Man
Professional
- Messages
- 3,077
- Reaction score
- 614
- Points
- 113
Dr.Web uncovers a large-scale fraud scheme worth thousands of dollars.
Dr.Web specialists have identified a large-scale campaign to distribute cryptomining malware and steal cryptocurrencies. The attackers disguised the malware as office applications, game cheats and online trading bots, distributing them through fake pages on GitHub and YouTube.
The program identified by experts was disguised as a Windows system component (StartMenuExperienceHost.exe) responsible for managing the Start menu. The malware actively interacted with the remote host and launched the cmd.exe command line interpreter to perform further actions.
The cybercriminals used the legitimate Ncat network utility, which is normally used to transfer data via the command line. Thanks to the discovery of this element, it was possible to reconstruct the chain of events and stop further spread.
Infection chain
The source of infections is fake pages on GitHub and YouTube, where users downloaded a self-extracting password-protected archive. Antiviruses cannot scan such archives because of their encryption. Inside the archive there were temporary files that were extracted into the computer's system folder and initiated the execution of malicious scripts.
Malicious links to download programs from GitHub and YouTube
After the scripts were executed, the AutoIt library was loaded, which was used to run malicious scripts. During the attack, the attackers also used the Process Hollowing technique, in which trusted system processes were replaced with malicious codes. This allowed hackers to secretly mine cryptocurrency and spoof wallet addresses on the clipboard, redirecting funds to their accounts. It is estimated that the attackers received more than $6000 in this way.
The campaign affected more than 28,000 people, mainly in Russia, Belarus, Kazakhstan, Ukraine and Turkey. To protect yourself, it is recommended to download programs only from official websites, use antivirus software and avoid pirated versions of applications.
Source
Dr.Web specialists have identified a large-scale campaign to distribute cryptomining malware and steal cryptocurrencies. The attackers disguised the malware as office applications, game cheats and online trading bots, distributing them through fake pages on GitHub and YouTube.
The program identified by experts was disguised as a Windows system component (StartMenuExperienceHost.exe) responsible for managing the Start menu. The malware actively interacted with the remote host and launched the cmd.exe command line interpreter to perform further actions.
The cybercriminals used the legitimate Ncat network utility, which is normally used to transfer data via the command line. Thanks to the discovery of this element, it was possible to reconstruct the chain of events and stop further spread.
Infection chain
The source of infections is fake pages on GitHub and YouTube, where users downloaded a self-extracting password-protected archive. Antiviruses cannot scan such archives because of their encryption. Inside the archive there were temporary files that were extracted into the computer's system folder and initiated the execution of malicious scripts.
Malicious links to download programs from GitHub and YouTube
After the scripts were executed, the AutoIt library was loaded, which was used to run malicious scripts. During the attack, the attackers also used the Process Hollowing technique, in which trusted system processes were replaced with malicious codes. This allowed hackers to secretly mine cryptocurrency and spoof wallet addresses on the clipboard, redirecting funds to their accounts. It is estimated that the attackers received more than $6000 in this way.
The campaign affected more than 28,000 people, mainly in Russia, Belarus, Kazakhstan, Ukraine and Turkey. To protect yourself, it is recommended to download programs only from official websites, use antivirus software and avoid pirated versions of applications.
Source
