Article Details

SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN and DPI Bypass Tools. A new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a tool designed to circumvent internet blocks and restrictions around online services. Russian cybersecurity company Kaspersky said the activity is part of a larger trend where cybercriminals are increasingly leveraging Windows Packet Divert (WPD) tools to distribute malware under the guise of restriction bypass programs. "Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives," researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev said. "This plays into the hands of attackers by allowing them to persist in an unprotected system without the risk of detection." The approach has been used as part of schemes that propagate stealers, remote access tools (RATs), trojans that provide hidden remote access, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat. The latest twist in this tactic is a campaign that has compromised over 2,000 Russian users with a miner disguised as a tool for getting around blocks based on deep packet inspection (DPI). The program is said to have been advertised in the form of a link to a malicious archive via a YouTube channel with 60,000 subscribers. In a subsequent escalation of the tactics spotted in November 2024, the threat actors have been found impersonating such tool developers to threaten channel owners with bogus copyright strike notices and demand that they post videos with malicious links or risk getting their channels shut down due to supposed infringement. "And in December 2024, users reported the distribution of a miner-infected version of the same tool through other Telegram and YouTube channels, which have since been shut down," Kaspersky said. The booby-trapped archives have been found to pack an extra executable, with one of the legitimate batch scripts modified to run the binary via PowerShell. In the event antivirus software installed in the system interferes with the attack chain and deletes the malicious binary, users are displayed an error message that urges them to re-download the file and run it after disabling security solutions. The executable is a Python-based loader that's designed to retrieve a next-stage malware, another Python script that downloads the SilentCryptoMiner miner payload and establishes persistence, but not before checking if it's running in a sandbox and configuring Windows Defender exclusions. The miner, based on the open-source miner XMRig, is padded with random blocks of data to artificially inflate the file size to 690 MB and ultimately hinder automatic analysis by antivirus solutions and sandboxes. "For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe)," Kaspersky said. "The malware is able to stop mining while the processes specified in the configuration are active. It can be controlled remotely via a web panel."