Darktrace has identified a new type of cryptojacking activity that can bypass Windows Defender.
According to CoinWorld, the cybersecurity company Darktrace has discovered a new cryptojacking campaign designed to bypass Windows Defender and deploy crypto mining software. Darktrace researchers Keanna Grelicha and Tara Gould explained in a report shared with crypto.news that the campaign was first identified in late July and involves a multi-stage infection chain that stealthily hijacks a computer's processing power to mine crypto assets.

The researchers stated that the campaign specifically targets Windows-based systems and uses PowerShell (Microsoft's built-in command-line shell and scripting language), which allows malicious actors to run malware scripts and gain privileged access to the host system. These scripts are designed to run directly in system memory (RAM), so traditional antivirus tools, which typically rely on scanning files on the system hard drive, are unable to detect the malicious processes. The attackers then inject the malicious payload into legitimate Windows processes using the AutoIt programming language (a tool often used by IT professionals to automate tasks on Windows), and download and execute crypto mining programs without leaving obvious traces on the system.

As an additional measure to avoid detection, the payload is programmed to perform a series of environmental checks, such as scanning for signs of sandbox environments and checking for installed antivirus products on the host. Execution continues only if Windows Defender is the only active protection. Moreover, if the infected user account lacks administrative privileges, the program attempts to bypass User Account Control to gain higher access. When these conditions are met, the program downloads and executes NBMiner, a well-known crypto mining tool that uses the computer's graphics processing unit to mine crypto assets such as Ravencoin (RVN) and Monero (XMR).
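For defenders, the chain described above (in-memory PowerShell, then an AutoIt loader, then a miner launch) can be hunted as an ordered sequence on one host. The following is an added example, not code from Darktrace's report: it assumes process-creation events with an image path and command line, and the stage markers and all sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

def _base(e):
    return e["image"].lower().rsplit("\\", 1)[-1]  # file name without the path

# Stage heuristics are assumptions for this example, not indicators from the report.
PS_MARKERS = ("-encodedcommand", "invoke-expression", "downloadstring")
STAGES = [
    ("powershell_in_memory", lambda e: _base(e) == "powershell.exe"
        and any(m in e["cmdline"].lower() for m in PS_MARKERS)),
    ("autoit_loader", lambda e: _base(e) in ("autoit3.exe", "autoit3_x64.exe")),
    ("miner_launch", lambda e: _base(e).startswith("nbminer")
        or "stratum+" in e["cmdline"].lower()),
]

def find_chains(events, window=timedelta(minutes=15)):
    """Return hosts on which all stages occur in order within `window`."""
    flagged, state = [], {}  # state: host -> (next stage index, time of first stage)
    for e in sorted(events, key=lambda e: e["ts"]):
        idx, start = state.get(e["host"], (0, None))
        if start is not None and e["ts"] - start > window:
            idx, start = 0, None  # partial chain went stale, start over
        if STAGES[idx][1](e):
            start = start or e["ts"]
            idx += 1
            if idx == len(STAGES):
                flagged.append(e["host"])
                idx, start = 0, None
        state[e["host"]] = (idx, start)
    return flagged

def ev(host, hms, image, cmdline):
    return {"host": host, "ts": datetime.fromisoformat(f"2025-01-01T{hms}"),
            "image": image, "cmdline": cmdline}

# Constructed process-creation events; hosts, paths and arguments are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ev("WS-03", "08:00:00", PS, "powershell.exe -EncodedCommand <constructed>"),
    ev("WS-03", "08:02:00", r"C:\Temp\AutoIt3.exe", "AutoIt3.exe job.a3x"),
    ev("WS-02", "09:00:00", PS, r"powershell.exe -File C:\Scripts\backup.ps1"),
    ev("WS-02", "09:05:00", r"C:\Tools\AutoIt3.exe", "AutoIt3.exe inventory.au3"),
    ev("WS-01", "10:00:00", PS, "powershell.exe -NoProfile -EncodedCommand <constructed>"),
    ev("WS-01", "10:01:10", r"C:\Users\Public\AutoIt3.exe", "AutoIt3.exe loader.a3x"),
    ev("WS-01", "10:03:00", r"C:\Temp\nbminer.exe", "nbminer.exe -a kawpow -o stratum+tcp://pool.example.invalid:3333"),
    ev("WS-03", "11:00:00", r"C:\Temp\nbminer.exe", "nbminer.exe -a kawpow -o stratum+tcp://pool.example.invalid:3333"),
]

if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

Only WS-01 is flagged: WS-02 shows ordinary PowerShell and AutoIt administration, and WS-03 completes the sequence outside the 15-minute window. Because the report describes the payload being injected into legitimate processes, a miner may never appear under its own image name, so this sequence check complements network-level detection of outbound pool connections.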
In this instance, Darktrace was able to contain the attack through its autonomous response system by "blocking the device from establishing outbound connections and preventing specific connections to suspicious endpoints." Darktrace researchers wrote, "As crypto assets become more popular, as evidenced by the continued overestimation of global crypto market capitalization (close to $4 trillion at the time of writing), threat actors will continue to view crypto mining as a lucrative venture."

Back in July, Darktrace flagged a separate campaign in which malicious actors employed complex social engineering tactics (such as impersonating legitimate companies) to trick users into downloading modified software that deployed malware to steal crypto assets. Unlike the cryptojacking scheme described above, this method targets both Windows and macOS systems and is executed by unsuspecting victims themselves, who believe they are interacting with company insiders.