Microsoft has issued a warning about a new cryptojacking campaign that uses AI chatbots to steer users to malicious download sites. According to Microsoft’s report, the tactic takes social engineering a step further: because the recommendation arrives through a chatbot rather than through ordinary search results, the malicious download suggestion reaches users who would not otherwise have encountered it.
Impersonation of Legitimate Utilities
The campaign is reported to mimic authentic system utilities such as CrystalDiskInfo and HWMonitor, targeting users with high-performance GPUs. The aim is to compromise systems with greater mining potential rather than casting a wide net to infect numerous devices. Besides financial motives, the attackers are establishing remote access to affected hosts through ScreenConnect deployments, potentially for data theft or ransomware attacks.
Strategic Attack Methods
The attack is notably calculated, focusing on endpoints that enhance mining yields per infected device. Microsoft has detected and blocked activities linked to this campaign. Initially, users searching for trusted utilities encountered malicious sites manipulated through SEO poisoning. Recent observations indicate a shift, with users being directed via AI chatbot interactions.
Persistent Threat Tactics
Users who asked AI chatbots for software download recommendations received links to attacker-controlled domains. These sites feature download buttons that retrieve a ZIP archive from a malicious subdomain; more than 150 such domains have been identified distributing the tools. The downloaded ZIP contains a legitimate executable and a rogue DLL, which installs a secondary malicious DLL via “msiexec.exe,” leading to the installation of ScreenConnect.
Once installed, ScreenConnect attempts to connect to an attacker-controlled server, which is then used to execute “SimpleRunPE.exe.” This binary establishes persistence through Registry Run keys, configures Defender exclusions, and employs anti-analysis techniques. In some cases, a PowerShell script retrieves the binary, masked as “vlc.exe,” to avoid detection.
Conclusion and Future Outlook
This blend of AI-driven delivery, software impersonation, and persistent access underscores evolving social engineering strategies. Recent exploits highlight the ongoing risk posed by internet-facing appliances and over-privileged identities. Microsoft emphasizes the need for vigilant verification of third-party services and management tools to thwart such stealthy persistence mechanisms. Organizations, particularly in sensitive sectors, should brace for continued refinement of third-party abuse and credential theft by threat actors.
