AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

The Hacker News, 27/05/2026, 07:45
Summary

AI-Generated

Key Points:

  • Microsoft has identified an active cryptojacking campaign that uses AI chatbots to direct users to malicious download sites that impersonate legitimate software.
  • The campaign targets high-performance GPU users, establishing persistent remote access through ScreenConnect, which can lead to data theft and lateral movement.
  • Organizations should implement strict verification processes for software recommendations and monitor for suspicious activity related to unauthorized installations.

Technical Details: The campaign leverages social engineering techniques, including SEO poisoning and AI-assisted delivery methods, to distribute malicious software. The malware installs a rogue DLL that facilitates the installation of ScreenConnect, enabling attackers to maintain persistent access.

MITRE ATT&CK Techniques:

  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
  • T1053.005 - Scheduled Task/Job: Scheduled Task (Persistence)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)

IOCs Mentioned:

  • Domains: gleeze[.]com
  • IP Address: 193.42.11[.]108
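
One way to act on the monitoring recommendation with the indicators above, as an added example that is not from Microsoft or the original article: it refangs the listed IOCs, matches them against DNS and connection events, and flags ScreenConnect clients that point at a relay the organisation has not approved. The event format, the approved relay name and the h= command-line field are assumptions, and the sample events are constructed.

```python
from urllib.parse import parse_qs

# Indicators exactly as listed on this page (defanged).
IOC_HOSTS = ["gleeze[.]com", "193.42.11[.]108"]
# Assumption: the organisation's own sanctioned ScreenConnect relay host(s).
APPROVED_RELAYS = {"support.corp.example"}

def refang(value):
    """Undo '[.]' defanging so an indicator can be compared with log data."""
    return value.replace("[.]", ".").lower()

def host_matches_ioc(host):
    """True for a listed host or any subdomain of it (never a bare suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == i or host.endswith("." + i) for i in map(refang, IOC_HOSTS))

def screenconnect_relay(cmdline):
    """Relay host from a ScreenConnect client command line, or None.
    Assumption: the client is started with a query-string argument whose
    h= field names the relay server."""
    if "screenconnect" not in cmdline.lower() or "?" not in cmdline:
        return None
    query = cmdline.split("?", 1)[1].strip('" ')
    return parse_qs(query).get("h", [None])[0]

def triage(events):
    """Return (index, reason) for every event that deserves analyst review."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] in ("dns", "conn") and host_matches_ioc(ev["host"]):
            findings.append((i, "ioc-host"))
        elif ev["type"] == "process":
            relay = screenconnect_relay(ev["cmdline"])
            if relay and relay.lower() not in APPROVED_RELAYS:
                findings.append((i, "unapproved-screenconnect-relay"))
    return findings

# Constructed sample events, not taken from the campaign.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "updates.gleeze.com"},
    {"type": "dns", "host": "notgleeze.com"},
    {"type": "conn", "host": "193.42.11.108"},
    {"type": "process", "cmdline": 'ScreenConnect.ClientService.exe "?e=Access&h=support.corp.example&p=443"'},
    {"type": "process", "cmdline": 'ScreenConnect.ClientService.exe "?e=Access&h=relay.unknown.example&p=443"'},
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(index, reason, SAMPLE_EVENTS[index])
```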
