
Threat actors are running an ongoing cryptojacking campaign that targets high-performance systems. The infection path uses malicious download pages for common utility software, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Users searching for these utilities are shown attacker-controlled links that have been boosted in search results through SEO poisoning. Some victims are also redirected after querying AI chatbots for download recommendations, with the links embedded in the generated responses. The payload is a ZIP archive hosted on a previously flagged domain; it contains the legitimate utility executable plus a malicious DLL that the utility loads automatically at launch. The DLL uses msiexec.exe to install vcredist_x64.dll, which brings in ScreenConnect. Once a ScreenConnect session is established, another binary is deployed to maintain access and enable further malware installation.
"Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Once a system is infected, the attacker gets persistent access on the machine by deploying the legitimate remote management ScreenConnect tool, which could later be used to install additional malware."
"Microsoft researchers discovered the campaign and determined that the attack begins when users look for one of the aforementioned utilities and are presented with malicious links boosted in search rankings through SEO poisoning. However, some reports in April indicated that users were directed to the malicious domains after interacting with AI-based assistants. "In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses," Microsoft says."
"The malicious download is a ZIP archive hosted on a subdomain at gleeze[.]com, a domain that has been flagged in the past for being associated with phishing websites. According to Microsoft, the archive includes the legitimate executable for the legitimate utility as well as a malicious DLL that is automatically loaded when launching the benign binary. The researchers found that the DLL uses msiexec.exe to install vcredist_x64.dll, which is a package installer for the ScreenConnect remote access tool."
"After establishing a ScreenConnect session with the compromised client, the threat actor drops another binary named SimpleRunPE.exe that copies itself as RuntimeHost.exe into a folder hidden in Explorer. This enables continued remote control and supports follow-on activity on the infected machine. The chain links initial user redirection to persistent access through ScreenConnect and subsequent malware deployment."
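Added example, not code from the article or from Microsoft: a small Python pass over constructed process-creation and file-write events that flags the stages described above (a utility launching msiexec.exe with a .dll package, and SimpleRunPE.exe / RuntimeHost.exe in the process chain or on disk). The utility executable names, the event layout and every sample path are assumptions; only msiexec.exe, vcredist_x64.dll, SimpleRunPE.exe and RuntimeHost.exe come from the article.

```python
from dataclasses import dataclass
from ntpath import basename

@dataclass
class Event:
    kind: str          # "process" = process creation, "file" = file write
    image: str         # image path of the acting process
    parent: str = ""   # parent image path (process events only)
    cmdline: str = ""  # command line (process events only)
    target: str = ""   # path written (file events only)

# Executable names ASSUMED for the utilities the article lists (it names products,
# not file names); adjust to the names seen in your own telemetry.
UTILITY_IMAGES = {"crystaldiskinfo.exe", "hwmonitor.exe", "ddu.exe", "furmark.exe", "pdfgear.exe"}
STAGE2_BINARIES = {"simplerunpe.exe", "runtimehost.exe"}  # named outright in the article

def flags(ev: Event) -> list[str]:
    """Reasons (possibly none) why this single event matches the described chain."""
    out = []
    img, parent = basename(ev.image).lower(), basename(ev.parent).lower()
    if ev.kind == "process":
        # A disk/GPU/codec utility has no reason to launch an MSI install; the
        # article's loader additionally hands msiexec a .dll (vcredist_x64.dll).
        if img == "msiexec.exe" and parent in UTILITY_IMAGES:
            pkg = " with a .dll package" if ".dll" in ev.cmdline.lower() else ""
            out.append(f"{parent} spawned msiexec.exe{pkg} (ScreenConnect install pattern)")
        if img in STAGE2_BINARIES or parent in STAGE2_BINARIES:
            out.append(f"article-named binary in process chain: {parent or '?'} -> {img}")
    elif ev.kind == "file":
        # SimpleRunPE.exe copying itself as RuntimeHost.exe is the persistence step.
        if img == "simplerunpe.exe" and basename(ev.target).lower() == "runtimehost.exe":
            out.append("SimpleRunPE.exe wrote RuntimeHost.exe (persistence step)")
    return out

def scan(events):
    """Map event index -> flags, keeping only events that matched something."""
    return {i: f for i, ev in enumerate(events) if (f := flags(ev))}

# Constructed sample telemetry; paths and command lines are illustrative only.
SAMPLE = [
    Event("process", r"C:\Tools\CrystalDiskInfo.exe", r"C:\Windows\explorer.exe", "CrystalDiskInfo.exe"),
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Tools\CrystalDiskInfo.exe",
          r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\vcredist_x64.dll /qn"),
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
          r"msiexec.exe /i C:\Users\u\Downloads\app.msi"),  # ordinary install, not flagged
    Event("file", r"C:\Users\u\AppData\Local\Temp\SimpleRunPE.exe",
          target=r"C:\Users\u\AppData\Roaming\Hidden\RuntimeHost.exe"),
    Event("process", r"C:\Users\u\AppData\Roaming\Hidden\RuntimeHost.exe", r"C:\Windows\explorer.exe"),
]
```

Running `scan(SAMPLE)` flags events 1, 3 and 4 and leaves the ordinary explorer-launched MSI install alone; the parent-process condition is what separates the two msiexec.exe launches.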
Read at BleepingComputer