SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN and DPI Bypass Tools

Mar 10, 2025 | Ravie Lakshmanan | Threat Intelligence / Cybercrime

A new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a tool designed to bypass internet blocks and restrictions around online services.

Russian cybersecurity company Kaspersky said the activity is part of a larger trend in which cybercriminals are increasingly leveraging Windows Packet Divert (WPD) tools to distribute malware under the guise of restriction bypass programs.

"Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives," researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev said. "This plays into the hands of attackers by allowing them to persist in an unprotected system without the risk of detection."

The approach has been used as part of schemes that propagate stealers, remote access tools (RATs), trojans that provide hidden remote access, and cryptocurrency miners, including NJRat, XWorm, Phemedrone, and DCRat.

The latest twist on this tactic is a campaign that has compromised over 2,000 Russian users with a miner disguised as a tool for getting around blocks based on deep packet inspection (DPI). The program is said to have been advertised in the form of a link to a malicious archive via a YouTube channel with 60,000 subscribers.

SilentCryptoMiner Malware

In a subsequent escalation of the tactics observed in November 2024, the threat actors were found impersonating such tool developers to threaten channel owners with bogus copyright strike notices and demand that they publish videos with malicious links or risk getting their channels shut down for supposed infringement.

"And in December 2024, users reported the distribution of a miner-infected version of the same tool via other Telegram and YouTube channels, which have since been shut down," Kaspersky said.

The booby-trapped archives were found to pack an additional executable, with one of the legitimate batch scripts modified to run the binary via PowerShell. In the event that antivirus software installed on the system interferes with the attack chain and deletes the malicious binary, users are shown an error message that urges them to re-download the file and run it after disabling security solutions.

The executable is a Python-based loader that is designed to retrieve the next-stage malware, another Python script that downloads the SilentCryptoMiner miner payload and establishes persistence, but not before checking whether it is running in a sandbox and configuring Windows Defender exclusions.

The miner, based on the open-source miner XMRig, is padded with random blocks of data to artificially inflate the file size to 690 MB and ultimately hinder automated analysis by antivirus solutions and sandboxes.
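One defensive triage check this padding trick suggests, as an added example that is not Kaspersky's or the campaign's code: measure how much of a PE file lies in the overlay past its last section, since data appended to inflate a binary lands there and is never mapped at run time. The 50% threshold and the hand-built one-section sample PE are constructed for illustration.

```python
import os
import struct

# Illustrative threshold: flag a file when most of its bytes sit past the end of
# the last PE section, as with the miner inflated to 690 MB with random blocks.
OVERLAY_RATIO_THRESHOLD = 0.5


def overlay_info(data: bytes) -> tuple[int, float]:
    """Return (overlay_bytes, overlay_ratio) for a PE image held in memory.

    The overlay is everything after the last section's raw data; appended
    padding lands there and never gets mapped when the program runs.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_hdr_size
    end_of_sections = section_table + 40 * num_sections
    for i in range(num_sections):
        hdr = section_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = max(0, len(data) - end_of_sections)
    return overlay, overlay / len(data)


def is_suspiciously_padded(data: bytes) -> bool:
    """Triage verdict: True when the overlay dominates the file."""
    return overlay_info(data)[1] >= OVERLAY_RATIO_THRESHOLD


def build_sample_pe(overlay_bytes: int) -> bytes:
    """Constructed test input: a minimal one-section PE layout (not a runnable
    program) followed by `overlay_bytes` of random padding."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: machine, 1 section, timestamp, symtab, nsyms,
    # optional-header size (0 here, omitted for brevity), characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    raw_ptr, raw_size = 0x200, 0x100
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + section).ljust(raw_ptr, b"\0")
    image += b"\xC3" * raw_size              # stand-in for the code section
    return image + os.urandom(overlay_bytes)
```

Legitimate files also carry overlays (Authenticode signatures, self-extracting installers), so treat a high ratio as a signal for further analysis rather than a verdict.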

"For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe)," Kaspersky said. "The malware is able to stop mining while the processes specified in the configuration are active. It can be controlled remotely via a web panel."
