GPU mining malware spreads via SEO poisoning, AI chatbots

Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.

​The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.

Once a system is infected, the attacker gets persistent access on the machine by deploying the legitimate remote management ScreenConnect tool, which could later be used to install additional malware.

Microsoft researchers discovered the campaign and determined that the attack begins when users look for one of the aforementioned utilities and are presented with malicious links boosted in search rankings through SEO poisoning.

However, some reports in April indicated that users were directed to the malicious domains after interacting with AI-based assistants.

“In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses,” Microsoft says.

The malicious download is a ZIP archive hosted on a subdomain at gleeze[.]com, a domain that has been flagged in the past for being associated with phishing websites.

According to Microsoft, the archive includes the legitimate executable for the legitimate utility as well as a malicious DLL that is automatically loaded when launching the benign binary.

The researchers found that the DLL uses msiexec.exe to install vcredist_x64.dll, which is a package installer for the ScreenConnect remote access tool.

After establishing a ScreenConnect session with the compromised client, the threat actor drops another binary named SimpleRunPE.exe that copies itself as RuntimeHost.exe into a folder hidden in Explorer.

The purpose of the executable is to establish “six persistence mechanisms across multiple Windows autostart locations.”

In some cases, the binary is dropped via a malicious PowerShell script and is saved locally as vlc.exe, in an attempt to impersonate the executable for the popular VideoLAN multimedia player.

Based on SimpleRunPE.exe’s Program Database (PDB) path, the researchers believe that it is a fork of a public repository for demonstrating the process hollowing technique.

The threat actor resorted to this technique for stealth and tried process hollowing into a legitimate .NET binary signed by Microsoft: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe.

To the same purpose, the malicious binary also invokes PowerShell to add its path and process to the exclusion list in Microsoft Defender.

Additionally, the malware checks the environment for virtual machines and a set of 40 process names corresponding to analysis tools. If any are identified, the malware terminates its execution.

After completing the process hollowing stage and the malware runs inside a Microsoft-signed Windows utility, one of three mining modules is downloaded and executed.

The supported mining programs are gminer, lolMiner, and SRBMiner-MULTI, all of them designed to use graphics processing units (GPUs).

Microsoft says that this cryptocurrency campaign stands out for its “targeting and monetization strategy engineered from the ground up to maximize GPU mining yield per compromised device,” instead of focusing on volume.

Apart from the defenses provided by Microsoft’s tools, organizations can protect their environments using the indicators of compromise included in the report.