A fresh large malware plan is infecting users with a cryptocurrency miners named SilentCryptoMiner by masquerading it as a tool designed to avoid internet blocks and restrictions around online services.
Russian cybersecurity company Kaspersky said the activity is part of a larger trend where cybercriminals are increasingly leveraging Windows Packet Divert ( ) tools to distribute malware under the guise of restriction bypass programs.
” Such software is often distributed in the form of files with text installation instructions, in which the builders recommend disabling security options, citing false positive”, experts Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev . ” This plays into the hands of adversaries by allowing them to persist in an unprotected program without the risk of diagnosis”.
The approach has been used as part of schemes that propagate stealers, remote access tools (RATs ), trojans that provide hidden remote access, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat.
The latest twist in this tactic is a campaign that has compromised over 2, 000 Russian users with a miner disguised as a tool for getting around blocks based on deep packet inspection ( DPI). The software is said to have been advertised in the form of a link to a harmful library via a YouTube channel with 60, 000 members.
In a later increase of the tactics spotted in November 2024, the threat actors have been found impersonating such application developers to threaten channel owners with false rights hit notices and demand that they publish videos with malicious links or risk getting their channels shut down due to supposed infringement.
” And in December 2024, users reported the distribution of a miner-infected version of the same tool through other Telegram and YouTube channels, which have since been shut down”, Kaspersky said.
The booby-trapped archives have been found to pack an extra executable, with one of the legitimate batch scripts modified to run the binary via Power Shell. In the event antivirus software installed in the system interferes with the attack chain and deletes the malicious binary, users are displayed an error message that urges them to re-download the file and run it after disabling security solutions.
The executable is a Python-based loader that’s designed to retrieve a next-stage malware, another Python script that downloads the SilentCryptoMiner miner payload and establishes persistence, but not before checking if it’s running in a sandbox and configuring Windows Defender exclusions.
The miner, based on the open-source miner XMRig, is padded with random blocks of data to artificially inflate the file size to 690 MB and ultimately hinder automatic analysis by antivirus solutions and sandboxes.
” For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process ( in this case, dwm. exe )”, Kaspersky said. ” The malware is able to stop mining while the processes specified in the configuration are active. It can be controlled remotely via a web panel”.