A recently discovered strain of cryptomining malware has captured the attention of security teams worldwide by abusing the built-in Windows Character Map application as an execution host.
The threat actor initiates the attack through a PowerShell script that downloads and executes a heavily obfuscated AutoIt loader entirely in memory, avoiding disk writes and common detection methods.
Early indications suggest that this novel approach represents an evolution in cryptojacking tactics, with the malicious payload persistently injecting itself into legitimate Windows processes.
The infection begins when a compromised workstation reaches out to a rare external endpoint over HTTP, requesting a PowerShell script named infect.ps1.
Darktrace researchers identified this anomaly by detecting a new PowerShell user agent fingerprint, which triggered high-fidelity alerts tied to command-and-control activity.
Upon retrieval, the script decodes multiple Base64 and XOR-encoded blobs, reconstructs an AutoIt binary in the user’s AppData folder, and establishes persistence via a startup shortcut.
At each stage, the actor has embedded evasion measures, including registry checks and UAC bypass attempts, to ensure uninterrupted mining operations.
Once the AutoIt binary is launched, it performs process injection through charmap.exe (Windows Character Map). Darktrace analysts noted that the loader requests a handle to charmap.exe, allocates executable memory, and writes the decrypted NBMiner payload into that space.
By executing the miner inside a trusted Microsoft process, the malware sidesteps signature-based defenses in Windows Defender, allowing it to connect to remote mining pools undetected.
Targeted organizations have reported spikes in CPU usage and unexplained energy costs, underscoring the financial impact of these stealthy operations.
The final phase of the attack involves spawning the NBMiner process with arguments optimized for the KawPoW algorithm:
NBMiner.exe -a kawpow -o asia.ravenminer.com:3838 -u R9KVhfjiqSuSVcpYw5G8VDayPkjSipbiMb.worker -i 60
The actor hides the process window and implements anti-sandbox delays, only proceeding when Windows Defender is the sole antivirus present.
A lookup of DNS requests reveals repeated queries for monerooceans.stream and subsequent TCP connections to 152.53.121.6:10001, confirming active mining traffic.
Infection Mechanism
Digging deeper into the infection mechanism reveals a two-stage loader architecture. The initial PowerShell dropper embeds three encoded data segments: the AutoIt executable, a persistence script, and the injection stub.
After writing these files to %LOCALAPPDATA%, the script launches AutoIt to read and decode the second blob using XOR key 47.
The loader then bypasses UAC via Fodhelper, grants itself administrative privileges, and invokes charmap.exe for in-memory payload injection.
This chain of staging and obfuscation allows the malware to maintain a minimal footprint on disk while executing complex evasion routines.
By chaining these techniques, the adversary demonstrates a sophisticated understanding of Windows internals and Defender loopholes, raising the bar for detection and response.
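The behaviours described above (a PowerShell user agent fetching a .ps1, a binary launched from %LOCALAPPDATA%, charmap.exe with an unexpected parent or child, a KawPoW miner command line, and the mining-pool DNS and TCP indicators) can be turned into detection logic over endpoint telemetry. The following is an added example written for this article, not Darktrace's own detection code; the event records and the loader file name autoit_loader.exe are constructed, while the domains, IP, port and miner arguments are the ones quoted in the article.

```python
import re

# Constructed Sysmon-style telemetry (not from a real incident). The loader
# name "autoit_loader.exe" is a placeholder; the article does not name it.
SAMPLE_EVENTS = [
    {"type": "http", "user_agent": "WindowsPowerShell/5.1", "url": "http://example.invalid/infect.ps1"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\autoit_loader.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "autoit_loader.exe"},
    {"type": "process", "image": r"C:\Windows\System32\charmap.exe",
     "parent": r"C:\Users\u\AppData\Local\autoit_loader.exe", "cmdline": "charmap.exe"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\NBMiner.exe",
     "parent": r"C:\Windows\System32\charmap.exe",
     "cmdline": "NBMiner.exe -a kawpow -o asia.ravenminer.com:3838 -u R9KVhfjiqSuSVcpYw5G8VDayPkjSipbiMb.worker -i 60"},
    {"type": "dns", "query": "monerooceans.stream"},
    {"type": "network", "dst_ip": "152.53.121.6", "dst_port": 10001},
    # Benign control: a user opening Character Map from the shell must not fire.
    {"type": "process", "image": r"C:\Windows\System32\charmap.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "charmap.exe"},
]

# Network indicators quoted in the article.
KNOWN_DOMAINS = {"monerooceans.stream", "asia.ravenminer.com"}
KNOWN_ENDPOINTS = {("152.53.121.6", 10001)}
MINER_ARGS = re.compile(r"-a\s+kawpow|-o\s+\S+:\d+|\.worker\b")


def find_indicators(events):
    """Return (rule_name, evidence) tuples for every event matching a rule."""
    hits = []
    for e in events:
        t = e["type"]
        if t == "http":
            if "powershell" in e["user_agent"].lower() and e["url"].lower().endswith(".ps1"):
                hits.append(("powershell_script_download", e["url"]))
        elif t == "process":
            img, parent, cmd = (e[k].lower() for k in ("image", "parent", "cmdline"))
            if img.endswith("charmap.exe") and not parent.endswith("explorer.exe"):
                hits.append(("charmap_unusual_parent", e["parent"]))
            if parent.endswith("charmap.exe"):  # Character Map never spawns children
                hits.append(("charmap_spawned_child", e["image"]))
            if MINER_ARGS.search(cmd):
                hits.append(("miner_cmdline", e["image"]))
            if "\\appdata\\local\\" in img and parent.endswith("powershell.exe"):
                hits.append(("powershell_launched_appdata_binary", e["image"]))
        elif t == "dns" and e["query"].lower() in KNOWN_DOMAINS:
            hits.append(("dns_mining_pool", e["query"]))
        elif t == "network" and (e["dst_ip"], e["dst_port"]) in KNOWN_ENDPOINTS:
            hits.append(("tcp_mining_pool", f'{e["dst_ip"]}:{e["dst_port"]}'))
    return hits
```

Run against the constructed sample, the benign charmap.exe launched from explorer.exe produces no hit, while each stage of the described chain produces one.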