Wormable XMRig + BYOVD: Analyzing the new logic bomb campaign
Just caught the write-up on The Hacker News regarding this new wormable XMRig campaign. It's a textbook case of why software licensing enforcement is security, not just compliance.
The campaign uses pirated software bundles as the initial vector, but the real kicker is the multi-stage payload involving BYOVD (Bring Your Own Vulnerable Driver) to disable EDR and a time-based logic bomb to manage the mining schedule.
Technical Breakdown
- Vector: Pirated software bundles/cracked installers.
- Persistence: Bespoke dropper + scheduled tasks.
- Defense Evasion: BYOVD exploit loading a known vulnerable signed driver to kill AV processes.
- Payload: XMRig variant with wormable capabilities (likely exploiting unpatched SMB or RPC for lateral spread).
The 'logic bomb' aspect is particularly nasty—it likely checks system time before spiking CPU usage to blend in with off-hours maintenance windows, making it harder to catch during standard business hours.
Hunting/Detection
We should be hunting for the driver loading events. Here is a quick PowerShell snippet to scan for common vulnerable drivers often associated with BYOVD attacks:
# Hunt for known vulnerable BYOVD drivers
$vulnerableDrivers = "RTCore64.sys", "DBUtil_2_3.sys", "AsIO3.sys", "gdrv.sys"
Get-WindowsDriver -Online | Where-Object {
$vulnerableDrivers -contains $_.OriginalFileName
} | Select-Object ProviderName, Driver, Version, Date
You should also correlate this with suspicious process parent-child relationships, specifically looking for generic Windows utilities spawning the miner:
DeviceProcessEvents
| where InitiatingProcessFileName in ("msiexec.exe", "rundll32.exe", "powershell.exe")
| where FileName == "xmrig.exe" or SHA256 has_any ("XMRig", "Monero")
| project DeviceName, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine
Discussion
Most orgs struggle to block pirated software on BYOD or unmanaged endpoints. Beyond 'don't install cracked software,' has anyone had success relying strictly on HVCI (Memory Integrity) to block the vulnerable drivers used in BYOVD attacks, or is kernel-level exploitation still winning this race?
HVCI is absolutely crucial here. We saw a similar campaign targeting our dev environment last month. The dropper executed successfully, but the vulnerable driver failed to load because Memory Integrity was enforced on the endpoints. The blue screen of death (or silent failure) when the driver loads is actually a decent detection signature in itself.
Don't forget to check for the logic bomb triggers in the Scheduled Tasks. I've seen samples that create tasks set to run at 02:00 AM. You can hunt for dormant tasks with hidden flags:
Get-ScheduledTask | Where-Object {$_.Settings.Hidden -eq $true} | Select-Object TaskName, TaskPath, Actions
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access