AI chatbots used to push cryptojacking downloads, backdoors

AI chatbots returned links to fake utility downloads that sideload DLLs to install ScreenConnect backdoors and GPU cryptominers.

Microsoft’s Defender Experts and Defender Security Research Team reported Tuesday that attackers used large language model chatbots to surface links to attacker-controlled download pages hosting fake system utilities.

The sites impersonated installers for CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack and PDFgear. The campaign targeted machines with high-performance GPUs to maximize mining yield per infected device.

More than 150 malicious domains tied to the campaign were identified. Each counterfeit page provided a download button that retrieved a ZIP archive from campaign-specific subdomains of gleeze[.]com, served via infrastructure linked to Dynu, a dynamic DNS provider.

When opened, the ZIP contained a legitimate executable and a rogue DLL named autorun.dll. The executable sideloaded autorun.dll when launched; that DLL invoked msiexec.exe to install a second DLL called vcredist_x64.dll, packaged as a ScreenConnect installer.

The ScreenConnect client on compromised hosts repeatedly attempted to contact an attacker-controlled server at 193.42.11[.]108. The remote session served as a channel for a loader called SimpleRunPE.exe.

SimpleRunPE established persistence by creating Registry Run keys and scheduled tasks, added Microsoft Defender exclusions, performed anti-analysis checks and used process hollowing to run mining code under a Microsoft-signed binary. In some incidents operators used a PowerShell script to download the miner, save it as vlc.exe, schedule it to run and then delete the script.

The malware supports three miners: gminer, lolMiner and SRBMiner-MULTI. The loader recreates persistence artifacts and Defender exclusions if they are removed.

The loader monitored for process-inspection tools and terminated the miner if it detected taskmgr.exe, processhacker.exe, processhacker2.exe, procexp.exe, procexp64.exe or systeminformer.exe. Microsoft reported it detected and blocked activity associated with the campaign.

Microsoft warned that ScreenConnect backdoors create opportunities for further actions on compromised hosts, including data theft, lateral movement and ransomware. The company noted related incidents in which attackers abused internet-facing appliances and third-party service relationships to pivot into internal systems and attempt exploitation of unpatched software such as Atlassian Confluence.

Microsoft recommended that organizations validate vendor tools and integrations within their environments, limit over-privileged accounts and monitor for unauthorized remote-management installations.
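As an added illustration, not code from Microsoft's report or the article, the script below matches constructed sample telemetry against the observable stages of the chain described above and only flags a host when several distinct stages coincide. The event format, paths and task name are assumptions; the file names and the 193.42.11[.]108 address are the ones the article reports.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), one event per line, loosely
# modelled on EDR/Sysmon process-creation, registry and network events. The
# file names and the 193.42.11.108 address come from the report as relayed
# in the article; paths and the task name are invented for the sample.
SAMPLE_EVENTS = [
    'ProcessCreate parent=CrystalDiskInfo.exe image=msiexec.exe cmd="msiexec.exe /i vcredist_x64.dll /qn"',
    'ProcessCreate parent=SimpleRunPE.exe image=powershell.exe cmd="Add-MpPreference -ExclusionPath C:\\Users\\Public"',
    'ProcessCreate parent=powershell.exe image=schtasks.exe cmd="schtasks /create /tn Updater /tr C:\\Users\\Public\\vlc.exe /sc onlogon"',
    'RegistrySet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=vlc data=C:\\Users\\Public\\vlc.exe',
    'NetworkConnect image=ScreenConnect.ClientService.exe dst=193.42.11.108',
    'ProcessCreate parent=explorer.exe image=notepad.exe cmd="notepad.exe notes.txt"',
]

# One rule per observable stage of the chain described in the article.
RULES = [
    # msiexec normally installs .msi packages; a .dll argument is unusual.
    ("msiexec_installs_dll", re.compile(r"image=msiexec\.exe\b.*\.dll\b", re.I)),
    # Defender exclusion added from a script or an unknown parent process.
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    # Scheduled task whose action is the miner saved under the name vlc.exe.
    ("scheduled_task_miner", re.compile(r"image=schtasks\.exe\b.*vlc\.exe", re.I)),
    # Run key pointing at the same disguised binary.
    ("run_key_miner", re.compile(r"CurrentVersion\\Run\b.*vlc\.exe", re.I)),
    # Outbound contact with the attacker-controlled server named in the report.
    ("c2_contact", re.compile(r"\bdst=193\.42\.11\.108\b")),
    # Remote-management client present; drop this rule if ScreenConnect is sanctioned.
    ("remote_mgmt_client", re.compile(r"image=ScreenConnect\.ClientService\.exe\b", re.I)),
]


def match_events(events):
    """Return {rule_name: [matching event lines]} for every rule that fired."""
    hits = defaultdict(list)
    for line in events:
        for name, pattern in RULES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def looks_like_campaign(hits, min_rules=3):
    """Alert only when several distinct stages are seen on one host: a single
    indicator (an admin adding an exclusion, say) is often benign on its own."""
    return len(hits) >= min_rules


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for name, lines in found.items():
        print(f"{name}: {len(lines)} event(s)")
    print("campaign-like:", looks_like_campaign(found))
```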