New mass malicious campaign – infects users named miner cryptocurrency Silentcryptominer Making it as a tool designed to bypass Internet units and restrictions around the Internet service.
Cyberski Russian Cyosporsky said activity is part of a greater trend when cybercrime is increasingWpd) Tools for distribution of malware under the guise of bypass restriction programs.
“Such software is often distributed as archives with the instructions for the installation of the text in which the developers recommend that the security decisions, citing false positives,” – researchers Leonid Bezverchenko, Dmitry Pikush and Oleg Kupreeviev – Note. “This plays in the hands of the attackers, allowing them to be stored in an unprotected system without the risk of detection.”
The approach was used within the frames that distribute the theft, remote access tools (rats), Trojan, providing hidden remote access, and miners cryptocurrencies such as NJRAT, XWOMM, PHEMEDRON and DCRAT.
The last turn in this tactic is a company that has compromised more than 2000 Russian users with a miner, masked in the tool for handling blocks based on packages (DPI). The program is said to be advertised as a link to the malicious archive through the YouTube channel with 60,000 subscribers.
In the subsequent escalation of the tactics, noticed in November 2024, the threats subjects were found that such as developers threaten the channels of channel reports about the author’s rights and demand to go in videos with harmful connections or risk closing their channels.
“In December 2024, the users reported the distribution of the miner, the infected version of the same instrument through other YouTube telegrams and channels that have been closed since then,” Kaspersky said.
It was found that the archives undergoing the fasteners were packed with an additional executable file, with one of the legitimate packaging scenarios changed to launch binary via Powershell. In case the antivirus software installed on the system interferes with the attack chain and removes malicious binary, users reflect the error message calling them to overload the file and run it after disabling security.
The executive file is a Python-based loader, which is designed to search for malicious software, another Python scenario that loads the useful load of Silentcryptominer Miner and sets up, but it does not work in the sandbox and tunes Windows Defender.
Shakhtar, based on an open source Xmrig, subjected to random data blocks to artificially inflate the file size up to 690 MB and eventually prevents automatic analysis from antiviral solutions and sandy.
“For SilentcryPomplower, SilentcryPlower uses the process that exposes to bring the miner code into the system process (in this case, dwm.exe),” Kaspersky said. “Malicious software can stop mining as long as the processes indicated in the configuration are active. It can be monitored by the web panel.”
