Cybercriminals Use AI Chatbots to Spread Cryptojacking Malware in New Campaign

Cybercriminals Exploit AI Chatbots to Distribute Cryptojacking Malware

Microsoft has identified an active cryptojacking campaign in which responses from artificial intelligence (AI) chatbots steer users to malicious download sites. The delivery method extends SEO poisoning beyond traditional search results: the attacker-controlled site is surfaced as a chatbot recommendation, which gives the malicious link more visibility and more apparent credibility than a poisoned search result alone.

The attackers impersonate legitimate system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. By targeting users who own high-performance GPUs, the campaign aims to compromise systems with higher mining potential, thereby maximizing the financial gains from illicit cryptocurrency mining.

Mining is not the only objective. The operators also install ScreenConnect on compromised hosts to retain persistent remote access, which can later be used for data theft, lateral movement within the network, or ransomware deployment.

Attack Chain Analysis:

The attack begins when users search for trusted system utilities and hardware-monitoring software. Malicious sites, optimized through search engine optimization (SEO) poisoning, appear in search results. More recent observations indicate that users are being directed to these sites via interactions with large language model (LLM)-based AI chatbots.

In these instances, users querying AI chatbots for software download recommendations receive links to attacker-controlled domains within the generated responses. This behavior aligns with emerging techniques in AI search result poisoning, representing an evolution of traditional SEO poisoning beyond conventional search engines.

Each malicious site features a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, hosted by infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors. Over 150 malicious domains have been identified serving these harmful tools.

The downloaded ZIP contains a legitimate executable alongside a rogue DLL (autorun.dll) that the executable sideloads when the user launches it. The rogue DLL then invokes msiexec.exe to install a second file, vcredist_x64.dll, which despite its name is a packaged Windows Installer (MSI) for the ScreenConnect client rather than a library.

Once ScreenConnect is installed, the client repeatedly attempts to reach an attacker-controlled server at 193.42.11[.]108. The resulting remote session is then used to deliver an executable named SimpleRunPE.exe.

SimpleRunPE.exe establishes persistence with Registry Run keys and scheduled tasks, adds Microsoft Defender exclusions, performs anti-analysis checks, and uses process hollowing to run its payload inside a trusted, Microsoft-signed process so that the activity appears to come from a legitimate binary.

In some intrusions the binary is not dropped through ScreenConnect's file-transfer feature; instead a PowerShell script fetches it from a remote drive, writes it locally as vlc.exe so it blends in with ordinary software, registers a scheduled task to launch it, and then deletes itself.

The hollowed process contacts the attacker's server, uploads detailed host information, downloads the appropriate miner archive for the host at runtime, and runs it. The malware supports three miners: gminer, lolMiner, and SRBMiner-MULTI.

The loader also recreates its persistence artifacts and re-adds the Defender exclusions if either is removed, and it watches the process list, terminating the miner immediately if any of the following analysis tools is running:

– taskmgr.exe (Windows Task Manager)
– processhacker.exe, processhacker2.exe (Process Hacker)
– procexp.exe, procexp64.exe (Process Explorer)
– systeminformer.exe (System Informer)
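The stages above map onto telemetry that most Windows fleets already collect. The following is an added example, not code from Microsoft's report or from the original article, that runs a set of rules over constructed Sysmon-style events (image loads, process creations, network connections and registry writes) and reports which stage of the chain each record matches. The file names and the C2 address come from the write-up; the sample events, host names, paths, field names and the sanctioned-relay allowlist (203.0.113.10) are assumptions made for illustration.

```python
"""Hunt Sysmon-style telemetry for the stages of the chain described above."""
import re
from typing import Iterable

# Indicators and file names taken from the write-up.
C2_IP = "193.42.11.108"
SIDELOAD_DLLS = {"autorun.dll"}
MSI_MASQUERADE = {"vcredist_x64.dll"}        # an MSI package carrying a .dll name
LOADER_NAMES = {"simplerunpe.exe", "vlc.exe"}
MINER_NAMES = ("gminer", "lolminer", "srbminer")
# Assumption: the organisation's sanctioned ScreenConnect relay(s).
ALLOWED_RELAYS = {"203.0.113.10"}
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|temp|windows\\temp)\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: dict) -> list[str]:
    """Return the chain stages one event matches (empty list if none)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    if eid == 7:  # ImageLoad: rogue DLL loaded from a user-writable directory
        loaded = ev.get("ImageLoaded", "")
        if basename(loaded) in SIDELOAD_DLLS and USER_WRITABLE.match(loaded):
            hits.append("dll_sideload")
    elif eid == 1:  # ProcessCreate
        name = basename(image)
        if name == "msiexec.exe" and any(m in cmd for m in MSI_MASQUERADE):
            hits.append("msi_masquerade_install")
        if name == "schtasks.exe" and "/create" in cmd and any(l in cmd for l in LOADER_NAMES):
            hits.append("scheduled_task_persistence")
        if "add-mppreference" in cmd and "-exclusionpath" in cmd:
            hits.append("defender_exclusion")
        if any(m in name for m in MINER_NAMES):
            hits.append("miner_execution")
        # Hollowing heuristic: a known loader spawning a Windows binary it will hollow.
        if basename(ev.get("ParentImage", "")) in LOADER_NAMES and image.lower().startswith("c:\\windows\\"):
            hits.append("system_binary_spawned_by_loader")
    elif eid == 3:  # NetworkConnect
        dst = ev.get("DestinationIp", "")
        if dst == C2_IP:
            hits.append("c2_connection")
        elif "screenconnect" in image.lower() and dst not in ALLOWED_RELAYS:
            hits.append("screenconnect_unknown_relay")
    elif eid == 13:  # RegistryValueSet
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if "\\currentversion\\run\\" in target and any(l in details for l in LOADER_NAMES):
            hits.append("run_key_persistence")
        if "\\windows defender\\exclusions\\" in target:
            hits.append("defender_exclusion")
    return hits


def hunt(events: Iterable[dict]) -> dict[str, list[str]]:
    """Group matched events by stage as 'Computer#RecordId' references."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for stage in detect(ev):
            findings.setdefault(stage, []).append(f"{ev['Computer']}#{ev['RecordId']}")
    return findings


# Constructed telemetry for illustration only; paths and hosts are invented.
D = r"C:\Users\alice\Downloads\CrystalDiskInfo"
R = r"C:\Users\alice\AppData\Roaming"
SC = r"C:\Program Files (x86)\ScreenConnect Client (9f1c)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    {"RecordId": 1, "Computer": "WS01", "EventID": 7, "Image": D + r"\DiskInfo64.exe",
     "ImageLoaded": D + r"\autorun.dll"},
    {"RecordId": 2, "Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": D + r"\DiskInfo64.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\vcredist_x64.dll" /qn'},
    {"RecordId": 3, "Computer": "WS01", "EventID": 3, "Image": SC, "DestinationIp": "193.42.11.108"},
    {"RecordId": 4, "Computer": "WS01", "EventID": 13, "Image": R + r"\SimpleRunPE.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": R + r"\vlc.exe"},
    {"RecordId": 5, "Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'schtasks.exe /create /tn Updater /tr "' + R + r'\vlc.exe" /sc onlogon'},
    {"RecordId": 6, "Computer": "WS01", "EventID": 13, "Image": R + r"\vlc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": 7, "Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ParentImage": R + r"\vlc.exe", "CommandLine": "RuntimeBroker.exe"},
    {"RecordId": 8, "Computer": "WS01", "EventID": 1, "Image": R + r"\m\lolMiner.exe",
     "ParentImage": r"C:\Windows\System32\RuntimeBroker.exe", "CommandLine": "lolMiner.exe"},
    {"RecordId": 9, "Computer": "WS02", "EventID": 3, "Image": SC, "DestinationIp": "203.0.113.10"},
    {"RecordId": 10, "Computer": "WS02", "EventID": 3, "Image": SC, "DestinationIp": "198.51.100.7"},
]

if __name__ == "__main__":
    for stage, refs in hunt(SAMPLE_EVENTS).items():
        print(f"{stage:34} {', '.join(refs)}")
```

Two caveats apply when turning this into production detections. The hollowing heuristic (a known loader name spawning a Windows binary) is a weak signal on its own and should be corroborated with the child's unexpected network activity or memory inspection. And ScreenConnect is a legitimate product, so the useful alert is not "ScreenConnect is present" but "a ScreenConnect client is talking to a relay that is not ours", which is why the example keeps an allowlist rather than matching only the single published C2 address.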

This combination of AI-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior.

Broader Implications:

This campaign shows attackers folding an emerging technology into a familiar playbook: the payload and the monetization are conventional, but the initial lure arrives through a channel users are inclined to trust. The use of AI chatbots as a distribution vector is a shift in delivery rather than in capability, and it calls for defenses that do not assume malicious links arrive only through search engines or email.

Users should treat software download links returned by AI chatbots with the same suspicion as sponsored or SEO-boosted search results: obtain utilities from the vendor's own site, verify the download (publisher signature or a hash the vendor publishes) before running it, and keep security software up to date.
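Much of this chain hinges on what is inside the archive before anything is launched: a legitimate executable sitting next to a DLL it will sideload, and an installer package wearing a .dll name. The following added example, which is not from the original article or from Microsoft, triages a ZIP offline for exactly those two patterns by checking each member's leading bytes against its extension and flagging executables bundled with DLLs in the same folder. The archive it inspects is constructed in memory with stand-in contents; the file names follow the write-up, but placing vcredist_x64.dll inside the archive is an assumption made for illustration (the write-up does not say where autorun.dll obtains it).

```python
"""Offline triage of a downloaded ZIP for the exe+DLL sideload pattern."""
import hashlib
import io
import posixpath
import zipfile

MZ = b"MZ"                                   # every PE (exe/dll) starts with this
OLECF = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header, used by .msi packages
PE_EXT = {".exe", ".dll"}


def classify(head: bytes) -> str:
    """Label a file by its leading bytes rather than by its extension."""
    if head.startswith(MZ):
        return "pe"
    if head.startswith(OLECF):
        return "olecf"
    return "other"


def triage_zip(data: bytes) -> dict:
    """Inspect every member; report extension/content mismatches and sideload candidates."""
    members: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            members[info.filename] = {"kind": classify(blob[:8]),
                                      "sha256": hashlib.sha256(blob).hexdigest()}
    findings: list[str] = []
    by_dir: dict[str, list[tuple[str, str, str]]] = {}
    for name, meta in members.items():
        folder, base = posixpath.split(name)
        ext = posixpath.splitext(base)[1].lower()
        by_dir.setdefault(folder, []).append((base, ext, meta["kind"]))
        # A .exe/.dll whose bytes are not a PE is wearing a false extension.
        if ext in PE_EXT and meta["kind"] != "pe":
            findings.append(f"{name}: .{ext[1:]} extension but content is {meta['kind']} (masquerade)")
    for folder, entries in by_dir.items():
        exes = [b for b, e, k in entries if e == ".exe" and k == "pe"]
        dlls = [b for b, e, k in entries if e == ".dll" and k == "pe"]
        if exes and dlls:  # a DLL beside the exe is the precondition for sideloading
            findings.append(f"{folder or '.'}: {', '.join(exes)} bundled with {', '.join(dlls)}; "
                            "sideloading candidate")
    return {"members": members, "findings": findings}


def build_sample_zip() -> bytes:
    """Constructed archive with stand-in contents; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CrystalDiskInfo/DiskInfo64.exe", MZ + b"\x00" * 62 + b"stand-in for the legitimate exe")
        zf.writestr("CrystalDiskInfo/autorun.dll", MZ + b"\x00" * 62 + b"stand-in for the rogue DLL")
        zf.writestr("CrystalDiskInfo/vcredist_x64.dll", OLECF + b"\x00" * 504)  # MSI bytes, .dll name
        zf.writestr("CrystalDiskInfo/readme.txt", "Thanks for downloading!")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for name, meta in report["members"].items():
        print(f"{meta['kind']:6} {meta['sha256'][:16]}  {name}")
    for finding in report["findings"]:
        print("!", finding)
```

This is a sanity check, not authenticity verification: an MZ header only says the file is a PE. To verify a download you still need the publisher's Authenticode signature (Get-AuthenticodeSignature or signtool verify on Windows) or a hash the vendor publishes, and you should compare the archive's contents with what the vendor's own package ships, since a legitimate utility rarely arrives with an unexpected DLL beside it.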

Organizations should pair detection controls with user education about AI-driven lures and, because ScreenConnect is a legitimate remote-management product, should alert on installations and client connections that are not part of a sanctioned deployment. Staying informed and proactive helps both individuals and organizations defend against these tactics.