Full Report
Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts. "Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim
Analysis Summary
# Tool/Technique: Bespoke XMRig Cryptojacking Campaign
## Overview
A sophisticated, multi-stage cryptojacking campaign characterized by its worm-like propagation capabilities and the use of a Bring Your Own Vulnerable Driver (BYOVD) exploit to maximize Monero (XMR) mining hashrate. The campaign uses pirated software bundles as a lure.
## Technical Details
- Type: Malware (Cryptojacker/Worm component)
- Platform: Windows (Implied by mention of Windows Telemetry service and standard driver exploitation)
- Capabilities: Multi-stage modular infection, self-propagation via removable media, privilege escalation via BYOVD, XMR mining, evasion via logic bomb/self-destruct mechanism.
- First Seen: Evidence suggests activity spiked around December 8, 2025, with the report published in February 2026.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1192 - Spearphishing Link (via pirated software lures)
- TA0002 - Execution
  - T1204.002 - User Execution: Malicious File
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (implied by persistence modules)
- TA0004 - Privilege Escalation
  - T1210 - Exploitation of Remote Services (via worm propagation component)
  - T1068 - Exploitation for Privilege Escalation (specifically via CVE-2020-14979)
- TA0005 - Defense Evasion
  - T1490 - Inhibit System Recovery
- TA0007 - Discovery
  - T1082 - System Information Discovery (implied by environment validation)
- TA0010 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (if C2 interactions are standard HTTP/S)
- TA0011 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (expected for persistence modules)
- TA0018 - Impact
  - T1496 - Resource Hijacking (primary goal: CPU/cryptocurrency mining)
## Functionality
### Core Capabilities
* **Initial Access:** Deploys via malware-laced executables bundled with pirated software (social engineering decoys).
* **Modular Dropper:** A primary binary acts as an installer, watchdog, payload manager, and cleaner, managing infection lifecycle stages via command-line arguments.
* **Payload Delivery:** Drops components including a monitoring module, persistence modules, security tool termination routines, and the core XMRig miner DLL.
* **Cryptocurrency Mining:** Utilizes a bespoke XMRig miner variant focused on maximizing RandomX hashrate.
### Advanced Features
* **BYOVD Exploit:** Leverages a legitimate but flawed driver (`WinRing0x64.sys`) vulnerable to **CVE-2020-14979** for privilege escalation, allowing low-level CPU configuration adjustments (boosting mining performance by 15% to 50%).
* **Worm Functionality:** Actively spreads to other systems via removable storage devices, enabling lateral movement even in air-gapped networks.
* **Logic Bomb/Controlled Decommissioning:** Features a time-based logic bomb. If the system time is after December 23, 2025, the malware executes the `barusu` argument, terminating all components and deleting files ("controlled decommissioning").
* **DLL Sideloading:** Abuses legitimate mechanisms, such as sideloading the miner DLL via a legitimate Windows Telemetry service executable, so the mining code runs under a trusted process image.
* **Resiliency:** Modular design ensures persistence mechanisms and the miner can restart if the primary process is killed (indicated by the `016` argument).
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: `WinRing0x64.sys` (legitimate but vulnerable driver used).
- Registry Keys: Not explicitly mentioned, but persistence implies use of standard Windows mechanisms.
- Network Indicators: Not explicitly available, as the report focuses on payload and execution; C2 infrastructure likely drove the dropper's mode switches.
- Behavioral Indicators:
* A Windows Telemetry service executable loading an unexpected (sideloaded) DLL from a non-system location.
* Execution of the dropper binary with specific command-line arguments (`No parameters`, `002 Re:0`, `016`, `barusu`).
* Detection of the exploitation of **CVE-2020-14979** vulnerability in the target driver.
* Spikes in CPU utilization typical of aggressive Monero high-hashrate mining.
* Attempted file writing/replication on removable storage devices.
## Associated Threat Actors
The text does not name a specific threat actor group, only stating that Trellix researchers disclosed the campaign.
## Detection Methods
- Signature-based detection: Creating signatures for the bespoke XMRig payload and dropper hash(es).
- Behavioral detection: Monitoring for abuse of system services (like the Telemetry executable) for DLL sideloading, and detection of the privilege escalation chain involving CVE-2020-14979 exploitation.
- YARA rules: Can be written to detect specific strings or binary structures within the custom dropper or miner components.
## Mitigation Strategies
- **Patching/Vulnerability Management:** Ensure all drivers, especially those used by legitimate services, are patched to mitigate known vulnerabilities like CVE-2020-14979.
- **Application Control:** Restrict the execution of unsigned or untrusted executables, particularly those downloaded unexpectedly.
- **Endpoint Security:** Employ robust EDR solutions capable of detecting kernel/driver exploitation (BYOVD) and aggressive resource hijacking.
- **Preventing Worm Spread:** Ensure removable media scanning and write protection policies are enforced to block lateral spread via external drives.
- **User Awareness:** Increase vigilance against social engineering lures involving pirated or "free" premium software.
## Related Tools/Techniques
* **XMRig:** The underlying open-source Monero mining software, often abused by cryptojackers.
* **Bring Your Own Vulnerable Driver (BYOVD):** An established technique used to bypass security controls and achieve kernel-level execution/privilege escalation.
* **Wormable Malware:** Similar characteristics found in commodity malware that leverages removable media for self-propagation.
* **CVE-2020-14979:** The specific vulnerability exploited in the WinRing0 driver.