SilentCryptoMiner Malware Campaign: Disguised as a DPI Bypass Tool

Listen to this Post

In recent cybersecurity reports, Kaspersky researchers unveiled a disturbing trend involving the SilentCryptoMiner malware, which is being distributed under the guise of tools that supposedly bypass internet restrictions. This malicious campaign is not only deceptive in its appearance but also takes advantage of social engineering tactics to infect users with a wide range of malware types, including cryptocurrency miners, RATs (remote access Trojans), and data-stealing tools.

The malware is spread through manipulated archives, which trick users into disabling their security software in order to allow its execution. These archives, often linked by unsuspecting YouTubers and Telegram channels, have resulted in widespread infections, particularly among Russian users. In this article, we will dive into the details of the campaign, how it spreads, and the risks it poses to users.

The SilentCryptoMiner Campaign: Overview and Tactics

Kaspersky’s investigation into the increased use of Windows Packet Divert (WPD) tools by cybercriminals revealed that these tools were being employed to spread SilentCryptoMiner. This miner is disguised as a tool that allows users to bypass internet restrictions, a topic that has become increasingly popular in certain regions. However, once users download the tool, it installs a variety of malicious payloads.

The malware is typically distributed in archives, accompanied by fake installation instructions that encourage users to disable their antivirus protection. This social engineering tactic allows a range of harmful software—such as stealers, Trojans, RATs, and crypto miners—to persist on victims’ systems without being detected. The most commonly seen malware families in this campaign include NJRat, XWorm, Phemedrone, and DCRat.

SilentCryptoMiner itself is a covert cryptocurrency miner based on the open-source XMRig miner. It operates by stealthily mining multiple cryptocurrencies, including Ethereum (ETH), Ethereum Classic (ETC), Monero (XMR), and others, without the user’s consent or knowledge. The miner uses a technique called process hollowing, where it injects itself into an existing system process (like dwm.exe), making detection much harder.

Kaspersky researchers noted that over 2,000 victims had been identified in Russia, although the actual number may be far higher. The campaign was further spread by a YouTuber with 60,000 subscribers, who unknowingly posted a link to a malicious archive in their videos, which amassed over 400,000 views before the link was taken down.

The attackers distributed the malware through a malicious site, gitrok[.]com, where over 40,000 downloads of the infected archive were recorded. To add to the complexity, attackers manipulated YouTubers by falsely claiming copyright strikes and threatening to shut down their channels unless they promoted the malicious links.

Technical Insights: How the Malware Works

The infected archives contain a modified start script that tricks users into disabling antivirus protections. Once executed, the first-stage malware is a Python-based loader, packed with PyInstaller and sometimes obfuscated using PyArmor. This loader fetches the second-stage payload from hardcoded domains, executing it as t.py in a temporary folder.

One particularly concerning aspect of the campaign is that the payload is only accessible from Russian IP addresses, suggesting that the attackers may be specifically targeting Russian users. The downloaded payload, identified as di.exe, is a sample of SilentCryptoMiner, which is capable of mining various cryptocurrencies like ETH, ETC, XMR, and others, using several algorithms.

SilentCryptoMiner operates in the background with stealth mechanisms such as process hollowing, where it injects the mining code into legitimate system processes to avoid detection. It can stop mining if certain processes are active and is controlled remotely via a web panel. Additionally, the malware can detect virtualized environments, preventing execution in such scenarios, and it frequently checks for updates, retrieving them every 100 minutes.

What Undercode Says:

This particular malware campaign is not only concerning due to its deceptive nature but also because of its potential to spread more complex threats in the future. While the primary goal of this attack seems to be mining cryptocurrencies, the same vector could easily be used to distribute more dangerous malware, including tools for data theft and additional remote access Trojans (RATs).

The use of DPI bypass tools (which are usually employed to evade censorship or internet restrictions) to distribute malware is an alarming trend. These tools have an inherent appeal to users in regions where internet access is tightly controlled, making them more likely to download and install such tools without considering the risks. This makes the tactic highly effective, as it preys on a specific group of users who might be more inclined to disable security protections in order to use the tool.

Furthermore, the involvement of YouTubers and Telegram channels in spreading this malware shows just how widespread the threat is. Even legitimate content creators with large followings can unknowingly contribute to the propagation of malicious campaigns. In this case, the YouTubers were manipulated into sharing links under the false pretense of copyright-related threats, further underlining the social engineering component of the attack.

From a technical perspective, the ability of SilentCryptoMiner to remain hidden by using system process injection and by halting mining operations when certain programs are running is a clear sign of the sophistication of the threat. This type of behavior shows that the attackers are not just looking to infect as many systems as possible; they are also actively trying to avoid detection by security software and monitoring tools.

What’s also concerning is the attack’s geographic focus. While Russia appears to be the primary target, the technique and tools used could be adapted for use in other regions as well. The fact that the malware is served through a site like gitrok[.]com and linked through popular platforms like YouTube suggests that the reach of this campaign could be global. As such, users in other countries could easily fall victim to similar attacks if the same techniques are employed.

Fact Checker Results:

– Malware Distribution:

  • Targets and Reach: Over 40,000 downloads of the infected archive were recorded, with a primary focus on Russian users.
  • Stealth Techniques: SilentCryptoMiner’s use of process hollowing and encryption techniques makes it difficult for traditional antivirus software to detect the threat effectively.

References:

Reported By: https://securityaffairs.com/175169/breaking-news/miner-campaign-targeting-russian-users-with-silentcryptominer.html
Extra Source Hub:
https://www.facebook.com
Wikipedia: https://www.wikipedia.org
Undercode AI

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2

Join Our Cyber World:

Whatsapp
TelegramFeatured Image