AI Chatbots Now Leading Users to Cryptojacking Malware

Cybercriminals are increasingly using AI chatbots as a channel for malware distribution, a new report from Microsoft reveals. Alongside traditional search engine poisoning, attacker-controlled download sites are now surfacing in AI-generated answers, sending unsuspecting users to pages that deliver cryptojacking malware. The lures are system utilities favoured by owners of high-performance GPUs, the machines that yield the most mining profit.

Key Takeaways

  • AI chatbot responses are surfacing links to sites that deliver cryptojacking malware.

  • The campaign targets users with high-performance GPUs by impersonating popular hardware utilities.

  • The operators also install ScreenConnect to keep persistent remote access for follow-on activity.

A New Frontier for Cyberattacks

Microsoft has issued a warning about an active cryptojacking campaign that uses AI chatbot interactions as a new way of surfacing malicious download sites. This delivery technique extends the operators' social engineering beyond conventional search results and gives the malicious downloads a visibility that poisoned search listings alone would not provide.

Impersonating Trusted Utilities

The campaign impersonates legitimate system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. This strategy is designed to appeal to users who own high-performance GPUs, as these systems are more valuable for cryptocurrency mining. The goal is to compromise machines with higher mining potential rather than indiscriminately infecting a large number of devices.

Beyond Mining: Persistent Access

The threat actors' objectives are not solely financial. They have also been observed deploying ScreenConnect, ConnectWise's legitimate remote-support tool, to establish persistent remote access to compromised hosts. That access can be used for subsequent malicious activity, including data theft, lateral movement within networks, or the deployment of ransomware.

The Attack Chain

The attack begins when users search for system utilities or hardware-monitoring software. Malicious sites, pushed up the rankings through SEO poisoning, appear in the search results. More recently, users are being directed to the same sites through interactions with large language model (LLM)-based tools: when users ask an AI chatbot where to download a utility, the generated response includes links to attacker-controlled domains. These sites host a ZIP archive containing a legitimate, signed executable and a malicious DLL placed beside it. When the executable is launched, it loads the attacker's DLL from its own directory (DLL sideloading), and that DLL installs ScreenConnect. Once installed, ScreenConnect connects to an attacker-controlled server, which is then used to deploy further malware, including cryptominers.
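The chain above has two observable pivots a defender can hunt for: a signed utility loading an unsigned DLL from a user-writable folder next to itself, followed shortly by a ScreenConnect client starting and calling out. The script below is an added example written for this article, not detection logic from Microsoft's report or from the article; it runs that correlation over constructed Sysmon-style events (process create, image load, network connection). Host names, file paths, the DLL name and the destination IP are all invented for the example and are not indicators from the campaign.

```python
"""Correlate DLL sideloading with a follow-on ScreenConnect install.

Added example for this article (not the report's own detection logic).
Events mimic Sysmon IDs 1 (process create), 7 (image load) and 3 (network
connection) in simplified form. All names, paths and addresses below are
constructed for the example and are not indicators from the campaign.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Folders an ordinary user can write to. A signed executable loading an
# unsigned DLL from one of these, next to itself, is the sideload pattern
# described in the attack chain.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def _is_user_writable(path):
    return any(part in path.lower() for part in USER_WRITABLE)


def _same_dir(a, b):
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def find_sideload_candidates(events):
    """Return image-load events where a signed process loaded an unsigned DLL
    from its own directory inside a user-writable location."""
    hits = []
    for ev in events:
        if ev["event_id"] != 7:
            continue
        exe, dll = ev["image"], ev["image_loaded"]
        if (dll.lower().endswith(".dll") and _same_dir(exe, dll)
                and _is_user_writable(dll)
                and ev.get("process_signed") and not ev.get("dll_signed")):
            hits.append(ev)
    return hits


def correlate_chain(events, window=timedelta(minutes=30)):
    """For each sideload candidate, look on the same host within the window for
    a ScreenConnect client starting and connecting to a non-RFC1918 address."""
    chains = []
    for sl in find_sideload_candidates(events):
        t0 = sl["time"]
        later = [e for e in events
                 if e["host"] == sl["host"] and t0 <= e["time"] <= t0 + window]
        sc_proc = [e for e in later if e["event_id"] == 1
                   and "screenconnect" in e["image"].lower()]
        sc_net = [e for e in later if e["event_id"] == 3
                  and "screenconnect" in e["image"].lower()
                  # crude private-range filter; refine for production use
                  and not e["dest_ip"].startswith(("10.", "192.168.", "172.16."))]
        if sc_proc and sc_net:
            chains.append({"host": sl["host"], "sideload": sl,
                           "rat_process": sc_proc[0], "c2": sc_net[0]})
    return chains


# Constructed sample telemetry (hypothetical hosts, paths, DLL name and IP).
T = datetime(2025, 1, 1, 9, 0)
SC_EXE = r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    # WS-01: user ran the trojanised archive from Downloads; the signed
    # utility loads an unsigned DLL sitting next to it ...
    {"event_id": 7, "time": T, "host": "WS-01",
     "image": r"C:\Users\alice\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "image_loaded": r"C:\Users\alice\Downloads\CrystalDiskInfo\helper.dll",
     "process_signed": True, "dll_signed": False},
    # ... then a ScreenConnect client appears and calls out to the internet.
    {"event_id": 1, "time": T + timedelta(minutes=2), "host": "WS-01", "image": SC_EXE},
    {"event_id": 3, "time": T + timedelta(minutes=3), "host": "WS-01", "image": SC_EXE,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # WS-02: the genuine utility installed under Program Files loads a signed
    # DLL from its own folder. Same shape, but benign: not flagged.
    {"event_id": 7, "time": T, "host": "WS-02",
     "image": r"C:\Program Files\CrystalDiskInfo\DiskInfo64.exe",
     "image_loaded": r"C:\Program Files\CrystalDiskInfo\helper.dll",
     "process_signed": True, "dll_signed": True},
    # WS-03: suspicious load from Temp with no remote-access tool afterwards.
    # A candidate worth triage, but not a complete chain.
    {"event_id": 7, "time": T, "host": "WS-03",
     "image": r"C:\Users\bob\AppData\Local\Temp\FurMark\FurMark.exe",
     "image_loaded": r"C:\Users\bob\AppData\Local\Temp\FurMark\helper.dll",
     "process_signed": True, "dll_signed": False},
]

if __name__ == "__main__":
    for c in correlate_chain(SAMPLE_EVENTS):
        print(f"{c['host']}: {c['sideload']['image_loaded']} -> "
              f"{c['rat_process']['image']} -> {c['c2']['dest_ip']}")
```

On the sample data WS-01 produces a full chain, WS-03 is a sideload candidate without a follow-on remote-access install, and WS-02 is ignored because the DLL is signed and lives under Program Files. Signature status in real Sysmon image-load events comes from the Signed and SignatureStatus fields; the window and the ScreenConnect name match are the knobs to tune if the operators switch to a different remote-access tool.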

Sources

  • AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites, The Hacker News.

  • From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities, Microsoft.
