New Malware Exploits Windows Character Map to Evade Defender and Mine Crypto

Darktrace’s autonomous detection system first identified suspicious activity when a desktop initiated an unusual HTTP connection using a PowerShell user agent. This early warning set the stage for a detailed investigation into the threat actor’s attempts to deploy NBMiner, a sophisticated cryptomining program, through a complex chain of obfuscated scripts.

The attack commenced with the download of a PowerShell script named “infect.ps1” from the endpoint 45.141.87[.]195:8000. This script was designed to drop both legitimate and malicious binaries into the user’s AppData directory, including a signed version of AutoIt.exe alongside various encoded payloads.

One of the most notable aspects of this attack was its abuse of Windows' built-in Character Map (charmap.exe). The attackers used an AutoIt loader to inject the miner code directly into the process space of charmap.exe, a trusted system utility. Running inside a trusted system process allowed the miner to evade detection by antivirus software, particularly where Windows Defender was the sole protection in place.

The loader ran a series of checks for a running Task Manager, the current user's privileges, and installed antivirus software, and elevated itself by bypassing User Account Control prompts with the Fodhelper technique.

Stopping a Stealthy Cryptojacking Campaign

Once activated, the cryptominer operated discreetly, concealing its process window and establishing connections to external mining pools, such as asia.ravenminer[.]com and monerooceans[.]stream, to generate illicit profits for the attacker. The malware was engineered for persistence, ensuring it could re-download itself if terminated and commence mining operations swiftly upon execution.

Darktrace’s platforms meticulously monitored the infected device’s behavior, noting DNS requests and high-frequency connections to known Monero mining endpoints. This vigilance triggered multiple high-fidelity alerts. The implementation of Rapid Autonomous Response proved crucial; Darktrace promptly blocked the device’s outbound communications, effectively preventing the malware from connecting to the mining pool and halting over 130 attempted calls to external endpoints.

Analysis of the malware revealed significant obfuscation, the use of legitimate binaries for side-loading, registry key manipulation for persistence, and process injection into trusted Windows applications. These tactics were specifically designed to challenge both analysts and static detection tools.

Expert Insights and Lessons Learned

This incident highlights the escalating threat posed by adaptive cryptojacking malware, often underestimated as a mere compliance issue, yet capable of draining productivity, inflating energy costs, and posing serious privacy risks. Darktrace’s AI-driven, anomaly-based detection successfully intercepted the attack at an early stage, mapping the entire kill chain and enabling rapid, automated mitigation.

As the profitability of cryptomining continues to rise, organizations must remain alert and equipped with advanced, AI-enabled defensive capabilities to identify and neutralize these covert, resource-draining attacks as early as possible.

List of Indicators of Compromise (IoCs)

  • 45.141.87[.]195:8000/infect.ps1 – IP Address, Destination Port, Script – Malicious PowerShell script
  • gulf.moneroocean[.]stream – Hostname – Monero Endpoint
  • monerooceans[.]stream – Hostname – Monero Endpoint
  • 152.53.121[.]6:10001 – IP Address, Destination Port – Monero Endpoint
  • 152.53.121[.]6 – IP Address – Monero Endpoint
  • https://api[.]chimera-hosting[.]zip/frfnhis/zdpaGgLMav/nbminer[.]exe – Hostname, Executable File – NBMiner
  • Db3534826b4f4dfd9f4a0de78e225ebb – Hash – NBMiner loader
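As an added defender's example (not code from the Darktrace write-up), the Python below triages constructed proxy-log lines for the behaviours described above: a PowerShell user agent on an outbound HTTP request, connections to the endpoints in the IoC list, and repeated connections from one host to one destination. The log format, the sample lines and the PowerShell user-agent pattern are assumptions.

```python
import re
from collections import Counter

# Indicators from the article's IoC list, with the defanging brackets removed
# so they match real log values. Port-only and hash IoCs are not matched here.
IOC_ENDPOINTS = {
    "45.141.87.195": "infect.ps1 staging host",
    "152.53.121.6": "Monero endpoint",
    "gulf.moneroocean.stream": "Monero endpoint",
    "monerooceans.stream": "Monero endpoint",
    "api.chimera-hosting.zip": "NBMiner download host",
}
# Assumption: the default PowerShell web-client User-Agent carries this token.
POWERSHELL_UA = re.compile(r"WindowsPowerShell/\d", re.IGNORECASE)
# Constructed proxy log format: <timestamp> <src_ip> <dst_host> <dst_port> <user_agent>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")

SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.7 45.141.87.195 8000 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-01-01T10:00:02Z 10.0.0.7 www.example.org 443 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2024-01-01T10:00:05Z 10.0.0.7 api.chimera-hosting.zip 443 -
2024-01-01T10:00:10Z 10.0.0.7 gulf.moneroocean.stream 10001 -
2024-01-01T10:00:11Z 10.0.0.7 152.53.121.6 10001 -
2024-01-01T10:00:12Z 10.0.0.7 152.53.121.6 10001 -
2024-01-01T10:00:13Z 10.0.0.7 152.53.121.6 10001 -
2024-01-01T10:00:14Z 10.0.0.7 152.53.121.6 10001 -
2024-01-01T10:00:15Z 10.0.0.7 152.53.121.6 10001 -
"""

def triage(log_text, burst_threshold=5):
    """Return (timestamp, src, reason, dst) alerts: IoC hits, PowerShell user agents, and bursts."""
    alerts = []
    hits = Counter()  # (src, dst) -> connection count, for the high-frequency heuristic
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, dst, port, ua = m.groups()
        if dst in IOC_ENDPOINTS:
            alerts.append((ts, src, "ioc:" + IOC_ENDPOINTS[dst], f"{dst}:{port}"))
        if POWERSHELL_UA.search(ua):
            alerts.append((ts, src, "powershell-user-agent", f"{dst}:{port}"))
        hits[(src, dst)] += 1
        if hits[(src, dst)] == burst_threshold:  # alert once, when the threshold is reached
            alerts.append((ts, src, f"high-frequency:{burst_threshold}+ connections", dst))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

In production the IoC table would be fed from threat intelligence and the burst threshold tuned per environment; the PowerShell user-agent check is the earliest signal in this incident and fires before any mining endpoint is contacted.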

