New Malware Abuses Windows Character Map to Evade Defender and Mine Crypto

Darktrace’s autonomous detection system first flagged suspicious activity when a desktop initiated an unusual HTTP connection using a PowerShell user agent.

The investigation traced the threat actor’s efforts to launch NBMiner, a publicly available cryptomining program, through a heavily obfuscated chain of scripts.

The attack began with the download of a PowerShell script, “infect.ps1”, from 45.141.87[.]195 on port 8000. The script dropped both legitimate and malicious binaries into the user’s AppData directory, including a signed copy of AutoIt.exe and multiple encoded payloads.

The attack’s most distinctive feature was its abuse of Windows’ built-in Character Map (charmap.exe), a signed Microsoft binary that ships with every installation.

Attackers used an AutoIt loader to inject the miner code directly into the process space of charmap.exe, so the mining activity appeared to originate from a trusted system utility rather than from a new executable on disk. That was enough to evade antivirus scrutiny, particularly where Windows Defender was the only antivirus software running.

The loader decrypted a hidden miner, ran a series of checks (whether Task Manager was open, what privileges the user held, and which antivirus was present), and bypassed User Account Control prompts using the Fodhelper technique for elevation. Fodhelper.exe is an auto-elevating Windows binary that reads a command from a per-user registry key (HKCU\Software\Classes\ms-settings\shell\open\command), so a medium-integrity process that writes that key gets its command run at high integrity without any prompt.
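The following is an added example, not code from the article or from Darktrace: a read-only triage script for the host-side artefacts described above. The registry path is the public Fodhelper UAC-bypass location, the drop folders and file-name patterns follow the article, and the MD5 is the loader hash from the IoC list at the end of the page. Run it in an elevated PowerShell session on a suspect host.

```powershell
# Added example, not from the article or from Darktrace. Read-only triage for the
# three host-side artefacts the article describes: the fodhelper registry key,
# charmap.exe holding network sockets, and loader/miner binaries under AppData.
function Invoke-CryptojackTriage {
    [CmdletBinding()]
    param(
        # MD5 of the NBMiner loader from the article's IoC list
        [string]$LoaderMd5 = 'db3534826b4f4dfd9f4a0de78e225ebb'
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. fodhelper.exe auto-elevates and, when this per-user key exists, runs its
    #    default value at high integrity with no UAC prompt. The key should not exist
    #    on a clean host; an empty DelegateExecute value is the usual tell.
    $fodKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    if (Test-Path $fodKey) {
        $props    = Get-ItemProperty -Path $fodKey
        $cmd      = $props.PSObject.Properties['(default)'].Value
        $delegate = $null -ne $props.PSObject.Properties['DelegateExecute']
        $findings.Add([pscustomobject]@{
            Check  = 'fodhelper UAC-bypass key'
            Detail = "command='$cmd' DelegateExecute=$delegate"
        })
    }

    # 2. charmap.exe has no reason to hold TCP connections or to be spawned by an
    #    AutoIt interpreter. Report every instance with its parent and socket count.
    foreach ($p in (Get-Process -Name charmap -ErrorAction SilentlyContinue)) {
        $ci     = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        $parent = if ($ci) { Get-Process -Id $ci.ParentProcessId -ErrorAction SilentlyContinue }
        $conns  = @(Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue)
        $remote = ($conns.RemoteAddress | Sort-Object -Unique) -join ','
        $findings.Add([pscustomobject]@{
            Check  = 'charmap.exe instance'
            Detail = "PID $($p.Id) parent=$($parent.ProcessName) ($($ci.ParentProcessId)) establishedTCP=$($conns.Count) remote=$remote"
        })
    }

    # 3. An AutoIt interpreter or a miner under AppData is out of place. Hash each
    #    candidate so it can be compared with the published IoC, and check its signature.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }
    $candidates = Get-ChildItem -Path $roots -Recurse -File -Include 'AutoIt*.exe', 'nbminer*.exe' -ErrorAction SilentlyContinue
    foreach ($f in $candidates) {
        $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash.ToLower()
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $findings.Add([pscustomobject]@{
            Check  = 'dropped binary in AppData'
            Detail = "$($f.FullName) md5=$md5 iocMatch=$($md5 -eq $LoaderMd5) signature=$($sig.Status)"
        })
    }

    return $findings
}

$results = Invoke-CryptojackTriage
if ($results.Count -eq 0) { 'No fodhelper key, charmap.exe instance, or AppData drop found.' }
else { $results | Format-Table -AutoSize -Wrap }
```

A signed AutoIt.exe under AppData will report a valid signature, which is exactly why the attackers chose it: the signature check tells you the file is genuine, not that its presence is legitimate, so treat the location and the hash match as the signal.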

Stopping a Stealthy Cryptojacking Campaign

Once launched, the cryptominer operated stealthily by hiding its process window and automatically connecting to external mining pools, such as asia.ravenminer[.]com and monerooceans[.]stream, to generate profits for the attacker.

The malware established persistence, re-downloaded itself if its process was terminated, and began mining immediately on execution.

Darktrace’s platform observed the infected device’s traffic patterns, including DNS requests for and high-frequency connections to known Monero mining endpoints, which triggered multiple high-fidelity alerts. The speed of the autonomous response was what limited the damage.

Darktrace immediately blocked the device’s outbound communications, preventing the malware from establishing a connection to the mining pool and stopping more than 130 attempted connections to external endpoints.
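The detection described above, as an added example that is not part of the article or of Darktrace’s product: refang the published indicators and sweep proxy- or DNS-style log lines for hosts that contact them, alerting when one source host exceeds a hit threshold. The indicators are the page’s own; the log lines are constructed for illustration and the threshold is an assumed value.

```powershell
# Added example, not from the article or from Darktrace: match log lines against
# the page's network IoCs and flag hosts that beacon to them at high frequency.

$defangedIocs = @(
    '45.141.87[.]195'
    'gulf.moneroocean[.]stream'
    'monerooceans[.]stream'
    '152.53.121[.]6'
    'api[.]chimera-hosting[.]zip'
)
# Published lists write [.] so the indicators are not clickable; logs contain real dots.
$iocs = $defangedIocs | ForEach-Object { $_ -replace '\[\.\]', '.' }

function Find-MinerBeacons {
    param(
        [string[]]$Lines,
        [string[]]$Indicators,
        [int]$Threshold = 5   # assumed value: IoC hits per source host that warrant an alert
    )
    $hits = foreach ($line in $Lines) {
        # expected shape: <timestamp> <source-host> <destination> <port>
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        $dest = $f[2]
        # hostname IoCs also cover subdomains; IP IoCs must match exactly
        $ioc = $Indicators | Where-Object { $dest -eq $_ -or $dest -like "*.$_" } | Select-Object -First 1
        if ($ioc) {
            [pscustomobject]@{ Time = $f[0]; Source = $f[1]; Destination = $dest; Port = $f[3]; Ioc = $ioc }
        }
    }
    $hits | Group-Object -Property Source | ForEach-Object {
        [pscustomobject]@{
            Source       = $_.Name
            IocHits      = $_.Count
            Destinations = ($_.Group.Destination | Sort-Object -Unique) -join ', '
            Alert        = $_.Count -ge $Threshold
        }
    }
}

# Constructed sample: ws-114 pulls the script, fetches the miner, then hammers two
# pool endpoints; ws-077 touches a pool IP once; ws-022 only browses normally.
$sampleLog = @(
    '2025-05-01T09:00:01Z ws-114 45.141.87.195 8000'
    '2025-05-01T09:00:07Z ws-114 api.chimera-hosting.zip 443'
    '2025-05-01T09:00:09Z ws-022 www.example.com 443'
    '2025-05-01T09:00:30Z ws-077 152.53.121.6 10001'
)
$sampleLog += 1..6 | ForEach-Object { '2025-05-01T09:01:{0:D2}Z ws-114 gulf.moneroocean.stream 10001' -f $_ }
$sampleLog += 1..6 | ForEach-Object { '2025-05-01T09:02:{0:D2}Z ws-114 152.53.121.6 10001' -f $_ }

Find-MinerBeacons -Lines $sampleLog -Indicators $iocs | Format-Table -AutoSize
```

On the constructed input ws-114 accumulates 14 hits across four indicators and is alerted, while ws-077, with a single hit, is reported but stays below the threshold; in practice that single hit still deserves a look, since a pool connection has no benign explanation on a corporate workstation.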

Malware analysis revealed heavy obfuscation, the use of a legitimate signed binary (AutoIt) as a loader, registry key manipulation for persistence, and process injection into a trusted Windows application: tactics designed to frustrate both analysts and static detection tools.

Expert Insights and Lessons Learned

This case underscores the rising threat of adaptive cryptojacking malware, which is easily dismissed as a low-severity policy violation but drains productivity, increases energy bills, creates privacy risks, and shows that an attacker already holds elevated code execution on the host.

Darktrace’s AI-driven, anomaly-based detection was able to catch the attack in its infancy, mapping the entire kill chain and delivering a rapid, automated mitigation.

As cryptomining becomes increasingly lucrative, organizations must remain vigilant with advanced, AI-enabled defensive capabilities to detect and halt these stealthy, resource-draining attacks at the earliest possible stage.

List of Indicators of Compromise (IoCs)

(IoC – Type – Description)

·      45.141.87[.]195:8000/infect.ps1 – IP address, destination port, script – Malicious PowerShell script

·      gulf.moneroocean[.]stream – Hostname – Monero mining endpoint

·      monerooceans[.]stream – Hostname – Monero mining endpoint

·      152.53.121[.]6:10001 – IP address, destination port – Monero mining endpoint

·      152.53.121[.]6 – IP address – Monero mining endpoint

·      https://api[.]chimera-hosting[.]zip/frfnhis/zdpaGgLMav/nbminer[.]exe – Hostname, executable file – NBMiner download

·      db3534826b4f4dfd9f4a0de78e225ebb – MD5 hash – NBMiner loader


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights the technical indicators and attack patterns that matter to defenders.
