Cryptojacking remains a formidable threat in digital security, as evidenced by a recent case where sophisticated malware exploited the Windows Character Map tool to mine Monero cryptocurrency. The incident was first uncovered by Darktrace’s autonomous detection system, which identified abnormal behavior when a desktop device made an unexpected HTTP connection, utilizing a PowerShell user agent.
Unveiling the Attack
The investigation revealed the attackers’ strategic use of obfuscated script chains to deploy NBMiner, a mining tool, with the intent to capitalize on cryptojacking without detection. The initial phase of the attack involved the download of a compromised PowerShell script from the URL 45.141.87.195:8000 which injected both legitimate and malicious binaries into the system.
Central to the malware campaign was the ingenious use of Windows’ Character Map application, charmap.exe. Attackers employed an AutoIt loader to inject mining code directly into charmap.exe, evading detection by Windows Defender, which was the primary antivirus defense in the setup. This AutoIt loader not only decrypted the hidden miner but also executed a sophisticated check for various system attributes, such as the presence of Task Manager, user privileges, and antivirus software.
In addition to utilizing charmap.exe for concealment, the malware effectively used UAC bypass techniques via Fodhelper, a Microsoft utility, to gain elevated privileges necessary for its operations. Subsequently, the mining process remained stealthy, obfuscating its window from users and ensuring continuity by re-downloading itself if terminated. It proceeded to initiate connections with mining pools like asia.ravenminer.com and monerooceans.stream to begin the mining process.
Detection and Prevention
Darktrace's analysis revealed several layers of sophistication, including heavy obfuscation techniques, the sideloading of legitimate binaries, persistence within the registry, and process injection methods. As the malware established DNS requests and connection attempts to Monero endpoints, it triggered high-fidelity alerts in Darktrace’s system. This prompted the deployment of Rapid Autonomous Response (RAR) technology, which effectively blocked over 130 external call attempts, thereby neutralizing the threat.
Through this case study, Darktrace underscored the critical role of
In light of these findings, businesses are urged to stay informed about evolving cryptojacking strategies and the continuous development of adaptive threat detection methodologies. The incident reminded the cybersecurity community of the need for vigilance and the importance of advanced security solutions in combating sophisticated digital threats.
