Soon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that was tied to Bitvote.
Apart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack.
The payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms.
The campaign was active in February and March, and so far, it has brought limited returns for attackers.