
SilentCryptoMiner Targets 2,000 Russian Users Through Fake VPN and DPI Bypass Tools


A new large-scale malware campaign is actively targeting unsuspecting users with a cryptocurrency miner known as SilentCryptoMiner, disguised as a legitimate tool for bypassing internet restrictions and censorship.


According to Kaspersky, cybercriminals are leveraging Windows Packet Divert (WPD) tools to distribute malware, tricking users into believing they are downloading restriction-bypassing software.

 

"Such software is often bundled with installation instructions that advise users to disable security solutions due to alleged false positives. This benefits attackers, allowing them to infiltrate systems undetected," said researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev of Kaspersky.


Cybercriminals Using DPI Bypass Tools to Spread Malware

The tactic of disguising malware as VPN or DPI bypass tools has been widely used in past campaigns to distribute stealers, remote access trojans (RATs), and cryptocurrency miners, including families such as NJRat, XWorm, Phemedrone, and DCRat.


The latest attack wave has compromised over 2,000 Russian users, with the miner being distributed as a fake deep packet inspection (DPI) bypass tool. Cybercriminals promoted the malicious software through a YouTube channel with 60,000 subscribers, directing users to a harmful archive file.



SilentCryptoMiner Escalates Attacks via YouTube and Telegram

Since November 2024, attackers have refined their tactics by impersonating developers of restriction bypass tools. They have also been seen issuing fake copyright strike warnings to YouTube channel owners, coercing them into sharing videos containing malicious download links under the threat of channel takedown.


By December 2024, reports emerged that a variant of the miner was spreading through multiple Telegram and YouTube channels, many of which have since been taken down.


How SilentCryptoMiner Operates

The malware is bundled within booby-trapped archives containing an extra executable. Attackers modify one of the legitimate batch scripts to launch the executable via PowerShell. If an installed antivirus detects and removes the malicious binary, users are misled by an error message prompting them to disable security software and re-download the file.


The attack chain follows these steps:

  1. Python-based Loader: Executes a secondary Python script that downloads the SilentCryptoMiner payload.

  2. Sandbox Evasion: The malware first verifies whether it's running in a virtualized environment.

  3. Windows Defender Bypass: Configures exclusions to evade detection.

  4. Payload Deployment: The miner, built on XMRig, is padded with random data blocks that artificially inflate its file size to 690 MB, so that automated security scanners with file-size limits skip it.

 

"For stealth, SilentCryptoMiner uses process hollowing to inject its miner code into a system process, specifically dwm.exe. It can also halt mining activity when specific applications are running and is remotely controllable via a web panel," Kaspersky reported.


Key Takeaways and Security Recommendations

  • Avoid downloading VPN and DPI bypass tools from unverified sources.

  • Do not disable security software based on installation instructions.

  • Be cautious of YouTube and Telegram channels promoting software downloads.

  • Monitor system processes for unusual activity, particularly dwm.exe.

  • Keep antivirus and endpoint security solutions updated to detect emerging threats.


As cybercriminals continuously evolve their tactics, users must stay vigilant against deceptive malware campaigns exploiting trust in privacy-enhancing tools.