Summary
Key Points:
- A new cryptojacking campaign utilizes search engine poisoning and AI chatbot interactions to deliver malicious software masquerading as legitimate system utilities, targeting users with high-performance GPUs.
- The campaign establishes persistent remote access through abused ScreenConnect deployments, potentially enabling data theft and lateral movement, while focusing on maximizing GPU mining yield from compromised devices.
- Organizations are advised to enable cloud-delivered protection, run EDR in block mode, and implement attack surface reduction rules to mitigate risks.
Technical Details:
The campaign employs DLL sideloading to install malicious components alongside legitimate software. Key techniques include the use of ScreenConnect for remote access and process hollowing into Microsoft-signed binaries to execute the mining operations.
MITRE ATT&CK Techniques:
- T1566 - Phishing (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1203 - Exploit Public-Facing Application (Initial Access)
- T1055 - Process Injection (Execution)
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
IOCs Mentioned:
- Domains: direct-download.gleeze.com, start-download.gleeze.com, direct-downloads.giize.com, free-download.giize.com
- IP Address: 193.42.11[.]108
- SHA256 Hashes: 16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c, 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5
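The indicators above are the part of this summary a defender can act on immediately. The following Python snippet is an added example (not code from the report or its authors) that loads the listed domains, IP address and SHA256 hashes into a small matcher and runs it over log lines. It normalizes common defanging (`[.]`, `hxxp`) so the bracketed IP form used above matches the raw form seen in telemetry. The log lines in SAMPLE_LOGS are constructed for illustration; the timestamps, client addresses and file paths in them are assumptions, not values from the report.

```python
import re

# Indicators taken from the summary above. The IP is stored in its raw form;
# the defanged "193.42.11[.]108" is normalized by refang() before matching.
IOC_DOMAINS = {
    "direct-download.gleeze.com",
    "start-download.gleeze.com",
    "direct-downloads.giize.com",
    "free-download.giize.com",
}
IOC_IPS = {"193.42.11.108"}
IOC_SHA256 = {
    "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
    "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
}

# Common defanging styles seen in threat reports and tickets.
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
# Hostname-like tokens (at least one dot), IPv4 literals, and SHA256 hex runs.
_HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(text):
    """Undo common defanging so defanged and raw forms hit the same sets."""
    return _DEFANG.sub(".", text).replace("hxxp", "http")


def match_line(line):
    """Return a list of (ioc_type, value) hits found in one log line."""
    norm = refang(line.lower())
    hits = []
    for host in _HOST_RE.findall(norm):
        if host in IOC_DOMAINS:
            hits.append(("domain", host))
    for ip in _IPV4_RE.findall(norm):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in _SHA256_RE.findall(norm):
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan(lines):
    """Return {line_number: hits} for every line that contains an indicator."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := match_line(line))}


# Constructed sample log lines (assumed format, not from the report).
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z dns query=direct-download.gleeze.com type=A client=10.0.0.5",
    "2024-01-01T10:00:02Z proxy GET hxxp://free-download[.]giize[.]com/setup.exe status=200",
    "2024-01-01T10:00:03Z edr file_created path=C:\\Users\\u\\Downloads\\setup.exe "
    "sha256=16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
    "2024-01-01T10:00:04Z fw conn dst=193.42.11[.]108 dport=443 proto=tcp",
    "2024-01-01T10:00:05Z dns query=update.microsoft.com type=A client=10.0.0.5",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOGS).items():
        print(line_no, hits)
```

Exact-match sets are deliberate: a substring check would also fire on look-alike hosts such as `notdirect-download.gleeze.com.example`, while tokenizing first and then testing set membership keeps false positives down. For production use, feed the same sets into the SIEM or EDR lookup list rather than a standalone script, and keep the refang step, because analysts routinely paste defanged indicators into watchlists.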
This summary provides actionable insights for security analysts to enhance their defenses against this evolving threat landscape.