SilentCryptoMiner

By visiting pirated movie and TV show streaming sites, users are met with a fake alert claiming their video player plugin is out of date. One click on that fake update button kicks off an infection.

the attackers threatened the content creators under the pretext of copyright infringement, demanding that they post videos with malicious links or risk shutdown of their YouTube channels.

The infection chain leveraged a fake update for a video player plugin. When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue. Clicking the link downloaded a ZIP archive.

operators retain full authority to run arbitrary commands or custom shellcode remotely

the original start script general.bat had been modified to run this file using PowerShell.

The malicious executable is a simple loader written in Python and packed into an executable application using PyInstaller. In some cases, the script has been additionally obfuscated using the PyArmor library.

a hidden function inside the file actively triggers a strategic stack overflow ... This overflow systematically builds a customized return-oriented programming chain to decrypt the primary payload

the developers recommend disabling security solutions, citing false positives... In one version, if the security solution on the victim’s device deleted the malicious file, the modified start script displayed the message “File not found, disable all antiviruses and re-download the file, that will help!”

Актуальная версия загружаемого вредоносного ПО представляет собой ZIP-архив, содержащий легитимный .exe-файл и вредоносную DLL-библиотеку. При запуске исполняемого файла библиотека подгружается в его процесс, после чего начинается выполнение вредоносной логики.

To prevent MSRT from being automatically installed during the next update, the DontOfferThroughWUAU parameter is created with a value of 1 under the HKLM\Software\Policies\Microsoft\MRT registry key.

The loader creates a service named DrvSvc and sets its description to that of the legitimate Windows Image Acquisition (WIA) service.

...настраивается автозагрузка копии майнера из этой папки путем добавления записи в HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe).

The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.

The loader creates a service named DrvSvc and sets its description to that of the legitimate Windows Image Acquisition (WIA) service.

...настраивается автозагрузка копии майнера из этой папки путем добавления записи в HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

standard user runs will continuously trigger intrusive privilege prompts . This aggressive routine loops every three minutes until the victim yields control

In some cases, the script has been additionally obfuscated using the PyArmor library.

The miner configuration is Base64-encoded and encrypted using the AES-CBC algorithm

They started distributing malware under the guise of restriction bypass programs and injecting malicious code into existing programs.

The loader creates a service named DrvSvc and sets its description to that of the legitimate Windows Image Acquisition (WIA) service.

For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe).

The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.

For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe).

Scanning the current environment for artifacts of running on a virtual machine or in a sandbox. The loader compares system data... with predefined lists of values used by virtual environments.

Only after receiving a specific approval signal from the server does the malware proceed, showing that attackers carefully filter targets to avoid tripping security test environments.

this shellcode reflectively loads the main module completely inside system memory

To prevent MSRT from being automatically installed during the next update, the DontOfferThroughWUAU parameter is created with a value of 1 under the HKLM\Software\Policies\Microsoft\MRT registry key.

the main module gathers basic processor metadata and disk serial numbers

Scanning the current environment for artifacts of running on a virtual machine or in a sandbox. The loader compares system data... with predefined lists of values used by virtual environments.

Only after receiving a specific approval signal from the server does the malware proceed, showing that attackers carefully filter targets to avoid tripping security test environments.

It then transmits this hardware information by utilizing advanced DNS tunneling techniques

The loader retrieves the URL of the next-stage payload from a hardcoded path on one of two domains... After the download, it saves the payload named t.py in a temporary directory and runs it.

It can be controlled remotely via a web panel.

This agent utilizes dynamically generated domains to receive administrative instructions

The core payload is a modified version of an open-source cryptocurrency miner called SilentCryptoMiner. Once active, it silently uses the victim’s CPU and GPU to mine cryptocurrency without the user noticing.

If running with administrator rights, the threat disables built-in operating system security utilities . It actively deletes Microsoft’s Malicious Software Removal Tool

Adding the AppData directory to Microsoft Defender exclusions.