06 March 25, 10:31
Quote: In recent months, we’ve seen an increase in the use of Windows Packet Divert drivers to intercept and modify network traffic in Windows systems. This technology is used in various utilities, including ones for bypassing blocks and restrictions of access to resources worldwide. Over the past six months, our systems have logged more than 2.4 million detections of such drivers on user devices.
The growing popularity of tools using Windows Packet Divert has attracted cybercriminals. They started distributing malware under the guise of restriction bypass programs and injecting malicious code into existing programs.
![[Image: SilentCryptoMiner_02-1024x592.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/03/04105903/SilentCryptoMiner_02-1024x592.png)
Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives. This plays into the hands of attackers by allowing them to persist in an unprotected system without the risk of detection. Most active of all have been schemes for distributing popular stealers, remote access tools (RATs), Trojans that provide hidden remote access, and miners that harness computing power to mine cryptocurrency. The most commonly used malware families were NJRat, XWorm, Phemedrone and DCRat.
Blackmail as a new infection scheme
We recently uncovered a mass malware campaign infecting users with a miner disguised as a tool for bypassing blocks based on deep packet inspection (DPI). The original version of the tool is published on GitHub, where it has been starred more than 10,000 times. There is also a separate project based on it that is used to access Discord and YouTube.
According to our telemetry, the malware campaign has affected more than 2,000 victims in Russia, but the overall figure could be much higher. One of the infection channels was a YouTuber with 60,000 subscribers, who posted several videos with instructions for bypassing blocks, adding a link to a malicious archive in the description. These videos have reached more than 400,000 views. The description was later edited and the link replaced with the message “program does not work”.