A brand new mass malware marketing campaign is infecting customers with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a device designed to bypass web blocks and restrictions round on-line companies.
Russian cybersecurity firm Kaspersky stated the exercise is a component of a bigger development the place cybercriminals are more and more leveraging Home windows Packet Divert (WPD) instruments to distribute malware underneath the guise of restriction bypass packages.
“Such software program is commonly distributed within the type of archives with textual content set up directions, wherein the builders suggest disabling safety options, citing false positives,” researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev stated. “This performs into the fingers of attackers by permitting them to persist in an unprotected system with out the chance of detection.”
The method has been used as a part of schemes that propagate stealers, distant entry instruments (RATs), trojans that present hidden distant entry, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat.
The most recent twist on this tactic is a marketing campaign that has compromised over 2,000 Russian customers with a miner disguised as a device for getting round blocks primarily based on deep packet inspection (DPI). This system is alleged to have been marketed within the type of a hyperlink to a malicious archive through a YouTube channel with 60,000 subscribers.
In a subsequent escalation of the techniques noticed in November 2024, the menace actors have been discovered impersonating such device builders to threaten channel house owners with bogus copyright strike notices and demand that they publish movies with malicious hyperlinks or threat getting their channels shut down on account of supposed infringement.
“And in December 2024, customers reported the distribution of a miner-infected model of the identical device via different Telegram and YouTube channels, which have since been shut down,” Kaspersky stated.
The booby-trapped archives have been discovered to pack an additional executable, with one of many official batch scripts modified to run the binary through PowerShell. Within the occasion antivirus software program put in within the system interferes with the assault chain and deletes the malicious binary, customers are displayed an error message that urges them to re-download the file and run it after disabling safety options.
The executable is a Python-based loader that is designed to retrieve a next-stage malware, one other Python script that downloads the SilentCryptoMiner miner payload and establishes persistence, however not earlier than checking if it is working in a sandbox and configuring Home windows Defender exclusions.
The miner, primarily based on the open-source miner XMRig, is padded with random blocks of knowledge to artificially inflate the file dimension to 690 MB and in the end hinder computerized evaluation by antivirus options and sandboxes.
“For stealth, SilentCryptoMiner employs course of hollowing to inject the miner code right into a system course of (on this case, dwm.exe),” Kaspersky stated. “The malware is ready to cease mining whereas the processes specified within the configuration are energetic. It may be managed remotely through an internet panel.”