The new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptominer by assuming it is a tool designed to bypass internet blocking and restrictions on online services.
Russian cybersecurity company Kaspersky said the activity is part of a major trend that is increasingly leveraging Windows Packet Divert (WPD) tools to distribute malware under the guise of a restriction bypass program.
“This type of software is often distributed in the form of archives with text installation instructions. Developers recommend citing false positives to break security solutions,” said researchers Leonid Bezvaenko, Dmitry Pixz and Oleg Kuplev. “This is something that is in the hands of an attacker by allowing an attacker to last in an unprotected system without the risk of detection.”
This approach has been used as part of schemes that propagate steelers, remote access tools (rats), Trojan horses that provide hidden remote access, and cryptocurrency miners such as NJRAT, XWORM, PHEMEDRONE, and DCRAT.
The latest twist on this tactic is a campaign that compromised over 2,000 Russian users with miners who disguise themselves as tools to remove blocks based on deep packet inspection (DPI). The program is said to have been promoted in the form of links to malicious archives via a YouTube channel with 60,000 subscribers.
A subsequent escalation of tactics discovered in November 2024 led to such tool developers threatening channel owners with notifications of fake copyright strikes, and threat actors have been discovered who have asked to post videos with malicious links or risk shutting down the channel due to assumptions of infringement.
“And in December 2024, users reported the distribution of versions infected with miners of the same tool via other telegrams and YouTube channels.
The booby trapped archive is known to pack additional executables using one of the legitimate batch scripts that have been modified to run the binary via PowerShell. If anti-virus software installed on your system interferes with the attack chain and removes malicious binaries, the user will receive an error message that prompts them to re-download the file and disable the security solution before running it.
The executable is a Python-based loader designed to get another Python script that downloads the payload of the SilentCryptominer minor and establishes persistence, another Python script, but not before you check if it runs in a sandbox and configures Windows Defender exclusion.
Minors based on the open source minor XMRIG padded with random data to artificially inflate the file size to 690 MB, ultimately preventing automatic analysis by antivirus solutions and sandboxes.
“In Stealth, SilentCryptominer employs a process to inject minor code into the system process (in this case DWM.EXE),” says Kaspersky. “Malware can stop mining while the process specified in the configuration is active. It can be controlled remotely via the web panel.”
Source link
