Darktrace has uncovered a new cryptojacking campaign targeting Windows systems. The threat exploits vulnerabilities to mine cryptocurrency covertly on compromised machines.
Detection of Cryptojacking
The campaign was first identified in late July and represents a multi-stage infection chain that quietly hijacks a computer's processing power for cryptocurrency mining. Researchers Keanna Grelicha and Tara Gould detailed the findings in a report shared with crypto news outlets.
Method of Attack
According to the researchers, the campaign specifically targets Windows systems by exploiting PowerShell, Microsoft's built-in command-line interface and scripting language. The malicious scripts run directly in memory, which makes them difficult to detect for traditional antivirus tools that usually scan files on disk.
Attackers then use AutoIt, a tool typically employed by IT professionals for task automation, to inject a malicious loader into a legitimate Windows process. This loader downloads and executes mining software without leaving obvious traces.
Additionally, the loader performs various environment checks, such as scanning for signs of sandbox environments and inspecting installed antivirus products. Execution proceeds only if Windows Defender is the sole active protection.
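As an added example (not code from the Darktrace report), the following Python correlates constructed process-creation records to surface the chain described above: PowerShell launched with in-memory execution switches, followed by an AutoIt interpreter started beneath it. The event fields mirror a Sysmon process-creation record, the command-line heuristics are assumptions, and the records themselves are constructed samples.

```python
import re

# Constructed sample telemetry (not real events): pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},  # in-memory launch
    {"pid": 300, "ppid": 200, "image": r"C:\Users\Public\AutoIt3.exe", "cmd": "AutoIt3.exe run.a3x"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmd": "AutoIt3.exe backup.au3"},  # benign admin automation, no PowerShell ancestor
]

# Standard AutoIt interpreter binary names (32- and 64-bit builds).
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
# Assumed heuristics for PowerShell running code from memory rather than a script file.
IN_MEMORY_FLAGS = re.compile(
    r"(?i)(-enc\w*\s|-e\s|\biex\b|invoke-expression|downloadstring|-w(indowstyle)?\s+hidden)")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Walk parent links upward, returning the events for every known ancestor."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious_chains(events):
    """Flag AutoIt interpreters whose ancestry includes powershell.exe.

    Severity is 'high' when that PowerShell instance shows in-memory
    execution switches, 'medium' otherwise.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in AUTOIT_IMAGES:
            continue
        ancestors = ancestry(e["ppid"], by_pid)
        ps = next((a for a in ancestors if basename(a["image"]) == "powershell.exe"), None)
        if ps is None:
            continue  # AutoIt without a PowerShell parent is ordinary admin use here
        severity = "high" if IN_MEMORY_FLAGS.search(ps["cmd"]) else "medium"
        findings.append({"pid": e["pid"], "parent_powershell_pid": ps["pid"], "severity": severity})
    return findings
```

Run against the sample set, only pid 300 is reported; the benign AutoIt launch under Explorer is left alone.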
General Conclusions
Darktrace contained the attack using its Autonomous Response system, which prevented the device from making outbound connections and blocked specific connections to suspicious endpoints. Darktrace researchers noted that as cryptocurrency continues to gain popularity, cryptojacking will remain a lucrative avenue for cybercriminals.
Cryptojacking poses a significant threat to Windows system users. It is crucial to remain vigilant and keep devices updated for security.