This article discusses the rising utilization of Windows Packet Divert drivers to manipulate network traffic, leading to a surge in malware distribution disguised as legitimate software. Cybercriminals exploit these drivers to spread various malicious tools, including remote access Trojans and cryptocurrency miners, impacting users significantly. Affected: Windows systems, Russia, YouTube creators
Keypoints :
- Windows Packet Divert drivers are increasingly used for intercepting network traffic.
- Over 2.4 million detections of these drivers were logged in six months.
- Cybercriminals distribute malware disguised as programs for bypassing access restrictions.
- Common malware includes NJRat, XWorm, Phemedrone, and DCRat.
- Malware campaigns have affected thousands of victims, particularly in Russia.
- Attackers threatened YouTube creators to post links to malicious files.
- Infected archives contain modified installers that bypass security measures.
- Malicious payloads are often downloaded using Python-based loaders.
- The campaign highlights the risk of malware hidden within restriction bypass tools.
- Key techniques used within malware include process hollowing and remote control functionalities.
MITRE Techniques :
- T1060 – Windows Event Log Corruption: Attackers manipulate event logs to hide malicious activity.
- T1086 – PowerShell: Malicious scripts are executed using PowerShell.
- T1071.001 – Application Layer Protocol: The malware communicates via HTTP.
- T1059.001 – Command and Scripting Interpreter: Malicious code is executed through scripting languages like Python.
- T1090 – Connection Proxy: Attackers disguise their communications to avoid detection.
Indicator of Compromise :
- [Domain] gitrok[.]com
- [Domain] swapme[.]fun
- [Domain] canvas[.]pet
- [IP Address] 193.233.203[.]138
- [IP Address] 150.241.93[.]90
- [Hash] 574ed9859fcdcc060e912cb2a8d1142c91b7cfd1f9f08c24e17d730233b80d5f
Full Story: https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/