Shield Becomes a Sword: How Hackers Turn Wazuh's SIEM into a Weapon

Man

Kaspersky Lab has detected advanced SilentCryptoMiner attacks.

Kaspersky Lab specialists have identified a new large-scale campaign to distribute the hidden miner SilentCryptoMiner. The attacks affected users in several countries, including Russia, Belarus, India, Uzbekistan and Kazakhstan. The largest number of incidents was recorded on the territory of the Russian Federation.

A distinctive feature of this campaign is that the attackers used several unusual techniques to evade detection and gain a foothold on users' systems, including installing the agent of the open-source Wazuh SIEM. Experts note that the campaign is still ongoing.

SilentCryptoMiner is a stealthy miner that uses the computing power of infected devices to mine cryptocurrencies such as Monero and Zephyr. The miner was distributed through fake sites offering free downloads of popular programs such as uTorrent, MS Excel, MS Word, Minecraft and Discord.

In addition, the attackers ran several Telegram channels aimed at crypto wallet owners and users of game cheats. They offered themed software for download, under the guise of which the hidden miner ended up on the victim's device. Distribution via YouTube was also recorded: many English-language videos, published from various accounts that had probably been hijacked, carried links to the fake resources in their descriptions and comments.

To install the miner, users were offered an archive containing an MSI file for Windows and a text document with a password and instructions. In some cases, users were advised to disable their antivirus before installing. The program the person was actually looking for was never delivered; instead, malware was installed on the device.

Through a complex infection chain, a malicious script and SilentCryptoMiner ended up on the user's device. A distinctive feature of the detected campaign was the attackers' use of the Wazuh SIEM agent. The technique serves two purposes: it helps evade detection by security solutions and gives the attackers a foothold on the device. The SIEM agent also gave the attackers remote control over the infected device and let them collect telemetry and send it to their C&C server.
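One defender-side check that the Wazuh-agent technique above suggests, as an added example that is not from the original post or from Kaspersky: parse the agent's ossec.conf and flag any manager address that is not one your organisation operates, since a legitimately deployed agent should only report to your own managers. The `<ossec_config><client><server><address>` layout is Wazuh's real agent config format; the allowlist, the sample config and the Windows path constant are constructed or assumed values.

```python
import os
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Assumed default path of the Wazuh agent config on a Windows host.
WINDOWS_AGENT_CONF = r"C:\Program Files (x86)\ossec-agent\ossec.conf"

# Constructed allowlist: the only Wazuh managers this organisation operates.
AUTHORIZED_MANAGERS = {"wazuh-manager.corp.example", "10.0.5.20"}

# Constructed agent config: the second <server> block points at a manager nobody
# in the organisation runs, which is what a rogue enrolment looks like on disk.
SAMPLE_AGENT_CONF = """
<ossec_config>
  <client>
    <server><address>10.0.5.20</address><port>1514</port></server>
    <server><address>203.0.113.77</address><port>1514</port></server>
  </client>
</ossec_config>
"""


def manager_addresses(ossec_conf_xml: str) -> List[str]:
    """Every manager address declared under <ossec_config><client><server>.

    ossec.conf may hold several top-level <ossec_config> blocks and has no XML
    declaration, so wrap the text in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + ossec_conf_xml + "</root>")
    return [(n.text or "").strip()
            for n in root.iterfind("ossec_config/client/server/address")]


def unauthorized_managers(ossec_conf_xml: str,
                          authorized: Iterable[str] = AUTHORIZED_MANAGERS) -> List[str]:
    """Manager addresses the agent reports to that are not on the allowlist."""
    allowed = {a.lower() for a in authorized}
    return sorted({a for a in manager_addresses(ossec_conf_xml)
                   if a.lower() not in allowed})


if __name__ == "__main__":
    # Check the live agent config if one is installed, else the constructed sample.
    text = SAMPLE_AGENT_CONF
    if os.path.exists(WINDOWS_AGENT_CONF):
        with open(WINDOWS_AGENT_CONF, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    rogue = unauthorized_managers(text)
    print("unauthorized managers:", ", ".join(rogue) if rogue else "none")
```

A non-empty result means the host has an agent enrolled to a manager you do not run; on a fleet, the same check can be pushed out by your endpoint management tooling and the result collected centrally.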

The malware that dropped the miner onto the victim's device also let the attackers collect the computer and user names, OS version and architecture, processor name, GPU data, and the installed antivirus software. This data was sent to a Telegram bot controlled by the attackers. Some versions of the malware could also take screenshots of the desktop or install browser extensions used to substitute cryptocurrency wallet addresses.
