Undercover Miner: How Youtubers Get Pressed Into Distributing Silentcryptominer As A Restriction Bypass Tool
This article discusses the growing use of Windows Packet Divert drivers to manipulate network traffic and the accompanying surge in malware distributed under the guise of legitimate software. Cybercriminals exploit these drivers to spread a range of malicious tools, including remote access Trojans and cryptocurrency miners, with significant impact on users. Affected: Windows systems, Russia, YouTube creators

Key points:

  • Windows Packet Divert drivers are increasingly used for intercepting network traffic.
  • Over 2.4 million detections of these drivers were logged in six months.
  • Cybercriminals distribute malware disguised as programs for bypassing access restrictions.
  • Common malware includes NJRat, XWorm, Phemedrone, and DCRat.
  • Malware campaigns have affected thousands of victims, particularly in Russia.
  • Attackers coerced YouTube creators into posting links to malicious files.
  • Infected archives contain modified installers that bypass security measures.
  • Malicious payloads are often downloaded using Python-based loaders.
  • The campaign highlights the risk of malware hidden within restriction bypass tools.
  • Techniques used by the malware include process hollowing and remote-control functionality.

MITRE Techniques:

  • T1060 – Windows Event Log Corruption: Attackers manipulate event logs to hide malicious activity.
  • T1086 – PowerShell: Malicious scripts are executed using PowerShell.
  • T1071.001 – Application Layer Protocol: The malware communicates via HTTP.
  • T1059.001 – Command and Scripting Interpreter: Malicious code is executed through scripting languages like Python.
  • T1090 – Connection Proxy: Attackers disguise their communications to avoid detection.

Indicators of Compromise:

  • [Domain] gitrok[.]com
  • [Domain] swapme[.]fun
  • [Domain] canvas[.]pet
  • [IP Address] 193.233.203[.]138
  • [IP Address] 150.241.93[.]90
  • [Hash] 574ed9859fcdcc060e912cb2a8d1142c91b7cfd1f9f08c24e17d730233b80d5f
Full Story: https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/