root@rebel:~$ cd /news/threats/byovd-driven-xmrig-campaign-employs-time-based-logic-bombs-and-lateral-movement_
[TIMESTAMP: 2026-02-23 20:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

BYOVD-Driven XMRig Campaign Employs Time-Based Logic Bombs and Lateral Movement


Technical Analysis of the Multi-Stage Execution Chain

The campaign originates from trojanized software bundles distributed via peer-to-peer networks and gray-market software repositories. Upon execution, the primary dropper initiates a series of PowerShell commands designed to weaken the host’s security posture. This includes the modification of registry keys to disable Windows Defender Real-Time Monitoring and the exclusion of specific file paths from Antimalware Scan Interface (AMSI) hooks.

BYOVD and Kernel-Level Evasion

A defining characteristic of this threat is the utilization of Bring Your Own Vulnerable Driver (BYOVD) tactics. The malware sideloads a signed but vulnerable third-party driver to escalate privileges to Ring 0. This kernel-level access allows the threat actor to directly manipulate system memory, effectively blinding Endpoint Detection and Response (EDR) agents by unhooking user-mode APIs and terminating protected security processes that would otherwise detect the XMRig miner.

Persistence Mechanisms and Logic Bomb Trigger

Persistence is achieved through a combination of Windows Management Instrumentation (WMI) event subscriptions and scheduled tasks disguised as legitimate system updates. The malware employs a time-based logic bomb; the mining payload remains dormant for a randomized interval ranging from 24 to 72 hours. This delay is specifically engineered to bypass sandbox environments and automated malware analysis platforms that typically monitor execution for shorter durations.
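The host-side detection logic below is an added example, not code from this article or from Runtime Rebel Intel. It assumes Sysmon-style telemetry reduced to Python dicts (Event IDs 1, 6, 13, 20 and 21 are Sysmon's real process-create, driver-load, registry-value-set, WMI-consumer and WMI-binding events; the driver hash blocklist entries, the host name and the sample events are constructed placeholders) and flags the three behaviours the preceding sections describe: Defender tampering via registry or PowerShell cmdlet, a signed driver loaded from outside the system driver directory or matching a known-vulnerable hash, and WMI consumer/binding persistence.

```python
"""Host-side detection for the tradecraft described above (added example; the
events below are constructed for illustration and were not captured from the
campaign)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


# Registry paths (Sysmon Event ID 13, value set) whose modification weakens
# Defender; matched case-insensitively as substrings so both the policy and
# the non-policy hives are covered.
DEFENDER_TAMPER_PATHS = (
    "\\windows defender\\disableantispyware",
    "\\windows defender\\real-time protection\\disablerealtimemonitoring",
    "\\windows defender\\real-time protection\\disablebehaviormonitoring",
    "\\windows defender\\exclusions\\paths\\",
)

# PowerShell cmdlets that achieve the same from a command line (Event ID 1).
MP_TAMPER_RE = re.compile(
    r"(set-mppreference\s+.*-disable(realtime|behavior)monitoring\s+\$?true"
    r"|add-mppreference\s+.*-exclusion(path|process|extension))",
    re.IGNORECASE,
)

# Placeholder blocklist of SHA-256 hashes of drivers known to be abusable.
# These strings are NOT real hashes; a deployment would load a maintained list.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
TRUSTED_DRIVER_DIR = "\\windows\\system32\\drivers\\"

# WMI consumer classes that execute code when a bound filter fires (Event ID 20).
CODE_EXEC_CONSUMERS = ("commandlineeventconsumer", "activescripteventconsumer")


def _sha256_from_sysmon_hashes(field):
    """Sysmon packs hashes as 'SHA256=...,IMPHASH=...'; pull the SHA-256 out."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def evaluate(ev):
    """Return the alerts raised by one Sysmon-style event dict (may be empty)."""
    eid, host = ev["EventID"], ev.get("Computer", "?")
    alerts = []
    if eid == 13:
        target = ev.get("TargetObject", "").lower()
        if any(p in target for p in DEFENDER_TAMPER_PATHS):
            alerts.append(Alert("defender_registry_tamper", host, ev["TargetObject"]))
    elif eid == 1:
        cmd = ev.get("CommandLine", "")
        if MP_TAMPER_RE.search(cmd):
            alerts.append(Alert("defender_cmdlet_tamper", host, cmd))
    elif eid == 6:
        image = ev.get("ImageLoaded", "")
        sha = _sha256_from_sysmon_hashes(ev.get("Hashes", ""))
        if sha in VULNERABLE_DRIVER_SHA256:
            alerts.append(Alert("known_vulnerable_driver_load", host, image))
        elif TRUSTED_DRIVER_DIR not in image.lower():
            # A signed driver loaded from a user-writable path has the BYOVD
            # shape even when its hash is not yet on any blocklist.
            alerts.append(Alert("driver_load_outside_system_dir", host, image))
    elif eid == 20:
        if ev.get("Type", "").lower() in CODE_EXEC_CONSUMERS:
            alerts.append(Alert("wmi_code_exec_consumer", host, ev.get("Name", "")))
    elif eid == 21:
        alerts.append(Alert("wmi_consumer_bound_to_filter", host,
                            f"{ev.get('Filter', '')} -> {ev.get('Consumer', '')}"))
    return alerts


def scan(events):
    """Run every event through evaluate() and return all alerts in order."""
    return [a for ev in events for a in evaluate(ev)]


# Constructed sample telemetry approximating what this chain leaves behind.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "CommandLine": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Updater"},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\ProgramData\Updater\drv.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER,IMPHASH=PLACEHOLDER", "Signed": "true"},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_BENIGN_DRIVER,IMPHASH=PLACEHOLDER", "Signed": "true"},
    {"EventID": 20, "Computer": "WS01", "Name": "WindowsUpdateConsumer", "Type": "CommandLineEventConsumer"},
    {"EventID": 21, "Computer": "WS01", "Filter": "WindowsUpdateFilter", "Consumer": "WindowsUpdateConsumer"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The driver rule deliberately fires on location as well as on hash: the delay tactic in this campaign means a sample may reach a host before its driver is on any blocklist, so a signed driver loading from ProgramData or a user profile is worth a ticket on its own. The WMI binding rule (Event ID 21) fires unconditionally because legitimate software rarely creates consumer-to-filter bindings; tune it with an allowlist of known management agents rather than by loosening the rule.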

Wormable Propagation and Network Exposure

The infection includes a propagation module that attempts to spread laterally across the internal network. It utilizes credential harvesting from the Local Security Authority Subsystem Service (LSASS) memory and scans for open SMB (Port 445) and RDP (Port 3389) services. Organizations should conduct frequent infrastructure scanning and validation using Pocket Pentest to identify exposed services and misconfigurations that facilitate the lateral movement seen in this campaign.
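The fan-out detector below is an added example, not code from this article or from the Pocket Pentest product it mentions. It assumes flow records (from a firewall, NetFlow export or Sysmon network events) flattened to one line of `timestamp src dst dport`, and the five-minute window, the threshold of ten distinct hosts, the host addresses and every flow line are constructed for the example. It catches the behaviour the paragraph describes from the network side: one internal source touching many internal hosts on SMB (445) or RDP (3389) in a short window, which is the shape of the propagation module's scan rather than of normal file-share or admin traffic.

```python
"""Lateral-movement fan-out detector for SMB/RDP scanning (added example; the
flow records are constructed, not captured from the campaign)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

LATERAL_PORTS = {445, 3389}          # SMB and RDP, the services the module scans for
WINDOW = timedelta(minutes=5)        # assumed sliding window
THRESHOLD = 10                       # assumed distinct internal targets before alerting


def parse_flow(line):
    """Parse 'ISO8601 src dst dport' into (ts, src, dst, dport); None if malformed."""
    try:
        ts, src, dst, port = line.split()
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None


def _is_internal(addr):
    """True for RFC 1918 / loopback style addresses; False for public or garbage."""
    try:
        return ip_address(addr).is_private
    except ValueError:
        return False


def detect_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (window_start_ts, n_targets)} for each source that reached
    `threshold` distinct internal hosts on a lateral-movement port inside `window`.
    Only the first crossing per source is recorded, so a noisy scanner yields one alert."""
    recent = defaultdict(deque)      # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, port = flow
        if port not in LATERAL_PORTS or not _is_internal(dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire flows older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(targets))
    return alerts


# Constructed flows: one host sweeping 16 neighbours on 445 within 45 seconds,
# a workstation talking repeatedly to a single file server, one admin RDP
# session, a public-address flow, a non-lateral port and a malformed line.
SAMPLE_FLOWS = (
    [f"2026-02-23T20:18:{i * 3:02d} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(16)]
    + [f"2026-02-23T20:18:{i * 2:02d} 10.0.0.7 10.0.0.50 445" for i in range(20)]
    + ["2026-02-23T20:18:10 10.0.0.8 10.0.0.60 3389",
       "2026-02-23T20:18:11 10.0.0.5 8.8.8.8 445",
       "2026-02-23T20:18:12 10.0.0.5 10.0.0.99 443",
       "this line is not a flow record"]
)

if __name__ == "__main__":
    for src, (start, n) in detect_fanout(SAMPLE_FLOWS).items():
        print(f"fan-out from {src}: {n} distinct SMB/RDP targets since {start.isoformat()}")
```

Repeated connections to the same file server never raise the distinct-target count, which is what keeps ordinary SMB traffic below the threshold; the rule is about breadth, not volume. Authorised vulnerability scanners and domain controllers will trip it legitimately, so exclude them by source address at the collector rather than by raising the threshold for everyone.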

Impact on Host Stability

The bespoke XMRig configuration is tuned for maximum resource extraction, enabling the miner's MSR (Model-Specific Register) tweaks and Huge Pages to increase hashing efficiency. This aggressive resource allocation often results in CPU thermal throttling and system instability, which may serve as the primary indicator of compromise for affected organizations.