
GPU mining malware spreads through SEO poison, AI chatbots

Threat actors are targeting high-performance computer systems in an ongoing campaign that spreads malware through SEO poisoning and also leverages AI chatbot recommendations.

Infections occur through malicious download pages for utility software commonly installed by owners of high-performance systems, such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.

Once the system is infected, the attacker gains persistent access to the machine through the legitimate ScreenConnect remote access tool, which is later used to install additional malware.

Microsoft researchers discovered this campaign and determined that the attack begins when users search for one of the utilities mentioned above and are presented with malicious links that have been pushed up the search rankings through SEO poisoning.

However, some reports in April indicated that users were directed to malicious sites after interacting with AI-based assistants.

“In these cases, users who asked AI chatbots for software download recommendations were provided with links to attacker-controlled domains within the generated responses,” Microsoft said.

ChatGPT pointing to a malicious URL for downloading CrystalDiskMark
source: Microsoft

The malicious download is a ZIP archive hosted on a gleeze[.]com subdomain, a domain previously flagged for its association with phishing websites.

According to Microsoft, the archive includes a legitimate utility executable and a malicious DLL that is automatically loaded when the bundled executable is launched.

The researchers discovered that the DLL uses msiexec.exe to install vcredist_x64.dll, which is actually the installer package for the ScreenConnect remote access tool.

After establishing a ScreenConnect session with the compromised host, the threat actor downloads another binary called SimpleRunPE.exe, which copies itself as RuntimeHost.exe into a folder hidden from Explorer.

The purpose of the utility is to establish “six persistence methods across multiple Windows autostart environments.”

The malware establishes six methods of persistence
source: Microsoft

In some cases, the binary is dropped via a malicious PowerShell script and saved locally as vlc.exe, in an attempt to pass as the executable of the popular VideoLAN VLC media player.

Based on the path of SimpleRunPE.exe’s Program Database (PDB), the researchers believe it is a fork of a public repository that demonstrates the process hollowing (RunPE) technique.

The threat actor uses this technique to inject into, and attempt to run its payload inside, legitimate .NET binaries signed by Microsoft: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe.

To further evade detection, the malicious binary also uses PowerShell to add its paths and processes to the Microsoft Defender exclusion list.

Additionally, the malware checks the environment for signs of a virtual machine and for a list of 40 process names associated with analysis tools. If any of these is detected, the malware stops running.

Once process hollowing is complete and the malware is running inside a Microsoft-signed Windows binary, one of three mining modules is downloaded and executed.

Supported mining programs are gminer, lolMiner, and SRBMiner-MULTI, all of which are designed to use graphics processing units (GPUs).
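The behaviours described above (msiexec installing a ".dll" package, PowerShell adding Defender exclusions, signed .NET hosts spawned by an unexpected parent, a vlc.exe outside Program Files) can each be turned into a simple detection rule. The following is an added example written for this article, not code from Microsoft's report; the event format, the EXPECTED_PARENTS list and the sample events are constructed assumptions.

```python
import re

# Microsoft-signed .NET binaries the article names as process-hollowing targets
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe"}
# Parents from which those hosts are normally spawned (assumption: dev tooling)
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "services.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of every rule that fires for one process-creation event."""
    image, parent = _basename(event["image"]), _basename(event["parent"])
    cmd = event["cmdline"].lower()
    hits = []
    # msiexec asked to install a package whose name ends in .dll (e.g. vcredist_x64.dll)
    if image == "msiexec.exe" and re.search(r"/i\s+\S+\.dll\b", cmd):
        hits.append("msiexec_dll_package")
    # PowerShell adding Microsoft Defender path/process exclusions
    if image in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cmd \
            and re.search(r"-exclusion(path|process)", cmd):
        hits.append("defender_exclusion_added")
    # Signed .NET host launched by a parent that would not normally start it
    if image in DOTNET_HOSTS and parent not in EXPECTED_PARENTS:
        hits.append("dotnet_host_unusual_parent")
    # A "vlc.exe" running from outside Program Files (masquerading as VLC)
    if image == "vlc.exe" and "\\program files" not in event["image"].lower():
        hits.append("vlc_masquerade_path")
    return hits

def scan(events):
    # (event id, rule hits) for every event that triggers at least one rule
    return [(e["id"], classify(e)) for e in events if classify(e)]

# Constructed sample events (not real telemetry), modelled on the article
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Tools\CrystalDiskInfo.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\vcredist_x64.dll /qn"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\ProgramData\.cache\RuntimeHost.exe",
     "cmdline": r"powershell -c Add-MpPreference -ExclusionPath 'C:\ProgramData\.cache'"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "parent": r"C:\ProgramData\.cache\RuntimeHost.exe", "cmdline": "InstallUtil.exe"},
    {"id": 4, "image": r"C:\Users\bob\AppData\Local\Temp\vlc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "vlc.exe"},
    {"id": 5, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",  # benign
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmdline": "MSBuild.exe app.csproj"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1 to 4 and leaves the benign MSBuild launch (event 5) alone; in practice the parent allow-list must be tuned to the environment.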

Microsoft says this cryptocurrency-mining campaign stands out for its “targeting and monetization strategy built from the ground up to maximize GPU mining yield per machine at risk,” rather than for its volume.

In addition to the protection provided by Microsoft security products, organizations can protect their environments using the mitigation guidance and indicators of compromise included in the report.
