Darktrace flags new cryptojacking campaign able to bypass Windows Defender

Cybersecurity firm Darktrace has identified a new cryptojacking campaign designed to bypass Windows Defender and deploy a crypto mining software.

The cryptojacking campaign, first identified in late July, involves a multi-stage infection chain that quietly hijacks a computer’s processing power to mine cryptocurrency, Darktrace researchers Keanna Grelicha and Tara Gould explained in a report shared with crypto.news.

According to the researchers, the campaign specifically targets Windows-based systems by exploiting PowerShell, Microsoft’s built-in command-line shell and scripting language, through which bad actors are able to run malicious scripts and gain privileged access to the host system.

These malicious scripts are designed to run directly on system memory (RAM) and, as a result, traditional antivirus tools that typically rely on scanning files on a system’s hard drives are unable to detect the malicious process.

Subsequently, attackers use the AutoIt programming language, which is a Windows tool typically used by IT professionals to automate tasks, to inject a malicious loader into a legitimate Windows process, which then downloads and executes a cryptocurrency mining program without leaving obvious traces on the system.

As an added line of defense, the loader is programmed to perform a series of environment checks, such as scanning for signs of a sandbox environment and inspecting the host for installed antivirus products.

Execution only proceeds if Windows Defender is the sole active protection. Further, if the infected user account lacks administrative privileges, the program attempts a User Account Control bypass to gain elevated access.

When these conditions are met, the program downloads and executes the NBMiner, a well-known crypto mining tool that uses a computer’s graphics processing unit to mine cryptocurrencies such as Ravencoin (RVN) and Monero (XMR).

In this instance, Darktrace was able to contain the attack using its Autonomous Response system by “preventing  the device from making outbound connections and blocking specific connections to suspicious endpoints.”

“As cryptocurrency continues to grow in popularity, as seen with the ongoing high valuation of the global cryptocurrency market capitalization (almost USD 4 trillion at time of writing), threat actors will continue to view cryptomining as a profitable venture,” Darktrace researchers wrote.

Back in July, Darktrace flagged a separate campaign where bad actors were using complex social engineering tactics, such as impersonating real companies, to trick users into downloading altered software that deploys crypto-stealing malware.

Unlike the aforementioned cryptojacking scheme, this approach targeted both Windows and macOS systems and was executed by unaware victims themselves who believed they were interacting with company insiders.