Malware Alert: SilentCryptoMiner Infects Users with Fake VPN

Details
A new large-scale malware campaign is infecting users with a coin mining malware called SilentCryptoMiner, disguised as a VPN tool. Russian cybersecurity company Kaspersky reports that this activity is part of a growing trend where cybercriminals exploit Windows Packet Divert (WPD) tools to spread malware under the guise of programs that bypass internet restrictions.
Researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev stated: "Such software is often distributed as compressed files with installation instructions in text form, where the developer recommends disabling security solutions to avoid false alarms. This allows attackers to operate in unprotected systems without fear of detection."
This tactic has been used in schemes to distribute data stealers, remote access tools (RATs), backdoor trojans, and cryptocurrency miners, with families such as NJRat, XWorm, Phemedrone, and DCRat among them.
The Latest Campaign and Sophisticated Tactics
Recently, a campaign has infected over 2,000 Russian users with a coin mining malware disguised as a tool to bypass Deep Packet Inspection (DPI). This program is promoted through a link leading to a malicious compressed file, appearing on a YouTube channel with 60,000 subscribers.

In November 2024, attackers upgraded their tactics by impersonating legitimate tool developers. They sent fake copyright violation notices to YouTube and Telegram channel owners, threatening to shut down their channels unless they posted videos with malicious links. By December 2024, users reported that the malware-infected version of this tool had spread through other Telegram and YouTube channels, although these channels were later closed.
How SilentCryptoMiner Works
The malicious compressed files include an extra executable file, with one of the legitimate scripts modified to run the binary through PowerShell. If antivirus software on the system detects and deletes the malicious file, users receive an error message urging them to download and run the file again after disabling security.
This executable is a Python-based loader designed to fetch the next stage of malware—a different Python script—that downloads SilentCryptoMiner and sets up long-term persistence. Before running, it checks if it's operating in a sandbox environment and sets exceptions for Windows Defender.
This miner, based on the open-source XMRig, adds random data blocks to increase the file size to 690 MB, making it harder for antivirus software and sandboxes to automatically analyze it. Kaspersky states: "To hide itself, SilentCryptoMiner uses the process hollowing technique to inject mining code into a system process (in this case, dwm.exe). The malware can pause mining when processes specified in the configuration are active and is remotely controlled via a web panel."
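The padding trick described above can be triaged without running the sample: random junk appended to inflate a binary sits past the last PE section as an "overlay", and it is high-entropy where zero-fill would not be. The following is an added example (not code from Kaspersky's report or FPT's text) that parses the PE section table with the Python standard library, measures overlay size and entropy, and flags oversized high-entropy overlays; the thresholds are assumptions, and build_sample_pe produces a constructed, non-runnable stand-in, not a real sample.

```python
import math
import struct

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; random padding scores close to 8.0, zero-fill close to 0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_overlay(data: bytes) -> dict:
    """Walk the PE section table and report what lies past the last section's raw data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size                      # first IMAGE_SECTION_HEADER
    image_end = sec_table + num_sections * 40             # headers alone, if no raw data
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    overlay = data[image_end:]
    return {"image_end": image_end, "overlay_size": len(overlay),
            "overlay_entropy": shannon_entropy(overlay)}

def looks_padded(data: bytes, min_overlay_bytes: int = 100 * 1024 * 1024,
                 min_ratio: float = 0.5, min_entropy: float = 7.0) -> bool:
    """Heuristic with assumed thresholds: a large, high-entropy overlay that dominates the file."""
    info = pe_overlay(data)
    ratio = info["overlay_size"] / len(data)
    return (info["overlay_size"] >= min_overlay_bytes and ratio >= min_ratio
            and info["overlay_entropy"] >= min_entropy)

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed, non-runnable stand-in: MZ stub, PE header, one 0x200-byte section, then overlay."""
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)            # 1 section, no optional header
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x200, 0x200) + b"\0" * 16
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + section
    return header.ljust(0x400, b"\0") + overlay           # section raw data ends at 0x400
```

Run looks_padded over suspicious downloads with the defaults, or lower min_overlay_bytes when testing against the constructed samples.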
Future Attack Trends and Risks for Vietnamese Organizations
SilentCryptoMiner is not just a threat in Russia but also has the potential to spread to other countries, including Vietnam, where users increasingly rely on VPN tools to bypass internet access restrictions. With the growth of platforms like YouTube, Telegram, and TikTok in Vietnam, cybercriminals can easily exploit popular social media channels to distribute similar malware.
In the future, attacks may target Vietnamese users by disguising malware as free tools like VPNs, network accelerators, or firewall bypass software. Especially with the increasing trend of cryptocurrency use in Vietnam, hidden miners like SilentCryptoMiner can secretly exploit users' computer resources without detection. Attackers might also take advantage of some users' lack of cybersecurity knowledge, encouraging them to disable security software, thereby expanding the scale of infection.
To protect themselves, Vietnamese users should verify the source of software before downloading, avoid clicking on links from untrustworthy channels, and keep security solutions like antivirus software updated. Authorities should also enhance monitoring and raise public awareness about sophisticated cyber threats like these as digitalization becomes more widespread.
IOCs
Recommendations
FPT Threat Intelligence recommends several measures to prevent SilentCryptoMiner and similar threats for organizations in Vietnam:
Before downloading any tools, especially free VPNs or firewall bypass software, verify the origin of the file from official websites or reputable providers. Avoid downloading software from unclear links on social media, forums, or unreliable YouTube/Telegram channels.
Organizations should implement enterprise-level security solutions like Endpoint Detection and Response (EDR) to detect and block abnormal activities such as process hollowing or resource exploitation.
Train employees on cybersecurity, especially on recognizing phishing emails, malicious compressed files, and tactics that force disabling security.
Establish a policy prohibiting the installation of unapproved software on company devices.