Digging Gold with a Spoon – Resurgence of Monero-mining Malware

A recent resurgence of XMRig cryptominer malware was observed in April 2025, coinciding with a rally in Monero cryptocurrency prices and a major bitcoin theft converted to Monero. The malware employs multi-staged attacks utilizing LOLBAS techniques and Windows built-in tools to achieve persistence and evade detection. #XMRig #Monero #notif_su

Keypoints

  • The resurgence of XMRig cryptominer malware followed a significant increase in Monero (XMR) cryptocurrency value in early 2025.
  • The malware utilizes multi-staged attack techniques, including batch scripts and PowerShell commands, to deploy and maintain persistence.
  • LOLBAS techniques leverage legitimate Windows tools like PowerShell and scheduled tasks to evade detection and execute payloads.
  • The malware disables Windows Update services and security scans to prevent removal and maintain long-term presence on infected systems.
  • Initial infection vector remains unknown, but execution begins with svchost.exe running a batch file (1.cmd) which downloads further scripts from a malicious domain notif[.]su.
  • Malicious XMRig binaries drop copies with random filenames and use a legitimate WinRing0 driver for advanced operations and privilege escalation.
  • The malware targets new countries including Belgium, Greece, China, Russia, Azerbaijan, and Uzbekistan.

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used to execute batch files like 1.cmd and S2.bat for downloading and running payloads (‘svchost.exe creates a cmd process that executes the Windows batch file, 1.cmd’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used to download files and execute scripts stealthily (‘…downloads S2.bat to the C:\Temp folder using the PowerShell Invoke-WebRequest command’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Employed to create persistent scheduled tasks that run payloads with highest privileges (‘creates a scheduled task named “RunS2BatchScript” to run S2.bat with the highest privileges every time the victim machine starts up’).
  • [T1569.002] System Services: Service Execution – Services like Windows Update are stopped to avoid interference (‘S2.bat disables the Windows Update Service by using ‘net stop’ and ‘sc config’ commands’).
  • [T1068] Exploitation for Privilege Escalation – The malware attempts to elevate privileges during execution (‘The script checks whether it is running with administrative privileges and attempts to elevate its own privileges if necessary’).
  • [T1489] Service Stop – Used to stop Windows Update related services to prevent system updates and detection (‘S2.bat disables update-related Windows services’).
  • [T1007] System Service Discovery – The malware checks for running system services to aid its persistence and evasion strategies.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Windows Defender scanning exclusions are set to skip the C: drive (‘batch file modifies the registry to exclude the C: path from Windows Defender scanning’).
  • [T1012] Query Registry – Registry entries are checked and created for persistence (‘creates registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DJKONTAH’).
  • [T1082] System Information Discovery – The malware performs checks to gather system information to support its activities.
  • [T1571] Non-Standard Port – Communication with malicious domains may involve non-standard ports.

Indicators of Compromise

  • [File Hash] Malicious script and executable hashes – a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0 (S2.bat), 3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3 (EFminer.exe), f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b (XMRig dropper)
  • [Domain] Malicious command and control domain – notif[.]su, used to download malicious scripts and XMRig binaries.
  • [File Names] Suspicious files created – “dvrctxctzmmr.exe” dropped in %APPDATA%\frxpfpjpzvub, “djhtniluoblq.sys” (WinRing0 driver) in %TEMP%, “check.txt” marker file in %TEMP%.
  • [Registry Key] Persistence registry entry – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DJKONTAH pointing to dropped miner executable.
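As an added host-triage example (not code from the G DATA write-up), the PowerShell below checks a single Windows host for the persistence and defense-evasion artifacts listed in the MITRE and IoC sections above: the RunS2BatchScript task, the DJKONTAH Run value, a Defender exclusion covering C:, a disabled Windows Update service and the dropped file names. It assumes the Windows Update service name is wuauserv and that the dropped file names match this sample (the summary notes the miner uses random filenames, so the file checks catch only this variant).

```powershell
# Added triage script, not part of the original summary.
# Assumptions: Windows Update service = wuauserv; file names are from the one
# sample described, so treat misses on those as inconclusive.
$findings = New-Object System.Collections.Generic.List[string]

# T1053.005: scheduled task used to relaunch S2.bat at startup
$task = Get-ScheduledTask -TaskName 'RunS2BatchScript' -ErrorAction SilentlyContinue
if ($task) {
    $findings.Add("Scheduled task 'RunS2BatchScript' present (state: $($task.State))")
}

# Run-key persistence in the current user's hive
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'DJKONTAH' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings.Add("Run value DJKONTAH -> $($runVal.DJKONTAH)")
}

# T1562.001: Defender exclusion that covers the whole C: drive
$excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
if ($excl -contains 'C:\' -or $excl -contains 'C:') {
    $findings.Add("Defender exclusion covers C: ($($excl -join ', '))")
}

# T1489: Windows Update service left disabled by 'sc config' (name assumed)
$wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    $findings.Add("wuauserv start type is Disabled (status: $($wu.Status))")
}

# Dropped files from the IoC list (this sample only; names are randomised)
$paths = @(
    (Join-Path $env:TEMP 'check.txt'),
    (Join-Path $env:TEMP 'djhtniluoblq.sys'),
    (Join-Path $env:APPDATA 'frxpfpjpzvub\dvrctxctzmmr.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this XMRig/notif.su summary were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt so Get-MpPreference and the service query succeed; any single hit warrants collecting the dropped binaries and comparing them against the hashes listed above.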


Read more: https://www.gdatasoftware.com/blog/2025/07/38228-monero-malware-xmrig-resurgence