A malware campaign known as SilentCryptoMiner is targeting users by posing as a tool for bypassing internet restrictions. The malware is disguised as utilities built on Windows Packet Divert (WPD), a packet-interception driver that legitimate circumvention tools use to get around blocks on online services. Researchers at the Russian cybersecurity company Kaspersky report that this lure is becoming more common, with criminals increasingly wrapping a range of malware in fake WPD-based tools. The malicious software is typically shipped in archives whose instructions tell the user to disable antivirus software first, so the payload is not flagged when it is unpacked and run.
SilentCryptoMiner itself is a cryptocurrency miner camouflaged as a tool for bypassing deep packet inspection (DPI). According to Kaspersky it has infected more than 2,000 users in Russia. Download links were spread through YouTube channels, and the attackers went as far as threatening channel owners with bogus copyright strikes to pressure them into posting the links. Because the links are presented as a working circumvention service, the average user has little reason to suspect them.
Once the archive is unpacked, a Python-based loader runs and retrieves the miner payload. The loader checks whether it is running in a sandbox, adds exclusions to Windows Defender so the payload is not scanned, and establishes persistence on the system. The miner is built on the open-source XMRig software but modified to evade detection. In particular, its file is artificially inflated to 690 MB: many antivirus engines and automated sandboxes skip or time out on files above a size threshold, so the padding buys the miner extra time before it is analyzed and flagged.
To stay hidden, SilentCryptoMiner uses process hollowing: it starts a trusted system binary such as dwm.exe and replaces the process's in-memory image with the mining code, so the running process still carries a legitimate name and on-disk path. The miner also pauses mining while particular processes it watches for are running, which makes casual inspection of CPU usage unreliable. It is controlled through a web panel that lets the operators monitor and manage infected machines. Together these tactics make SilentCryptoMiner a persistent threat, and users should be wary of "restriction bypass" tools that ask them to switch off their antivirus before installation.
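Because hollowing keeps the legitimate image path, a dwm.exe running the miner is best spotted by how it was launched and what it does, not by where its file lives. The script below is an added example, not code from the campaign or from Kaspersky: it applies hunting heuristics to a process snapshot. The facts it relies on are that Windows starts dwm.exe from System32 via winlogon.exe under a "Window Manager\DWM-n" account and that a legitimate dwm.exe opens no network connections; the snapshot records, the hostile IP (from the TEST-NET-3 range) and the port are constructed for the example.

```python
"""Hunt for a dwm.exe that does not match the shape Windows gives it.
Added example over constructed process records modelled on what an EDR or
Sysmon export plus a netstat listing would provide."""

# Expected launch shape for the system processes we know well enough to
# check. Extend with other binaries only after verifying their parents on a
# clean reference host.
EXPECTED = {
    "dwm.exe": {
        "path": r"c:\windows\system32\dwm.exe",
        "parent": "winlogon.exe",
        "user_prefix": r"window manager\dwm-",
        "network": False,     # dwm.exe has no business talking to the network
    },
}


def process_anomalies(proc):
    """Return a list of reasons this record deviates from the expected launch
    shape of its process name. Empty list means nothing stood out, or the
    name is not one we have a baseline for."""
    rule = EXPECTED.get(proc["name"].lower())
    if rule is None:
        return []
    reasons = []
    # Hollowing leaves the real binary's path in place, so this check mostly
    # catches look-alike copies dropped elsewhere, not hollowing itself.
    if proc["path"].lower() != rule["path"]:
        reasons.append(f"image path {proc['path']} is not {rule['path']}")
    if proc["parent"].lower() != rule["parent"]:
        reasons.append(f"parent {proc['parent']} is not {rule['parent']}")
    if not proc["user"].lower().startswith(rule["user_prefix"]):
        reasons.append(f"runs as {proc['user']}, expected {rule['user_prefix']}*")
    if not rule["network"] and proc["connections"]:
        conns = ", ".join(f"{ip}:{port}" for ip, port in proc["connections"])
        reasons.append(f"has outbound connections: {conns}")
    return reasons


def hunt(snapshot):
    """Map pid -> anomaly reasons for every record that has any."""
    return {p["pid"]: r for p in snapshot if (r := process_anomalies(p))}


# Constructed snapshot: one normal dwm.exe and one launched by a user-level
# Python loader that then connected outbound, as the article describes.
SNAPSHOT = [
    {"pid": 1234, "name": "dwm.exe", "path": r"C:\Windows\System32\dwm.exe",
     "parent": "winlogon.exe", "user": r"Window Manager\DWM-1",
     "connections": []},
    {"pid": 5678, "name": "dwm.exe", "path": r"C:\Windows\System32\dwm.exe",
     "parent": "python.exe", "user": r"DESKTOP-X\alice",
     "connections": [("203.0.113.10", 3333)]},   # IP/port are made up
]

if __name__ == "__main__":
    for pid, reasons in hunt(SNAPSHOT).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Two caveats for using this in earnest. First, the miner suspends itself when it sees certain monitoring processes, so collect CPU and connection data from a scheduled agent rather than by opening Task Manager on the host. Second, a parent or account mismatch is grounds for suspicion, not proof; confirming hollowing means inspecting the process's memory for executable regions that do not match the dwm.exe image on disk, which is outside what a snapshot check can do.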