Introduction
Cryptojacking has evolved from a browser-based nuisance to a system-level threat using advanced malware techniques. A new campaign leverages social engineering and removable media to spread across air-gapped systems.
Infection Chain and Malware Behavior
The infection starts with cracked “premium” productivity suites distributed via pirated software bundles, where the user executes what appears to be a legitimate installer. Hidden inside is a dropper that deploys a controller binary named Explorer.exe (MD5: bb97dfc3e5fb8109bd154c2b2b2959da), which acts as the brain of the operation, orchestrating installation, persistence, mining, and cleanup.
Explorer.exe behaves like a state machine driven by command-line parameters. The malware’s internal modes are exposed through anime-inspired flags such as “002 Re:0” (active infection), “016” (maintenance), and “barusu” (cleanup).
Malware Propagation Mechanisms
The campaign chains social engineering, worm-like propagation over removable media, and a Bring Your Own Vulnerable Driver (BYOVD) technique to maximize hashrate while making removal extremely difficult. A built-in time bomb checks the system date against a hardcoded deadline of 23 December 2025, after which the malware pivots into decommissioning behavior.
File Inventory and Persistence
The malware carries its entire toolkit in its PE resource section. Once installed, Explorer.exe enters a tight orchestration loop that constantly checks for the miner process and randomly launches “keeper” binaries (edge.exe, wps.exe, ksomisc.exe) to maintain persistence.
Worm Module
The malware listens for WM_DEVICECHANGE window messages and acts on DBT_DEVICEARRIVAL events to detect newly attached removable drives. When a USB drive or external disk is inserted, the malware copies its explorer.exe payload into a hidden folder on the drive and abuses shortcut (.lnk) files to trick users into executing the malware on the next host. This is how a campaign that otherwise depends on the network can cross into air-gapped systems.
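The notification the worm module keys on is documented Win32 behaviour: wParam carries the event code (DBT_DEVICEARRIVAL) and lParam points at a DEV_BROADCAST_HDR, which for volumes is a DEV_BROADCAST_VOLUME whose unitmask has bit n set for drive letter A+n. The decoder below is an added example, not code from the campaign or from the write-up; it uses the constants from dbt.h, constructs the lParam payload itself so it runs offline, and also handles DBT_DEVICEREMOVECOMPLETE and the DBTF_NET flag, which the text does not mention, so that a sandbox or detection hook can tell a real removable-volume arrival from a network-drive mapping.

```python
"""Decode WM_DEVICECHANGE volume notifications (constants from dbt.h)."""
import struct

WM_DEVICECHANGE = 0x0219
DBT_DEVICEARRIVAL = 0x8000          # device or volume has been inserted
DBT_DEVICEREMOVECOMPLETE = 0x8004   # device or volume has been removed
DBT_DEVNODES_CHANGED = 0x0007       # generic change, carries no lParam payload
DBT_DEVTYP_VOLUME = 0x00000002
DBTF_MEDIA = 0x0001                 # change affects the media, not the drive (e.g. CD)
DBTF_NET = 0x0002                   # volume is a network drive

# DEV_BROADCAST_VOLUME: dbcv_size, dbcv_devicetype, dbcv_reserved, dbcv_unitmask
# (all DWORD) followed by dbcv_flags (WORD), little-endian.
_VOLUME_FMT = "<IIIIH"


def drive_letters_from_mask(mask):
    """Bit n of dbcv_unitmask set means drive chr(ord('A') + n) is affected."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def build_volume_broadcast(drive_letters, flags=0):
    """Construct the bytes lParam points at for a volume event (test input only)."""
    mask = 0
    for letter in drive_letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return struct.pack(_VOLUME_FMT, struct.calcsize(_VOLUME_FMT),
                       DBT_DEVTYP_VOLUME, 0, mask, flags)


def decode_device_change(wparam, lparam_bytes):
    """Return (event, drive_letters, flags) for volume arrival/removal, else None."""
    if wparam not in (DBT_DEVICEARRIVAL, DBT_DEVICEREMOVECOMPLETE):
        return None
    if len(lparam_bytes) < struct.calcsize(_VOLUME_FMT):
        return None
    _size, devtype, _reserved, mask, flags = struct.unpack_from(_VOLUME_FMT, lparam_bytes)
    if devtype != DBT_DEVTYP_VOLUME:
        return None  # DBT_DEVTYP_DEVICEINTERFACE etc. carry a different struct
    event = "arrival" if wparam == DBT_DEVICEARRIVAL else "removal"
    return event, drive_letters_from_mask(mask), flags


def new_local_volumes(wparam, lparam_bytes):
    """Drive letters of newly arrived non-network volumes; the set a worm
    module of this kind would act on, and the one a device-control hook
    should inspect before any copy to the drive is allowed."""
    decoded = decode_device_change(wparam, lparam_bytes)
    if decoded is None or decoded[0] != "arrival":
        return []
    _event, letters, flags = decoded
    if flags & DBTF_NET:
        return []
    return letters


if __name__ == "__main__":
    payload = build_volume_broadcast(["E"])  # constructed: a USB stick mounted as E:
    print(decode_device_change(DBT_DEVICEARRIVAL, payload))  # ('arrival', ['E'], 0)
```

The real message arrives through a window procedure (a WNDPROC receiving WM_DEVICECHANGE) or a RegisterDeviceNotification callback; the decoder above is the part that is independent of that plumbing and can be exercised from a unit test.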
Performance Optimization
The attackers bring their own vulnerable driver: WinRing0x64.sys version 1.2.0, affected by CVE-2020-14979. This driver exposes a device object with overly permissive access controls, enabling unprivileged processes to issue IOCTLs that read and write arbitrary memory and control low-level processor registers. As with other BYOVD loaders, the technique works because the driver carries a valid signature and loads as legitimate hardware-monitoring software; the miner then drives it from user mode to tune the CPU for hashrate.
Monetization and Operational Outlook
All compromised nodes are funneled into the Kryptex mining pool at xmr-sg.kryptex.network:8029. The miner is launched via ShellExecuteExW, with a list of target process names passed as command-line arguments.
Defensive Measures
To disrupt similar operations, hardened device-control policies for USB media, driver-block rules for known vulnerable modules like WinRing0x64.sys, and strict monitoring for masqueraded telemetry and office processes (explorer.exe, edge.exe, wps.exe and ksomisc.exe running from user-writable paths) are essential. The controller hash, the mode flags on its command line and the pool endpoint above are all cheap to hunt for in existing process and network telemetry.
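The following triage rules are an added example, not the write-up's or any vendor's detection content. They encode the indicators the article states (the controller MD5, the WinRing0x64.sys driver load from the BYOVD section, the pool host and port, the "002 Re:0" and "barusu" flags, and the borrowed process names) and run them over a handful of constructed Sysmon-style events. The C:\Windows home of the real explorer.exe is factual; the Program Files prefixes assumed for the office lookalikes, the decision to flag edge.exe from any path, and the event schema itself are this example's own assumptions. "016" is deliberately left out of the command-line rule because a bare three-digit string is too generic to alert on.

```python
"""Triage rules for this campaign's indicators over constructed telemetry."""
from dataclasses import dataclass

# Indicators stated in the write-up.
CONTROLLER_MD5 = "bb97dfc3e5fb8109bd154c2b2b2959da"
VULN_DRIVER = "winring0x64.sys"
POOL_HOST, POOL_PORT = "xmr-sg.kryptex.network", 8029
MODE_FLAGS = ("002 Re:0", "barusu")  # "016" alone is too generic to key on

# Where each borrowed process name legitimately lives. The C:\Windows home of
# explorer.exe is real; the Program Files prefixes for the office lookalikes
# and flagging edge.exe from any path are this example's own assumptions.
EXPECTED_DIRS = {
    "explorer.exe": ("c:\\windows\\",),
    "wps.exe": ("c:\\program files\\", "c:\\program files (x86)\\"),
    "ksomisc.exe": ("c:\\program files\\", "c:\\program files (x86)\\"),
    "edge.exe": (),  # str.startswith(()) is False, so edge.exe is always flagged
}


@dataclass
class Event:
    kind: str            # "process", "driver" or "network"
    image: str = ""      # full image path of the process or driver
    cmdline: str = ""
    md5: str = ""
    dest_host: str = ""
    dest_port: int = 0


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev):
    """Return the indicator names an event matches (empty list if clean)."""
    hits = []
    if ev.kind == "process":
        name = basename(ev.image)
        if ev.md5.lower() == CONTROLLER_MD5:
            hits.append("controller hash")
        if name in EXPECTED_DIRS and not ev.image.lower().startswith(EXPECTED_DIRS[name]):
            hits.append(f"masqueraded {name} outside expected path")
        if any(flag in ev.cmdline for flag in MODE_FLAGS):
            hits.append("controller mode flag on command line")
    elif ev.kind == "driver":
        if basename(ev.image) == VULN_DRIVER:
            hits.append("vulnerable driver load (BYOVD)")
    elif ev.kind == "network":
        if ev.dest_host.lower() == POOL_HOST and ev.dest_port == POOL_PORT:
            hits.append("mining pool connection")
    return hits


# Constructed sample telemetry: one host's view of the chain plus benign noise.
SAMPLE_EVENTS = [
    Event("process", image="C:\\Users\\bob\\AppData\\Roaming\\Explorer.exe",
          cmdline='Explorer.exe "002 Re:0"', md5=CONTROLLER_MD5),
    Event("process", image="C:\\Windows\\explorer.exe", cmdline="explorer.exe"),
    Event("driver", image="C:\\Users\\bob\\AppData\\Local\\Temp\\WinRing0x64.sys"),
    Event("network", dest_host="xmr-sg.kryptex.network", dest_port=8029),
    Event("process", image="C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe"),
    Event("process", image="C:\\ProgramData\\edge.exe", cmdline="edge.exe barusu"),
]


def run_triage(events):
    """Map event index to its matched indicators, keeping only flagged events."""
    flagged = {}
    for i, ev in enumerate(events):
        hits = triage(ev)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for i, hits in run_triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

The path rule is the one that survives hash changes and pool rotation: a process called explorer.exe whose image is not under C:\Windows is wrong on every Windows build, so it belongs in the baseline alert set, while the hash and endpoint rules are campaign-specific and will age.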
