script observed in the attack (Source – DarkTrace)

Upon retrieval, the script decodes several Base64- and XOR-encoded blobs, reconstructs an AutoIt binary in the user’s AppData folder, and establishes persistence via a startup shortcut.

At each stage, the actor has embedded evasion measures, including registry checks and UAC bypass attempts, to ensure uninterrupted mining operations.

Screenshot of the second-stage AutoIt script (Source – DarkTrace)

Once the AutoIt binary is launched, it performs process injection via charmap.exe (Windows Character Map). DarkTrace analysts noted that the loader requests a handle to charmap.exe, allocates executable memory, and writes the decrypted NBMiner payload into that region.

By executing the miner inside a trusted Microsoft process, the malware sidesteps signature-based defenses in Windows Defender, allowing it to connect to remote mining pools undetected.

Targeted organizations have reported spikes in CPU utilization and unexplained power costs, underscoring the financial impact of these stealthy operations.

The final phase of the attack involves spawning the NBMiner process with arguments optimized for the KawPoW algorithm:

NBMiner.exe -a kawpow -o asia.ravenminer.com:3838 -u R9KVhfjiqSuSVcpYw5G8VDayPkjSipbiMb.worker -i 60

The actor hides the process window and implements anti-sandbox delays, only proceeding when Windows Defender is the sole antivirus present.

A lookup of DNS requests reveals repeated queries for monerooceans.stream and subsequent TCP connections to 152.53.121.6:10001, confirming active mining traffic.

Infection Mechanism

Digging deeper into the infection mechanism reveals a two-stage loader architecture. The initial PowerShell dropper embeds three encoded data segments: the AutoIt executable, a persistence script, and the injection stub.

After writing these files to %LOCALAPPDATA%, the script launches AutoIt to read and decode the second blob using XOR key 47.

The loader then bypasses UAC via Fodhelper, grants itself administrative privileges, and invokes charmap.exe for in-memory payload injection.

This chain of staging and obfuscation allows the malware to maintain a minimal footprint on disk while executing complex evasion routines.

By chaining these techniques, the adversary demonstrates a sophisticated understanding of Windows internals and Defender loopholes, raising the bar for detection and response.
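The observable stages of this chain (the PowerShell stager download, Character Map being launched by an unexpected parent and then opening sockets, the pool DNS queries and endpoint, and the NBMiner KawPoW command line) can be turned into detection rules. The following is an added example, not DarkTrace's or the blog's own code: it runs a small rule set over a constructed, simplified event schema, using only the indicators quoted in the article; the event field names, the loader path and the stager host address are assumptions.

```python
import re

# Indicators are those quoted in the DarkTrace write-up; the event schema and the
# sample events are constructed for this example, not real telemetry.
POOL_DOMAINS = {"asia.ravenminer.com", "monerooceans.stream"}
POOL_ENDPOINT = ("152.53.121.6", 10001)
MINER_CMDLINE = re.compile(r"nbminer(\.exe)?\b.*\s-a\s+kawpow\b", re.I)

def image_name(path):  # "C:\Windows\System32\charmap.exe" -> "charmap.exe"
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(ev):
    """Return the names of the detections that fire for one telemetry event."""
    hits, kind = [], ev["kind"]
    if kind == "process_create":
        if MINER_CMDLINE.search(ev["cmdline"]):
            hits.append("nbminer-kawpow-cmdline")
        # Character Map is an interactive accessory; a parent other than the shell is odd.
        if image_name(ev["image"]) == "charmap.exe" and image_name(ev["parent"]) != "explorer.exe":
            hits.append("charmap-unusual-parent")
    elif kind == "network":
        if image_name(ev["image"]) == "charmap.exe":  # charmap.exe never needs a socket
            hits.append("charmap-network-connection")
        if (ev["dst_ip"], ev["dst_port"]) == POOL_ENDPOINT:
            hits.append("known-mining-endpoint")
    elif kind == "dns":
        if ev["query"].lower().rstrip(".") in POOL_DOMAINS:
            hits.append("mining-pool-dns")
    elif kind == "http":
        # PowerShell's web cmdlets advertise "WindowsPowerShell/" in their default User-Agent.
        if ev["url"].lower().endswith("/infect.ps1") and "WindowsPowerShell/" in ev["user_agent"]:
            hits.append("powershell-stager-download")
    return hits

def scan(events):
    """Map each event index to the detections it triggered; clean events are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

SAMPLE_EVENTS = [  # constructed; 203.0.113.10 is a documentation address standing in for the stager host
    {"kind": "http", "url": "http://203.0.113.10/infect.ps1",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"},
    {"kind": "process_create", "image": r"C:\Windows\System32\charmap.exe",
     "parent": r"C:\Users\alice\AppData\Local\loader.exe", "cmdline": "charmap.exe"},
    {"kind": "network", "image": r"C:\Windows\System32\charmap.exe", "dst_ip": "152.53.121.6", "dst_port": 10001},
    {"kind": "dns", "query": "monerooceans.stream."},
    {"kind": "process_create", "image": r"C:\Users\alice\AppData\Local\NBMiner.exe",
     "parent": r"C:\Windows\System32\charmap.exe",
     "cmdline": "NBMiner.exe -a kawpow -o asia.ravenminer.com:3838 -u WALLET.worker -i 60"},
    {"kind": "http", "url": "http://intranet.example/update.ps1", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
]
```

Each rule stands on its own, but the combination of a charmap.exe socket plus a pool endpoint on one host is the high-confidence signal; a single DNS hit alone would warrant a look rather than an alert.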
