Cryptojacking Campaign Uses SEO Poisoning to Target High-Performance PCs
Microsoft researchers have uncovered an ongoing cryptojacking campaign that targets high-performance computers, primarily those owned by gamers and power users. The attack spreads through SEO poisoning: malicious download pages for popular utilities such as CrystalDiskInfo and HWMonitor are promoted in search results, and some victims were also steered to them by AI chatbot recommendations. Once a user downloads and runs the malicious ZIP archive, hosted on a subdomain of gleeze.com, a legitimate executable is launched alongside a malicious DLL that installs ScreenConnect, a legitimate remote management tool, giving the attacker persistent access. The attacker then deploys SimpleRunPE.exe, a binary that establishes six persistence mechanisms across Windows autostart locations. To evade detection, the malware hollows Microsoft-signed utilities such as InstallUtil.exe and adds exclusions to Microsoft Defender. It then downloads and executes one of three GPU miners: gminer, lolMiner, or SRBMiner-MULTI. The campaign is notable for maximizing GPU mining yield per compromised device, targeting high-end systems rather than volume. Microsoft recommends using the indicators of compromise it has provided for defense.
Key facts
- Malicious downloads for utilities like CrystalDiskInfo spread through SEO poisoning.
- ScreenConnect remote access tool deployed for persistent access.
- Six persistence mechanisms established across Windows autostart locations.
- Process hollowing into Microsoft-signed binaries used for evasion.
- GPU miners gminer, lolMiner, and SRBMiner-MULTI downloaded and executed.
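The chain above leaves host-level traces a defender can look for directly: Defender exclusions that were not set by the user, entries in Windows autostart locations, a ScreenConnect service, and unusual running copies of InstallUtil.exe. The PowerShell audit below is an added example written for this summary; it is not Microsoft's tooling and not the IoC list the report provides. Only the names it searches for (SimpleRunPE, ScreenConnect, gminer, lolMiner, SRBMiner, gleeze.com) come from the report; the helper name Test-Suspicious and the choice of autostart locations to check are the editor's assumptions, since the report does not list which six mechanisms the campaign uses.

```powershell
# Editor-written host audit for the campaign described above (example code, not Microsoft's).
# Search terms are taken from the report; the set of autostart locations checked is an assumption.
$Suspicious = @('SimpleRunPE', 'ScreenConnect', 'gminer', 'lolMiner', 'SRBMiner', 'gleeze.com')
$Findings   = New-Object System.Collections.Generic.List[string]

# Case-insensitive substring match against the report's names (hypothetical helper name).
function Test-Suspicious([string]$Text) {
    foreach ($s in $Suspicious) {
        if ($Text -match [regex]::Escape($s)) { return $true }
    }
    return $false
}

# 1. Defender exclusions: the campaign adds its own before fetching the miners, so every
#    exclusion on a gaming PC deserves a look, not only ones matching the known names.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($p) { $Findings.Add("Defender exclusion present: $p") }
    }
} catch {
    $Findings.Add("Could not query Defender preferences: $($_.Exception.Message)")
}

# 2. Run / RunOnce keys (assumed to be among the autostart locations the report refers to).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $val = [string]$props.$name
        if (Test-Suspicious "$name $val") { $Findings.Add("Run key ${key}\${name} = $val") }
    }
}

# 3. Per-user and all-users Startup folders.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-Suspicious $_.Name) { $Findings.Add("Startup folder item: $($_.FullName)") }
    }
}

# 4. Scheduled tasks: inspect what each action executes, not just the task name.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Suspicious "$($_.TaskName) $cmd") {
            $Findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName) runs: $cmd")
        }
    }
}

# 5. Services: the ScreenConnect client installs as a Windows service.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (Test-Suspicious "$($_.Name) $($_.DisplayName) $($_.PathName)") {
        $Findings.Add("Service $($_.Name) ($($_.State)): $($_.PathName)")
    }
}

# 6. Running processes. A hollowed InstallUtil.exe keeps its legitimate image path, so the
#    name alone proves nothing; it is flagged because the tool rarely runs on a gaming PC.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.ProcessName -ieq 'InstallUtil' -or (Test-Suspicious $_.ProcessName)) {
        $Findings.Add("Running process: $($_.ProcessName) (PID $($_.Id))")
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No traces matching the report were found.'
} else {
    $Findings | ForEach-Object { Write-Host "[!] $_" }
}
```

Run it in an elevated PowerShell session on the suspect host; HKLM Run keys and Defender preferences are readable without elevation, but scheduled task and service details are more complete with it. A hit on Test-Suspicious is a lead, not a verdict: a user may legitimately have ScreenConnect installed, and the hollowing step means the real confirmation comes from memory or EDR telemetry rather than from file names.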