New Malware Exploits Windows Character Map to Evade Windows Defender and Mine Cryptocurrency for Attackers
A recently discovered strain of cryptomining malware has drawn attention from security teams worldwide by using the built-in Windows Character Map application (charmap.exe) as an execution host. The intrusion starts with a PowerShell script that downloads a heavily obfuscated AutoIt loader and executes it directly in memory; later stages are dropped under the user's profile, but the initial download-and-execute step never writes the script to disk, leaving little for file-based scanning to inspect. Early indications suggest this marks an evolution in cryptojacking tradecraft, with the mining payload injected into a legitimate Windows process rather than run as a standalone miner binary. The infection begins when a compromised workstation connects to a rarely seen external endpoint over plain HTTP and requests a PowerShell script named Infect.ps1. Darktrace researchers identified the anomaly because the request carried a PowerShell user-agent string the host had not used before, which raised high-fidelity alerts associated with command-and-control activity.
Upon retrieval, the script decodes several Base64- and XOR-encoded blobs, reconstructs an AutoIt binary in the user's AppData folder, and establishes persistence through a shortcut in the Startup folder. Each stage embeds evasion measures, including registry checks and User Account Control (UAC) bypass attempts, so that mining continues uninterrupted. Once launched, the AutoIt binary performs process injection into charmap.exe (Windows Character Map): Darktrace analysts observed the loader obtaining a handle to a charmap.exe process, allocating executable memory inside it, and writing the decrypted NBMiner payload into that region. Because the miner then executes inside a signed Microsoft binary rather than as a miner executable on disk, it does not trip Windows Defender's file-based signature detections, and the host process's good reputation lets it reach remote mining pools without being blocked. Character Map has no legitimate reason to make outbound network connections, so a charmap.exe process opening TCP sessions is itself a strong indicator. Targeted organisations have reported CPU spikes and unexplained energy costs, the typical financial impact of cryptojacking. In the final phase the loader spawns the NBMiner process with arguments tuned for the KawPoW algorithm. DNS telemetry shows repeated queries for monerooceans.stream, followed by TCP connections to 152.53.121.6:10001, confirming active mining traffic.
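Added example (not Darktrace's detection logic and not code from the article): the hunting rules below express the indicators just described as checks over constructed log lines. The domain, the 152.53.121.6:10001 endpoint and charmap.exe are taken from the text; the key=value log format, the WS-0113 host name, the 203.0.113.x and 198.51.100.x addresses, the NBMiner command line and the user-agent strings are assumptions, the user agents modelled on what Windows PowerShell's web cmdlets send.

```python
"""Hunting rules for the network and process indicators described above.

Added example: this is not Darktrace's detection logic or the article's code.
The IOCs (monerooceans.stream, 152.53.121.6:10001, charmap.exe) come from the
article; the log format, host name, the 203.0.113.x / 198.51.100.x addresses
and every sample line below are constructed for the example.
"""
import re

# Indicators named in the article.
MINING_POOL_DOMAINS = {"monerooceans.stream"}
MINING_POOL_ENDPOINTS = {("152.53.121.6", 10001)}
# Built-in Windows utilities that should never initiate network traffic.
NO_NETWORK_IMAGES = {"charmap.exe"}

# Constructed telemetry in a simple key=value form (not real incident data).
SAMPLE_LOG = [
    'type=http host=WS-0113 url=http://203.0.113.45/Infect.ps1 '
    'ua="Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"',
    'type=http host=WS-0113 url=https://www.microsoft.com/en-us/ '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    'type=dns host=WS-0113 query=monerooceans.stream',
    'type=dns host=WS-0113 query=ctldl.windowsupdate.com',
    'type=conn host=WS-0113 image=charmap.exe dst=152.53.121.6 dport=10001',
    'type=conn host=WS-0113 image=chrome.exe dst=198.51.100.7 dport=443',
    'type=proc host=WS-0113 image=nbminer.exe '
    'cmdline="nbminer.exe -a kawpow -o stratum+tcp://monerooceans.stream:10001 -u WALLET"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_powershell_ua(ua):
    # Windows PowerShell 5.x advertises "WindowsPowerShell/5.1.x",
    # PowerShell 7 advertises "PowerShell/7.x"; both match here.
    return re.search(r"\b(?:Windows)?PowerShell/\d", ua or "") is not None


def evaluate(ev):
    """Return the list of rule names a single parsed event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "http":
        url = ev.get("url", "").lower()
        if is_powershell_ua(ev.get("ua")) and url.startswith("http://") and url.endswith(".ps1"):
            hits.append("powershell_script_over_http")
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q in MINING_POOL_DOMAINS or any(q.endswith("." + d) for d in MINING_POOL_DOMAINS):
            hits.append("mining_pool_dns")
    elif kind == "conn":
        port = ev.get("dport", "")
        if port.isdigit() and (ev.get("dst"), int(port)) in MINING_POOL_ENDPOINTS:
            hits.append("mining_pool_connection")
        if ev.get("image", "").lower() in NO_NETWORK_IMAGES:
            hits.append("system_utility_outbound_network")
    elif kind == "proc":
        cmd = ev.get("cmdline", "").lower()
        if "kawpow" in cmd or "stratum+tcp://" in cmd:
            hits.append("miner_command_line")
    return hits


def hunt(lines):
    """Run every rule over every line; returns (host, rule, line) triples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in evaluate(ev):
            findings.append((ev.get("host"), rule, line))
    return findings


if __name__ == "__main__":
    for host, rule, line in hunt(SAMPLE_LOG):
        print(f"{host}: {rule}\n    {line}")
```

Running the block prints five matches for the constructed host. The rules keyed to the domain and IP go stale as soon as the actor rotates infrastructure; the one worth keeping long term is system_utility_outbound_network, since a Character Map process has no legitimate reason to open a socket.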
Digging deeper into the infection mechanism reveals a two-stage loader. The initial PowerShell dropper embeds three encoded data segments: the AutoIt executable, a persistence script, and the injection stub. After writing these files to %LOCALAPPDATA%, the script launches AutoIt, which reads and decodes the second blob using the single-byte XOR key 47 (0x2F). The loader then attempts a UAC bypass via fodhelper.exe, the well-known technique that hijacks the ms-settings protocol handler under HKCU\Software\Classes\ms-settings\Shell\Open\command, so that it can elevate without a prompt and keep the mining operation both persistent and unnoticed. Abusing a legitimate, signed Windows utility in this way shows that trusting a process by its binary name or signer is not enough; defenders need to correlate process behaviour, such as a system utility making network connections or receiving executable memory allocations, with the network indicators above.
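Added example, not Darktrace's tooling or the actor's script: a static triage routine for the two-stage loader's encoding as described above. It assumes the dropper hands each stage to [Convert]::FromBase64String and XOR-decodes it with a single-byte key; it goes beyond the text by brute-forcing all 256 keys and stopping on a valid PE header (or settling on the key that yields clean text), so it keeps working when the key is no longer 47. The PowerShell skeleton, the fake PE (which contains no code), the persistence stub and the placeholder file name loader.exe are constructed for the example.

```python
"""Static unpacking of the dropper's encoded blobs.

Added example, not Darktrace's tooling or the actor's script. It assumes the
dropper carries its stages as Base64 strings passed to
[Convert]::FromBase64String and XOR-decodes them with a one-byte key, as the
article describes (key 47). Instead of hard-coding 47 the recovery brute-forces
all 256 keys and stops on a valid PE header, so it also works when the actor
changes the key. The dropper text, the fake PE and the persistence stub below
are constructed for the example; the fake PE contains no code.
"""
import base64
import re
import struct


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def looks_like_pe(buf):
    """True if buf starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(buf):
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


# Matches the Base64 argument of [Convert]::FromBase64String("...") in a script.
B64_RE = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)')


def extract_blobs(script):
    return [base64.b64decode(s) for s in B64_RE.findall(script)]


def recover(blob):
    """Brute-force a single-byte XOR key. Returns (kind, key, plaintext)."""
    best = ("unknown", 0, blob, 0.0)
    for key in range(256):
        cand = xor_bytes(blob, key)
        if looks_like_pe(cand):          # an embedded executable: done
            return ("pe", key, cand)
        ratio = printable_ratio(cand)    # otherwise favour the key that yields text
        if ratio > best[3]:
            best = ("text" if ratio >= 0.95 else "unknown", key, cand, ratio)
    return best[:3]


def triage(script):
    """Recover every blob a dropper script embeds."""
    return [recover(blob) for blob in extract_blobs(script)]


# --- constructed sample input -------------------------------------------------
# Minimal fake PE: 'MZ', e_lfanew at 0x3C pointing to 'PE\0\0' at 0x40, no code.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"constructed, not executable"
PERSIST_TEXT = (b"# constructed persistence stub (ABC/abc), not the actor's script\n"
                b'$lnk = Join-Path $env:APPDATA "Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.lnk"\n'
                b'if (Test-Path $lnk) { "exists!" | Out-Null }\n')
KEY = 47


def _b64(data):
    return base64.b64encode(data).decode()


# A dropper skeleton shaped like the one described (Base64 blobs, XOR key 47,
# output written under %LOCALAPPDATA%); file names are placeholders.
DROPPER_PS1 = (
    f'$exe = [Convert]::FromBase64String("{_b64(xor_bytes(FAKE_PE, KEY))}")\n'
    f'$stub = [Convert]::FromBase64String("{_b64(xor_bytes(PERSIST_TEXT, KEY))}")\n'
    "for ($i = 0; $i -lt $exe.Length; $i++) { $exe[$i] = $exe[$i] -bxor 47 }\n"
    '[IO.File]::WriteAllBytes("$env:LOCALAPPDATA\\loader.exe", $exe)\n'
)

if __name__ == "__main__":
    for kind, key, data in triage(DROPPER_PS1):
        print(f"{kind:7} key={key} ({key:#04x}) {data[:32]!r}")
```

The PE test is the reliable stop condition: only one key can turn the first two bytes into "MZ" and still land a "PE\0\0" signature at e_lfanew, so a false positive is practically impossible. The printable-text heuristic is weaker and is only there for the non-executable stages such as the persistence script.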
Categories: Malware Tactics, Cryptojacking, Evasion Techniques
Tags: Cryptomining, Malware, PowerShell, AutoIt, Evasion, Persistence, Process Injection, Windows Defender, Cryptojacking, NBMiner