Wormable XMRig campaign leverages BYOVD and timed kill switch for stealth
Pierluigi Paganini February 23, 2026

A wormable cryptojacking campaign spreads via pirated software, using BYOVD and a time-based logic bomb to deploy a custom XMRig miner.

Researchers uncovered a wormable cryptojacking campaign that spreads through pirated software bundles to deploy a custom XMRig miner. The attack uses a BYOVD exploit and a time-based logic bomb to evade detection and maximize mining output. Its multi-stage infection chain focuses on boosting cryptocurrency hashrate, often pushing infected systems to instability in the process.

The campaign spreads through pirated “premium” software installers that drop a sophisticated XMRig-based miner. At its core is a controller binary named Explorer.exe, borrowing the name of the Windows shell, built as a persistent state machine that picks its role from the command-line arguments it is launched with: installer, watchdog, payload manager or cleaner.

“The ‘Explorer.exe’ binary functions as the primary orchestration node for the infection. In traditional malware design, functionality is often compartmentalized into a linear execution flow: a dropper downloads a payload, executes it, and exits. Explorer.exe (controller), however, operates as a persistent state machine.” reads the report published by Trellix. “It determines its behavioral mode based on the specific command-line arguments passed to it during execution, allowing a single binary file to serve multiple distinct operational roles within the infection lifecycle: installer, watchdog, payload manager, and cleaner.”

It separates logic (“brain”) from payloads (“brawn”), which include the miner, watchdogs, and a vulnerable driver (BYOVD) for kernel access.

The kernel access comes from BYOVD (Bring Your Own Vulnerable Driver): rather than writing and signing a driver of its own, the malware loads WinRing0x64.sys, an old but legitimately signed hardware-access driver. It is the same driver the open-source XMRig miner ships for its own MSR tuning, and it exposes read and write of Model Specific Registers and I/O ports, among other hardware primitives, to any user-mode process that can open its device object. Once it is loaded, the controller therefore has Ring 0 primitives without ever running kernel code of its own. Two practical points follow. Loading a driver still requires administrator rights, which a pirated installer obtains the moment the user accepts its elevation prompt. And because the driver carries a valid signature, code-integrity checks alone do not stop it; only a driver blocklist that actually lists it (Microsoft's vulnerable driver blocklist, or a WDAC policy that denies it) or detection on the driver-load event itself does.

With that access the controller rewrites Model Specific Registers to turn off the CPU's hardware prefetchers. RandomX, Monero's proof-of-work, is built around unpredictable accesses into a large scratchpad, so prefetchers mostly pull in lines that are never used and evict lines that are still needed; disabling them cuts those cache conflicts, and the report puts the resulting gain at 15% to 50%. Stock XMRig performs the same MSR tweak when run with administrator rights, which is why the driver is part of its normal distribution. What is abusive here is doing it silently on someone else's hardware, where the changed registers also outlive the mining process and are only restored by an explicit write back or a reboot.

Payloads are embedded in the binary’s resource section, decompressed, written to disk as hidden system files, and disguised as legitimate software. A circular watchdog system ensures components relaunch each other if terminated, aggressively restarting the miner and even killing the real Windows Explorer to disrupt users.

The controller also carries a hardcoded time-based kill switch: on or after December 23, 2025 it runs a controlled cleanup routine instead of infecting. Since that date has already passed, a sample detonated today in a sandbox with a live clock will only ever show the cleanup branch; to observe the installer and watchdog behaviour an analyst has to roll the system clock back before the deadline, or patch the comparison.

“A significant discovery within the sub_14000D180 function is a hardcoded temporal check, serving as a ‘kill switch’ or ‘time bomb.’ This mechanism operates by retrieving the local system time and comparing it against a predetermined deadline: December 23, 2025.” continues the report. “The malware’s behavior diverges based on this date:

  • Active phase (Pre-Dec 23, 2025): The malware proceeds with the standard infection routine, installing the persistence modules and launching the miner.
  • Expiration phase (Post-Dec 23, 2025): This suggests that the campaign is not intended to be an indefinite operation. It implies a “fire-and-forget” lifecycle, possibly timed to coincide with the expiration of rented Command & Control (C2) infrastructure, a predicted shift in the cryptocurrency market (specifically Monero difficulty adjustments), or a planned transition to a new malware variant.”

The variant also carries a worm module, so it does not depend on downloads alone. Rather than polling drive letters, it waits for the Windows device-arrival notification and reacts when a removable drive appears: it copies its explorer.exe onto the drive inside a hidden folder and drops a shortcut at the root that carries the drive's own icon. On the next machine, a user who double-clicks that shortcut expecting to open the drive launches the malware instead. The shortcut is a lure, not an autorun: Windows has not executed code automatically from USB media for years, so propagation needs the click. The .lnk extension helps the lure because Explorer hides it even when known extensions are set to be shown, so the file looks exactly like a drive.
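The controller masquerade, the WinRing0 driver load and the USB drop described above are all visible in ordinary endpoint telemetry, and correlating them is more robust than matching any single artifact. What follows is an added example written for this article, not code from the Trellix report or from the malware: a small Python triage over Sysmon-style events (process creation, driver load, file creation) that flags an explorer.exe running from anywhere but its legitimate paths, flags a load of WinRing0x64.sys, and then uses the flagged process to attribute copies of explorer.exe and root-level shortcuts written to another volume. The event lines, paths, ProcessGuids and the `-watchdog` argument are constructed for illustration; the report does not publish those values.

```python
"""Correlate Sysmon-style events into findings for the infection chain described above.

Added example: the event lines are constructed, not captured. Field names follow the
Sysmon schema (EventID, Image, CommandLine, ImageLoaded, TargetFilename, ProcessGuid);
every path, GUID and argument value below is an assumption for illustration only.
"""
import json
from pathlib import PureWindowsPath

# Driver named in the report; the second name is the 32-bit build of the same package.
VULNERABLE_DRIVERS = {"winring0x64.sys", "winring0.sys"}

# Legitimate on-disk locations of the Windows shell binary on a 64-bit install.
LEGIT_EXPLORER = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}
DRIVER_DIR = r"c:\windows\system32\drivers"


def _norm(path):
    """Case-fold a Windows path for comparison."""
    return str(PureWindowsPath(path)).lower()


def _is_volume_root(path):
    """True for E:\\name.ext, False for E:\\dir\\name.ext."""
    return str(path.parent) == path.anchor


def triage(event_lines):
    """Return a list of findings, each {'rule': ..., 'detail': ...}, in event order."""
    findings = []
    suspect_guids = set()  # explorer.exe processes running from the wrong path

    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")

        if eid == 1:  # ProcessCreate: the controller borrows the shell's name
            img = PureWindowsPath(ev["Image"])
            if img.name.lower() == "explorer.exe" and _norm(img) not in LEGIT_EXPLORER:
                suspect_guids.add(ev["ProcessGuid"])
                findings.append({"rule": "explorer_masquerade",
                                 "detail": f"{img} args={ev.get('CommandLine', '')!r}"})

        elif eid == 6:  # DriverLoad: BYOVD, so the signature fields are deliberately ignored
            drv = PureWindowsPath(ev["ImageLoaded"])
            if drv.name.lower() in VULNERABLE_DRIVERS:
                where = ("standard driver dir" if _norm(drv.parent) == DRIVER_DIR
                         else "non-standard path")
                findings.append({"rule": "byovd_driver_load",
                                 "detail": f"{drv.name} loaded from {where}: {drv}"})

        elif eid == 11 and ev.get("ProcessGuid") in suspect_guids:  # FileCreate by a suspect
            target = PureWindowsPath(ev["TargetFilename"])
            if target.name.lower() == "explorer.exe" and _norm(target) not in LEGIT_EXPLORER:
                findings.append({"rule": "worm_copy", "detail": str(target)})
            elif target.suffix.lower() == ".lnk" and _is_volume_root(target):
                findings.append({"rule": "usb_lnk_drop", "detail": str(target)})

    return findings


# Constructed telemetry as JSON lines. {b2} is the suspect controller, {a1} the real shell.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{a1}", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}
{"EventID": 1, "ProcessGuid": "{b2}", "Image": "C:\\ProgramData\\Sys\\Explorer.exe", "CommandLine": "Explorer.exe -watchdog"}
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\Sys\\WinRing0x64.sys", "Signed": "true"}
{"EventID": 11, "ProcessGuid": "{b2}", "TargetFilename": "E:\\.sys\\explorer.exe"}
{"EventID": 11, "ProcessGuid": "{b2}", "TargetFilename": "E:\\USB_DRIVE.lnk"}
{"EventID": 11, "ProcessGuid": "{a1}", "TargetFilename": "C:\\Users\\bob\\Desktop\\notes.lnk"}
""".strip().splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['detail']}")
```

Two design points. The driver rule fires regardless of the `Signed` field because a valid signature is exactly what the report says makes BYOVD work, and it also fires from the standard drivers directory, since hardware-monitoring utilities ship the same driver; weigh that finding against the loading process rather than suppressing it. The worm rules are gated on a process already flagged as a masquerading explorer.exe, which is what keeps the real shell's everyday shortcut creation (the last sample line) out of the output; Sysmon file-create events carry no file attributes, so the hidden-folder detail from the report cannot be checked at this layer.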

The threat actor appears to be testing the infection chain and persistence features, including the “Barusu” kill switch, on a limited number of systems before scaling up. Mining pool data shows one active worker with a modest hashrate, with sporadic activity in November 2025 and a noticeable spike starting December 8, suggesting a fresh rollout or activation of new infected nodes.

“This campaign serves as a potent reminder that commodity malware continues to innovate. By chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet.” concludes the report. “The use of the BYOVD technique, in particular, highlights a critical weakness in modern OS security models: the trust placed in signed drivers.”

Source: https://securityaffairs.com/188388/malware/wormable-xmrig-campaign-leverages-byovd-and-timed-kill-switch-for-stealth.html