Wormable XMRig Cryptominer Uses BYOVD Exploit and Time-Based Logic Bomb to Evade Detection
Trellix researchers have disclosed a sophisticated new cryptojacking campaign that deploys a bespoke XMRig miner using a multi-stage infection chain, with BYOVD (Bring Your Own Vulnerable Driver) exploitation, time-based logic bomb triggers, and worm-like lateral movement via external storage devices. The malware enters via social engineering lures advertising pirated premium software, then establishes persistence through multiple triggers before maximising cryptocurrency mining hashrate — often at the cost of destabilising the victim system. The inclusion of worm capabilities that spread via USB and external drives makes this threat particularly relevant to air-gapped and isolated enterprise environments.
Key Takeaways
- Campaign uses BYOVD exploit to load a vulnerable driver, then deploys a bespoke XMRig miner with a time-based logic bomb that delays payload activation to evade sandbox analysis — research by Trellix analyst Aswath A
- Worm module spreads the malware to external storage devices, enabling lateral movement even in air-gapped environments — entry point is pirated software bundles (fake office productivity suite installers)
- Multi-stage dropper: social engineering decoy → malicious executable → BYOVD privilege escalation → XMRig deployment with CPU pinning for max mining hashrate; victim systems often destabilised
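Two of the techniques above, BYOVD driver loading and spread via removable media, map to controls a Windows administrator can verify directly. The following is an added defensive example; it is not code from the Trellix write-up or from The Hacker News, and it references no artefact of this campaign. It assumes an elevated PowerShell session on a supported Windows 10/11 build; the registry paths and values are Microsoft-documented, while the "outside System32\drivers" heuristic is an assumption for triage rather than a rule.

```powershell
# Added example (not from the Trellix/THN write-up): baseline checks and hardening
# relevant to the BYOVD and removable-media techniques described in the summary.
# Run elevated. Registry paths/values are Microsoft-documented; the "expected driver
# directory" heuristic below is an assumption used for triage, not a detection rule.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Inventory running kernel drivers and flag the ones that warrant a closer look:
#    loaded from outside the standard driver directory, or without a valid signature.
function Get-SuspiciousDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or carry \??\ or \SystemRoot\ prefixes; normalise before checking.
            $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $sig  = if (Test-Path -LiteralPath $path) {
                        (Get-AuthenticodeSignature -FilePath $path).Status
                    } else { 'FileMissing' }
            [pscustomobject]@{
                Name             = $_.Name
                Path             = $path
                Signature        = $sig
                OutsideDriverDir = -not $path.StartsWith($driverDir, [System.StringComparison]::OrdinalIgnoreCase)
            }
        } |
        Where-Object { $_.OutsideDriverDir -or $_.Signature -ne 'Valid' }
}

# 2. Confirm the Microsoft Vulnerable Driver Blocklist is enforced. It blocks a curated set of
#    signed-but-abusable drivers, which is the class of driver BYOVD campaigns rely on.
function Test-VulnerableDriverBlocklist {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    return ($val -eq 1)
}

function Enable-VulnerableDriverBlocklist {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
}

# 3. Disable AutoRun/AutoPlay for every drive type (0xFF) so a trojanised removable drive
#    cannot launch anything simply by being inserted.
function Disable-AutoRunAllDrives {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Report-only by default; call the Enable-/Disable- functions deliberately after review.
Get-SuspiciousDrivers | Format-Table -AutoSize
if (-not (Test-VulnerableDriverBlocklist)) {
    Write-Warning 'Microsoft Vulnerable Driver Blocklist is not enforced on this host.'
}
```

Expect some legitimate vendor drivers to appear in the first report, since Windows also loads drivers from the DriverStore rather than System32\drivers; the value of the list is in drivers that are unsigned, missing on disk, or sitting in user-writable locations. The blocklist check is a point-in-time configuration read, so pair it with Windows Defender Application Control or HVCI where the environment supports them, and treat the AutoRun change as one layer alongside removable-media policy, not a substitute for it.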
Original source: The Hacker News / Trellix