A sophisticated malware campaign has been uncovered, exploiting the growing popularity of Windows Packet Divert drivers for bypassing internet restrictions.
Cybercriminals are distributing the SilentCryptoMiner malware disguised as legitimate tools, affecting over 2,000 victims in Russia alone.
The attack vector involves manipulating YouTubers with large followings to distribute malicious links.
In one instance, a YouTuber with 60,000 subscribers posted videos containing links to infected archives, garnering over 400,000 views.
The malicious files were hosted on gitrok[.]com, with the download counter exceeding 40,000.
Blackmail Tactics and Infection Chain
Attackers have employed a new distribution scheme, sending copyright strikes to content creators and threatening channel shutdowns unless they post videos with malicious links.
This tactic leverages the reputation of popular YouTubers to spread the malware further.
The infection chain begins with a modified start script that runs an additional executable file using PowerShell.
%20and%20modified%20(right)%20general.bat%20start%20script.webp)
According to Secure List Report, this loader, written in Python and packed with PyInstaller, retrieves the next-stage payload from hardcoded domains.
The second-stage loader performs environment checks, adds exclusions to Microsoft Defender, and downloads the final payload SilentCryptoMiner.
SilentCryptoMiner: A Stealthy Cryptocurrency Mining Threat
SilentCryptoMiner, based on the open-source XMRig miner, is capable of mining multiple cryptocurrencies using various algorithms.
It employs process hollowing techniques to inject miner code into system processes for stealth.
The malware includes features to evade detection, such as stopping mining when specific processes are active and checking for virtual environment indicators.
The miner’s configuration is encrypted and includes parameters for mining algorithms, URLs, and lists of programs that trigger temporary mining cessation.
It periodically retrieves remote configurations, allowing attackers to dynamically adjust its behavior.
This campaign highlights the evolving tactics of cybercriminals, who are now exploiting the demand for restriction bypass tools to distribute malware.
While this particular campaign focuses on cryptocurrency mining, the same vector could potentially be used for more severe attacks, including data theft and additional malware deployment.
As the threat landscape continues to evolve, users must exercise caution when downloading and using tools from untrusted sources, even when recommended by seemingly reputable content creators.
The incident serves as a reminder of the ongoing need for vigilance in the face of increasingly sophisticated cyber threats.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup ->Â Try for free
