VERY IMPORTANT

A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive installers masquerading as office software. The modular design enhances resilience, with multiple watchdog processes for persistence. A notable feature is the exploitation of a vulnerable signed driver (CVE-2020-14979) to gain kernel-level access, boosting Monero mining performance by 15% to 50%. The campaign connects to the Kryptex mining pool and uses a Monero wallet for payouts. Organizations are advised to enable Microsoft's vulnerable driver blocklist and implement other protective measures.