Article Details
SilentCryptoMiner Malware Campaign
A newly discovered mass malware campaign has been found to be infecting users with a cryptocurrency miner known as SilentCryptoMiner, by disguising it as a tool designed to bypass internet blocks and restrictions on online services.
According to Russian cybersecurity company Kaspersky, this activity is part of a larger trend where cybercriminals are increasingly using Windows Packet Divert (WPD) tools to distribute malware under the guise of restriction bypass programs.
Researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev note that “such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives. This plays into the hands of attackers by allowing them to persist in an unprotected system without the risk of detection.”
This approach has been used in schemes that propagate stealers, remote access tools (RATs), trojans, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat.
In a recent campaign, over 2,000 Russian users were compromised with a miner disguised as a tool for bypassing blocks based on deep packet inspection (DPI). The program was advertised through a link to a malicious archive on a YouTube channel with 60,000 subscribers.
In a subsequent escalation, the threat actors have been found to impersonate tool developers, threatening channel owners with bogus copyright strike notices and demanding that they post videos with malicious links or risk getting their channels shut down due to supposed infringement.
Kaspersky reports that “in December 2024, users reported the distribution of a miner-infected version of the same tool through other Telegram and YouTube channels, which have since been shut down.”
The malicious archives contain an extra executable, with one of the legitimate batch scripts modified to run the binary via PowerShell. If antivirus software interferes with the attack chain and deletes the malicious binary, users are displayed an error message urging them to re-download the file and run it after disabling security solutions.
The executable is a Python-based loader that retrieves a next-stage malware, another Python script that downloads the SilentCryptoMiner miner payload and establishes persistence. However, it first checks if it’s running in a sandbox and configures Windows Defender exclusions.
The miner, based on the open-source miner XMRig, is padded with random blocks of data to artificially inflate the file size to 690 MB, hindering automatic analysis by antivirus solutions and sandboxes.
Kaspersky notes that “for stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe). The malware is able to stop mining while the processes specified in the configuration are active
Source Link
