The SilentCryptoMiner cryptocurrency mining campaign targets Russia


Security researchers at Kaspersky have warned about a campaign distributing malware that carries the SilentCryptoMiner mining code to users in Russia. Their research shows that the attackers trojanized legitimate tools built on the Windows Packet Divert driver, which users in Russia run to get around DPI-based internet blocking, and relied on the popularity of those tools to spread SilentCryptoMiner to victims.

Stage 1: Infection Setup

Kaspersky has identified more than 2,000 victims in Russia. The miners are disguised as tools for bypassing blocking that relies on Deep Packet Inspection (DPI). One distribution channel is entertainment platforms and social networks with large audiences, such as YouTube and Discord. The researchers found a YouTuber with more than 60,000 subscribers who had recently uploaded videos showing how to install and use the trojanized tool. These videos have drawn more than 400,000 views, and the links in their descriptions have produced more than 40,000 visits to the malicious website.

Figure 1: Malicious website gitrok[.]com

The trojanized tool is distributed through repositories on the website gitrok[.]com. The attacker's copies contain additional executable files, and general.bat is modified to run a PowerShell command that launches them. In some cases, when the victim's security software detects the malicious files and starts removing them, a fake error appears: "File not found, disable all antivirus and re-download the file, that will help!" This is meant to persuade users to turn off their security software and run the malicious file themselves.

Figure 2: Comparison of the contents of the general.bat file between the original (left) and the attacker's version (right)

Kaspersky's researchers found that the malicious executable is written in Python and packaged with PyInstaller. In some variants the code is additionally obfuscated with PyArmor, which makes static analysis of its logic harder for security products. This first-stage loader queries one of two domains that answer only to Russian IP addresses, canvas[.]pet or swapme[.]fun, downloads a payload named t.py, saves it in a temporary directory on the system, and launches it.

Stage 2: Infection and Establishing Persistence

In the next stage, a loader written in Python based on customized open-source code is used to execute the following steps:

Step 1: Detect Virtualization and Sandbox Environments

  • The loader scans the system to check if it is running in a virtual machine (VM) or sandbox analysis environment.

  • It compares system data such as the computer name, username, MAC address, hardware ID (HWID), and GPU specifications with a list of values typical of virtual environments.

  • If it detects the system is running in a VM or sandbox, the malware will self-destruct or change its behavior to avoid analysis.

Step 2: Add the AppData folder to Microsoft Defender's exclusion list

  • To avoid detection and removal, the loader adds the AppData folder to Microsoft Defender's exclusion list so that files stored there are never scanned, and then drops its payloads into that folder.

Step 3: Download malicious payloads from the C2 server

  • The loader connects to the C2 server, sending a request to http://193.233.203[.]138/WjEjoHCj/t

  • Depending on the server's response (true/false) and a random value, the loader takes one of two paths: download an executable from http://9x9o[.]com/q.txt, or decode a Base64 blob embedded in the script.

  • The received file will be saved at the path: %LocalAppData%\driverpatch9t1ohxw8\di.exe

Step 4: Modify di.exe to avoid analysis

  • After the download, the loader appends random data blocks to the end of di.exe, inflating the file to roughly 690 MB.

  • This technique, file padding, is meant to evade antivirus engines and sandboxes: many of them enforce a maximum file size and skip, or only partially scan, files above it.

Step 5: Establish a persistence mechanism

  • To help the malware remain hidden and undetected by users, the loader creates a Windows service named DrvSvc. It then sets the description of this service to match that of the legitimate Windows Image Acquisition (WIA) service, which is used for processing images from cameras and scanners.

        # exe_path is the padded di.exe dropped under %LocalAppData% in Steps 3 and 4
        svc_name = "DrvSvc"
        svc_desc = "Launches applications associated with still image acquisition events."
        cmd_create = f'sc create {svc_name} binPath= "{exe_path}" start= auto'  # auto-start at boot
        cmd_desc = f'sc description {svc_name} "{svc_desc}"'                   # borrowed WIA description

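Taken together, Steps 2, 4 and 5 leave three host artefacts a defender can hunt for: a Defender exclusion covering AppData, a heavily padded PE under %LocalAppData%, and a service that reuses the WIA description while pointing at a binary outside System32. The Python below is an added example written for this article, not code from Kaspersky's report or from the loader. It parses the PE section table by hand to measure the appended overlay, and applies the other two checks to inventory data supplied by the caller; on a live host that data would come from Get-MpPreference and from sc qc / Win32_Service, while here the exclusion list, service list and minimal PE skeleton are constructed samples. The assumption that the genuine WIA host runs from System32 is marked in the code.

```python
import struct

# Service description the loader borrows from the Windows Image Acquisition
# service (quoted in the report); reuse of it by another service is the signal.
WIA_DESCRIPTION = "Launches applications associated with still image acquisition events."


def suspicious_exclusions(exclusion_paths):
    """Step 2 check: exclusion entries that cover a user's AppData tree.

    Input is the ExclusionPath list as Get-MpPreference would return it;
    the caller passes it in, so the check is testable offline.
    """
    flagged = []
    for path in exclusion_paths:
        low = path.lower().rstrip("\\") + "\\"
        if "\\appdata\\" in low or low.startswith(("%appdata%", "%localappdata%")):
            flagged.append(path)
    return flagged


def pe_overlay_size(data):
    """Step 4 check: bytes appended after the last section's raw data.

    Walks DOS header -> PE signature -> COFF header -> section table with
    struct only, so it works without pefile. Raises on non-PE input.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    end = table + 40 * num_sections            # at least the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def looks_padded(data, min_ratio=0.5):
    """Return (verdict, overlay_bytes). Legitimate installers also carry
    overlays, so the ratio threshold is a triage heuristic, not proof."""
    overlay = pe_overlay_size(data)
    return overlay / len(data) >= min_ratio, overlay


def spoofed_services(services):
    """Step 5 check over (name, description, binary_path) tuples, as collected
    with `sc qc` + `sc qdescription` or Win32_Service. Flags the DrvSvc name
    from the report, and any service wearing the WIA description whose binary
    is outside System32 (assumption: the real WIA host runs from there)."""
    flagged = []
    for name, description, binary_path in services:
        borrowed = description.strip().lower() == WIA_DESCRIPTION.lower()
        outside_system32 = "\\windows\\system32\\" not in binary_path.lower()
        if name.lower() == "drvsvc" or (borrowed and outside_system32):
            flagged.append(name)
    return flagged


def build_fake_pe(section_bytes, opt_header_size=0xF0):
    """Constructed, non-runnable PE skeleton with one section at offset 0x200;
    sample input only, so the overlay check can be exercised without a binary."""
    raw_ptr = 0x200
    hdr = bytearray(raw_ptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HH", hdr, coff, 0x8664, 1)            # Machine, NumberOfSections
    struct.pack_into("<H", hdr, coff + 16, opt_header_size)  # SizeOfOptionalHeader
    sect = coff + 20 + opt_header_size
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sect + 16, len(section_bytes), raw_ptr)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + section_bytes


# Constructed inventory samples standing in for live host data.
SAMPLE_EXCLUSIONS = [r"C:\Program Files\VendorTool", r"C:\Users\alice\AppData"]
SAMPLE_SERVICES = [
    ("Spooler", "Spools print jobs.", r"C:\Windows\System32\spoolsv.exe"),
    ("DrvSvc", WIA_DESCRIPTION, r"C:\Users\alice\AppData\Local\driverpatch9t1ohxw8\di.exe"),
]

if __name__ == "__main__":
    clean = build_fake_pe(b"\x90" * 0x200)
    padded = clean + b"\x00" * 0x800                         # mimic the appended junk
    print("exclusions:", suspicious_exclusions(SAMPLE_EXCLUSIONS))
    print("padded?", looks_padded(padded), "clean?", looks_padded(clean))
    print("services:", spoofed_services(SAMPLE_SERVICES))
```

The overlay measurement is the part worth keeping: a 690 MB file whose section table accounts for a few megabytes is unusual enough to triage on its own, independent of any signature, and the check reads only the headers, so it is cheap even on the inflated file.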
SilentCryptoMiner

Researchers identified di.exe as a variant of SilentCryptoMiner, a covert miner built on the open-source XMRig miner. It can mine several cryptocurrencies (ETH, ETC, XMR, RTM and others) using different algorithms. Once launched on the victim's system, di.exe does the following:

    1. Disguise through process hollowing

      • SilentCryptoMiner does not run as its own process. It starts a legitimate process in a suspended state, replaces that process's memory image with the miner code, and resumes it (process hollowing).

      • In this case the host process is dwm.exe (Desktop Window Manager, a legitimate Windows process), so the mining threads appear to belong to a trusted system binary in antivirus and process-monitoring tools.

    2. Pauses mining while specified applications are running

      • SilentCryptoMiner suspends its activity when it detects certain processes running. The list of these processes is defined in the configuration.

      • This is an evasion measure: mining stops as soon as the user opens Task Manager, Process Explorer, or performance-monitoring software, so the CPU load that would give the miner away is not visible.

    3. Remote control through a web panel

      • The attacker manages the miner remotely through a web panel, which allows changing settings, monitoring mining performance, and controlling many infected machines at once.

    4. Configuration encryption

      • The configuration is encrypted with AES, using the 32-byte key UXUUXUUXUUCommandULineUUXUUXUUXU (AES-256) and the 16-byte IV UUCommandULineUU, and the ciphertext is then Base64-encoded. Base64 is an encoding, not encryption; the presence of an IV also means a chained mode such as CBC rather than ECB, which takes no IV. Because both key and IV are hard-coded, anyone with the binary can decrypt the configuration.

      • The configuration holds the essentials: the mining algorithm and pool URL (here rx/0, RandomX, against 150.241.93[.]90:443 over TLS); the list of programs whose presence pauses mining and frees resources; and the remote-config URL (a Pastebin raw paste here), polled at intervals so the operator can change settings without touching the binary.

        --algo=rx/0 --url=150.241.93[.]90:443 --user="JAN2024" --pass="JAN2024"
        --cpu-max-threads-hint=20 --cinit-remote-config="https://pastebin.com/raw/kDDLXFac"
        --cinit-stealth-targets="Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe"
        --cinit-version="3.2.0" --tls --cinit-idle-wait=4 --cinit-idle-cpu=30 --cinit-id="uvduaauhlrqdhmpj"

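The command line above is the decrypted XMRig-style configuration. The Python below is an added example, not code from the report or from the miner: it parses that option string into fields, pulls out the network indicators an analyst would block or hunt, and emulates the pause rule against a list of running process names. The sample string is a constructed copy of the configuration shown above, kept defanged; the case-insensitive process match is an assumption, since the miner's own comparison code is not reproduced in the report.

```python
import shlex
from urllib.parse import urlsplit

# Constructed copy of the command line recovered above, kept defanged as on the page.
SAMPLE_CMDLINE = (
    '--algo=rx/0 --url=150.241.93[.]90:443 --user="JAN2024" --pass="JAN2024" '
    '--cpu-max-threads-hint=20 --cinit-remote-config="https://pastebin.com/raw/kDDLXFac" '
    '--cinit-stealth-targets="Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe" '
    '--cinit-version="3.2.0" --tls --cinit-idle-wait=4 --cinit-idle-cpu=30 '
    '--cinit-id="uvduaauhlrqdhmpj"'
)

# Options whose value is a comma-separated list rather than a scalar.
LIST_VALUED = {"cinit-stealth-targets"}


def parse_miner_config(cmdline):
    """Split an XMRig-style option string into a dict.

    `--key=value` becomes cfg[key] = value (shlex removes the quotes),
    a bare `--flag` such as --tls becomes cfg[flag] = True, and list-valued
    options are split on commas.
    """
    cfg = {}
    for token in shlex.split(cmdline):
        if not token.startswith("--"):
            raise ValueError(f"unexpected token: {token!r}")
        key, sep, value = token[2:].partition("=")
        if not sep:
            cfg[key] = True
        elif key in LIST_VALUED:
            cfg[key] = [v for v in value.split(",") if v]
        else:
            cfg[key] = value
    return cfg


def extract_iocs(cfg):
    """Network indicators to block or hunt: the pool endpoint (and whether it
    is wrapped in TLS) plus the remote-config URL and its host, since the
    paste path can change between campaigns while the host stays the same."""
    iocs = {"pool": cfg.get("url"), "pool_tls": cfg.get("tls") is True}
    remote = cfg.get("cinit-remote-config")
    if remote:
        iocs["remote_config"] = remote
        iocs["remote_config_host"] = urlsplit(remote).hostname
    return iocs


def would_pause(cfg, running_processes):
    """Emulate the stealth-target check: True when any listed image name is
    running. Assumes a case-insensitive comparison, as Windows image names
    are; the miner's exact matching code is not shown in the report."""
    targets = {t.lower() for t in cfg.get("cinit-stealth-targets", [])}
    return any(proc.lower() in targets for proc in running_processes)


if __name__ == "__main__":
    cfg = parse_miner_config(SAMPLE_CMDLINE)
    print(extract_iocs(cfg))
    print("pauses with Task Manager open:", would_pause(cfg, ["explorer.exe", "taskmgr.exe"]))
```

Two points follow from the parsed fields. The pool is reached on port 443 with --tls, so the mining traffic looks like ordinary HTTPS at the network edge; the reliable indicators are the destination address itself and the fact that dwm.exe, the hollowed host process, is the one opening the connection. And because the stealth list names only the common inspection tools, a process-listing tool whose image name is not on that list, or a telemetry source such as performance counters collected by an agent, still sees the CPU load.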
Conclusion

Tools for bypassing internet access restrictions are being actively abused to spread malware. The campaign described above mainly delivers cryptocurrency miners, but the same distribution method can carry more damaging payloads, including data stealers and other malware downloaded in later stages. It is another reminder that software obtained from unverified sources, however useful it promises to be, carries real risk to user data security.

IOCs

  • Infected archives (MD5)
    574ed9859fcdcc060e912cb2a8d1142c
    91b7cfd1f9f08c24e17d730233b80d5f
  • PyInstaller loaders (MD5)
    9808b8430667f896bcc0cb132057a683
    0c380d648c0c4b65ff66269e331a0f00
  • Malicious Python scripts (MD5)
    1f52ec40d3120014bb9c6858e3ba907f
    a14794984c8f8ab03b21890ecd7b89cb
  • SilentCryptoMiner (MD5)
    a2a9eeb3113a3e6958836e8226a8f78f
    5c5c617b53f388176173768ae19952e8
    ac5cb1c0be04e68c7aee9a4348b37195
  • Malicious domains and IPs
    hxxp://gitrok[.]com
    hxxp://swapme[.]fun
    hxxp://canvas[.]pet
    hxxp://9x9o[.]com
    193.233.203[.]138
    150.241.93[.]90

References

  1. Securelist (Kaspersky) report: https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/

FPT IS Security
