A brand new mass malware marketing campaign is infecting customers with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a software designed to avoid web blocks and restrictions round on-line companies.
Russian cybersecurity firm Kaspersky mentioned the exercise is a component of a bigger pattern the place cybercriminals are more and more leveraging Home windows Packet Divert (WPD) instruments to distribute malware below the guise of restriction bypass applications.
“Such software program is commonly distributed within the type of archives with textual content set up directions, by which the builders suggest disabling safety options, citing false positives,” researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev mentioned. “This performs into the palms of attackers by permitting them to persist in an unprotected system with out the danger of detection.”
The strategy has been used as a part of schemes that propagate stealers, distant entry instruments (RATs), trojans that present hidden distant entry, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat.
The most recent twist on this tactic is a marketing campaign that has compromised over 2,000 Russian customers with a miner disguised as a software for getting round blocks based mostly on deep packet inspection (DPI). This system is claimed to have been marketed within the type of a hyperlink to a malicious archive by way of a YouTube channel with 60,000 subscribers.
In a subsequent escalation of the techniques noticed in November 2024, the risk actors have been discovered impersonating such software builders to threaten channel house owners with bogus copyright strike notices and demand that they put up movies with malicious hyperlinks or threat getting their channels shut down attributable to supposed infringement.
“And in December 2024, customers reported the distribution of a miner-infected model of the identical software by different Telegram and YouTube channels, which have since been shut down,” Kaspersky mentioned.
The booby-trapped archives have been discovered to pack an additional executable, with one of many respectable batch scripts modified to run the binary by way of PowerShell. Within the occasion antivirus software program put in within the system interferes with the assault chain and deletes the malicious binary, customers are displayed an error message that urges them to re-download the file and run it after disabling safety options.
The executable is a Python-based loader that is designed to retrieve a next-stage malware, one other Python script that downloads the SilentCryptoMiner miner payload and establishes persistence, however not earlier than checking if it is operating in a sandbox and configuring Home windows Defender exclusions.
The miner, based mostly on the open-source miner XMRig, is padded with random blocks of information to artificially inflate the file dimension to 690 MB and in the end hinder computerized evaluation by antivirus options and sandboxes.
“For stealth, SilentCryptoMiner employs course of hollowing to inject the miner code right into a system course of (on this case, dwm.exe),” Kaspersky mentioned. “The malware is ready to cease mining whereas the processes specified within the configuration are lively. It may be managed remotely by way of an online panel.”