Stealth in Plain Sight: Cryptojackers Hijack PowerShell and Windows Processes to Evade Detection
The article describes a cryptojacking attack in which a PowerShell script was used to inject NBMiner. The malicious activity disguised itself as normal system behaviour and exploited default configurations to hide its traces. Researchers point out that such attacks not only steal computing resources and drive up energy consumption, but can also pave the way for larger-scale network intrusions. Experts advise organizations to adopt layered security measures against this kind of threat, including network traffic analysis and real-time endpoint monitoring, so that potential risks are detected and handled promptly. 2025-9-18 08:23:35 Author: securityboulevard.com

Bad actors have become increasingly adept at disguising their attacks as normal system behavior and exploiting default configurations, as demonstrated by a recent cryptojacking attempt. The miscreants attempted to use PowerShell scripts to inject NBMiner into Windows processes and subsequently escalate privileges.

“Unlike other widespread attacks such as ransomware, which disrupt operations and block access to data, cryptomining malware steals and drains computing and energy resources for mining to reduce the attacker’s personal costs and increase ‘profits earned from mining,’” wrote researchers from Darktrace, who discovered this attempted attack during the summer.

“The impact on targeted organizations can be significant, ranging from data privacy concerns and reduced productivity to higher energy bills,” they noted. 


In this latest incident, Darktrace detected and was able to contain an attempted cryptojacking that occurred on the network of one of its customers in the retail and e-commerce industry.

“The threat was detected when a threat actor attempted to use a PowerShell script to download and run NBMiner directly in memory,” the researchers wrote.

Noting that a new PowerShell user agent was used during a connection to an external and rare endpoint — a clear indication that bad actors were attempting remote code execution — Darktrace investigated further. By analyzing the endpoint and the payload downloaded, researchers determined “it was a dropper used to deliver an obfuscated AutoIt loader,” an attribution “further supported by open-source intelligence (OSINT) reporting.”

They noted that “the loader likely then injected NBMiner into a legitimate process on the customer’s environment – the first documented case of NBMiner being dropped in this way.”

Once the payload was downloaded and executed, “the infected device is expected to attempt connections to cryptomining endpoints,” the researchers found.
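The network-side signal described above (a host's first use of a PowerShell user agent, made to an external endpoint that few other hosts in the environment contact) can be reduced to a small rarity check over proxy logs. The following is an added example written for this article, not Darktrace's detection logic; the log format, hostnames and the user-agent regex are my own assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple

# Assumed user-agent families: Windows PowerShell 5.x sends "WindowsPowerShell/5.x",
# PowerShell 7+ sends "PowerShell/7.x". This regex is mine, not a vendor rule.
POWERSHELL_UA = re.compile(r"\b(WindowsPowerShell|PowerShell)/\d")

# Constructed sample proxy log: "timestamp src_host dest_host user_agent" (chronological).
PROXY_LOG = """\
2025-08-01T09:00:01 ws-012 updates.example-vendor.test Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-08-01T09:00:05 ws-044 updates.example-vendor.test Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-08-01T09:01:10 ws-012 cdn.example-vendor.test WindowsPowerShell/5.1.19041.1
2025-08-01T09:01:12 ws-044 cdn.example-vendor.test WindowsPowerShell/5.1.19041.1
2025-08-01T09:02:30 ws-019 cdn.example-vendor.test Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1
2025-08-02T14:20:00 ws-031 files.rare-host.test Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1
2025-08-02T14:21:00 ws-031 pool.rare-host.test Mozilla/5.0 (Windows NT 10.0) Chrome/120
"""

class Alert(NamedTuple):
    ts: str
    src: str
    dest: str
    reason: str

def parse(log_text: str):
    """Split each line into (ts, src, dest, ua); the user agent may contain spaces."""
    return [tuple(p) for p in (l.split(maxsplit=3) for l in log_text.splitlines()) if len(p) == 4]

def detect(log_text: str, rare_threshold: int = 1) -> List[Alert]:
    """Flag a host's first PowerShell user agent when it targets an endpoint contacted by
    at most `rare_threshold` distinct hosts. Routine PowerShell traffic to shared
    endpoints (e.g. a vendor CDN used by many hosts) is deliberately not flagged."""
    events = parse(log_text)
    hosts_per_dest = defaultdict(set)        # rarity baseline: distinct hosts per destination
    for _, src, dest, _ in events:
        hosts_per_dest[dest].add(src)
    seen_ps_ua = set()                       # hosts that have already used a PowerShell UA
    alerts = []
    for ts, src, dest, ua in events:
        if not POWERSHELL_UA.search(ua):
            continue
        first_use = src not in seen_ps_ua
        seen_ps_ua.add(src)
        n_hosts = len(hosts_per_dest[dest])
        if first_use and n_hosts <= rare_threshold:
            alerts.append(Alert(ts, src, dest,
                                f"new PowerShell user agent to rare endpoint ({n_hosts} host(s) total)"))
    return alerts

if __name__ == "__main__":
    for alert in detect(PROXY_LOG):
        print(alert)
```

On the sample data only ws-031's request to files.rare-host.test is raised; the same check is what an NDR or SIEM correlation would escalate to the endpoint team for process-level review.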

Experts warn against taking cryptojacking lightly. While it may seem like more of an inconvenience than a major threat, says James Maude, Field CTO at BeyondTrust, “it is a symptom of a broader endpoint security challenge.”

Maude explains that if an endpoint “can be cryptojacked, then credentials, secrets and sessions on that endpoint could also be ‘jacked’ leading to broader identity risks as attackers use these to pivot into the cloud or other systems.” 

Jason Soroko, senior fellow at Sectigo, agrees that organizations should treat modern cryptojacking “as an intrusion signal, not a harmless nuisance” since adversaries “can land through script-based payloads that execute directly in memory and then hide inside trusted Windows processes, while quietly elevating privileges through known UAC weaknesses.”

That’s on top of the real energy and reliability costs the mining payloads create and the cover they can provide “for a broader campaign that scouts the environment and harvests credentials,” Soroko says.

And this particular attack chain, like some others, is harder to detect. It typifies modern threats by “combining scripts with legitimate native tools such as PowerShell as well as signed third-party binaries from trusted vendors,” says Maude. “This hybrid living off the land approach uses legitimate applications alongside some anti-sandboxing evasion techniques, allowing threat actors to effectively evade detection.”

That “sneaky use of built-in Windows tools shows how attackers are getting better at hiding cryptojacking,” says J Stephen Kowski, Field CTO at SlashNext Email Security.

And while AV and EDR products have improved significantly more recently, Maude says, “there continue to be many ways to evade detection even with the unsubtle approach of naming the malicious script ‘infect.ps1.’”

To defend against these attacks, Nathaniel Jones, vice president, security and AI strategy and Field CISO at Darktrace, says organizations should take a layered approach, using a variety of solutions such as Network Detection and Response (NDR) for network traffic analysis, Endpoint Detection and Response (EDR) for real-time endpoint monitoring, and possibly a Security Information and Event Management (SIEM) system for data correlation.

“This combination effectively detects cryptojacking activities concealed within legitimate Windows processes by monitoring network patterns, process behavior, and aggregating security events across your environment,” Jones says.

But don’t dally, he warns. “Escalation should be swift and structured,” he says, starting with alerting “your internal security team to contain the threat and launch an investigation,” then bringing in an MSSP, if needed, to support deeper analysis and remediation with their expertise and resources. “This layered approach ensures cryptojacking incidents are handled quickly, thoroughly and responsibly,” Jones contends.

Source: https://securityboulevard.com/2025/09/stealth-in-plain-sight-cryptojackers-hijack-powershell-and-windows-processes-to-evade-detection/