GPU Mining Malware Campaign Exploits AI Search Result Poisoning
Threat actors have launched a sophisticated cryptojacking campaign targeting high-performance computer systems. This campaign is orchestrated through a coordinated SEO poisoning operation and involves manipulation of AI chatbot recommendations.
The attack begins with malicious download pages impersonating utility software commonly used by owners of powerful systems. Lookalike pages for CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear have been observed in this campaign; the legitimate projects themselves are not compromised.
Once a system is infected, the attacker gains persistent access by deploying ScreenConnect, a legitimate remote management tool. That session is then used to install additional malware on the compromised machine.
Microsoft researchers uncovered this campaign and found that the attack is initiated when users search for the aforementioned utilities and are presented with malicious links that have been boosted in search rankings through SEO poisoning.
Interestingly, reports have also indicated that users may be directed to malicious domains after interacting with AI-based assistants.
According to Microsoft, users querying AI chatbots for software download recommendations have been led to attacker-controlled domains within the responses generated by the chatbots.
[Image: Claim that ChatGPT directed a user to a malicious URL for downloading CrystalDiskMark. Source: Microsoft]
The malicious download is a ZIP archive hosted on a subdomain of gleeze[.]com, a domain previously associated with phishing websites.
Within the archive, there is a legitimate executable for the utility alongside a malicious DLL that the benign binary side-loads when launched.
The DLL invokes msiexec.exe to install a file named vcredist_x64.dll. Despite a name chosen to resemble the Visual C++ redistributable, this file is an installer package for the ScreenConnect remote access tool.
After establishing a ScreenConnect session with the compromised client, the threat actor drops another binary named SimpleRunPE.exe, which copies itself as RuntimeHost.exe into a folder that is hidden from Explorer.
This executable is designed to establish six persistence mechanisms across multiple Windows autostart locations.
[Image: Malware establishing six persistence mechanisms. Source: Microsoft]
In some instances, the binary is dropped via a malicious PowerShell script and saved locally as vlc.exe to mimic the popular VideoLAN multimedia player.
Based on the Program Database (PDB) path of SimpleRunPE.exe, researchers believe it is a fork of a public repository demonstrating the process hollowing technique.
The threat actor employs process hollowing into a legitimate .NET binary signed by Microsoft to evade detection. Additionally, the malware invokes PowerShell to add its path and process to the exclusion list in Microsoft Defender.
The malware also checks for virtual machines and specific process names associated with analysis tools. If any are detected, the malware terminates its execution.
Upon completing the process hollowing stage, the malware downloads and executes one of three mining modules: gminer, lolMiner, or SRBMiner-MULTI, all optimized for GPU mining.
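The chain above (msiexec installing a ".dll" that is really an installer package, PowerShell adding Defender exclusions, RuntimeHost.exe launched under the ScreenConnect client, vlc.exe running from a non-VLC path, and a GPU miner starting) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from Microsoft's report. It runs over constructed events in the shape of Sysmon Event ID 1 records, not real telemetry from the campaign. The miner file names, the ScreenConnect client process name, and the CrystalDiskInfo binary name are assumptions, labelled as such in the code.

```python
import re
from pathlib import PureWindowsPath

# Loader file names that Microsoft's report attributes to this campaign.
REPORTED_NAMES = {"simplerunpe.exe", "runtimehost.exe"}
# Miner families named in the report. The exact on-disk file names are an
# assumption, so we match the family name as a prefix of the image name.
MINER_PREFIXES = ("gminer", "lolminer", "srbminer")

# Constructed sample events (Sysmon Event ID 1 style). Illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "CommandLine": r"DiskInfo64.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\vcredist_x64.dll" /qn',
     "ParentImage": r"C:\Users\alice\Downloads\CrystalDiskInfo\DiskInfo64.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\.cache\RuntimeHost.exe",
     "CommandLine": r"RuntimeHost.exe",
     # ScreenConnect.ClientService.exe as parent is an assumption about the client's process name.
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming\.cache' -ExclusionProcess 'RuntimeHost.exe'",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\.cache\RuntimeHost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
     "CommandLine": r"vlc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",      # legitimate VLC, must not fire
     "CommandLine": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" movie.mkv',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\.cache\lolMiner.exe",
     "CommandLine": r"lolMiner.exe --algo ETHASH --pool pool.example:4444",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\.cache\RuntimeHost.exe"},
]


def _name(path):
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _check_event(ev):
    """Return the list of rule names a single process-creation event trips."""
    image, cmd, parent = ev["Image"], ev["CommandLine"], ev["ParentImage"]
    name, parent_name = _name(image), _name(parent)
    hits = []

    # 1. msiexec installing a package whose extension is .dll: a renamed MSI.
    if (name == "msiexec.exe"
            and re.search(r"(?i)(^|\s)/(i|package)\b", cmd)
            and re.search(r'(?i)(?:"[^"]+\.dll"|\S+\.dll)(?=\s|$)', cmd)):
        hits.append("msiexec_dll_package")

    # 2. PowerShell adding Defender path/process exclusions.
    if (name in {"powershell.exe", "pwsh.exe"}
            and re.search(r"(?i)\b(add|set)-mppreference\b.*-exclusion(path|process|extension)", cmd)):
        hits.append("defender_exclusion_added")

    # 3. Loader file names reported for this campaign.
    if name in REPORTED_NAMES:
        hits.append("reported_loader_name")

    # 4. vlc.exe running from outside the VideoLAN install directory.
    #    Caveat: portable VLC installs also trip this; tune for your estate.
    if name == "vlc.exe" and "\\videolan\\vlc\\" not in image.lower():
        hits.append("vlc_masquerade")

    # 5. GPU miner executables, matched by family name.
    if name.startswith(MINER_PREFIXES):
        hits.append("gpu_miner_launched")

    # 6. Any child of the ScreenConnect client. Legitimate remote-support
    #    sessions trip this too, so treat it as context rather than a verdict.
    if parent_name.startswith("screenconnect."):
        hits.append("screenconnect_child_process")

    return hits


def scan(events):
    """Run every rule over every event; return (rule, image) pairs."""
    return [(rule, ev["Image"]) for ev in events for rule in _check_event(ev)]


def rules_hit(events):
    """Sorted, de-duplicated list of rule names that fired over the events."""
    return sorted({rule for rule, _ in scan(events)})


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

Rules 1, 2, 4 and 5 are behavioural and survive a change of file names; rule 3 is a plain IOC match and rule 6 is context only, since the parent-process name is an assumption and ScreenConnect is widely used legitimately. Correlating two or more hits on the same host within a short window is the practical trigger.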
Microsoft notes that this campaign is unique in its targeting and monetization strategy, focusing on maximizing GPU mining yield per compromised device rather than sheer volume.
Organizations can safeguard their environments by using the indicators of compromise detailed in Microsoft's report alongside the defenses provided by Microsoft's security tools. Because the malware adds its own path and process to Microsoft Defender's exclusion list, auditing existing Defender exclusions is a useful first check on any suspect host.