Full Report
Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos. [...]
Analysis Summary
# Tool/Technique: SilentCryptoMiner
## Overview
SilentCryptoMiner is a cryptocurrency mining malware observed being distributed through extortion scams targeting YouTubers. Threat actors use copyright strike threats against content creators to coerce them into embedding malicious links or files in their videos or descriptions, leading to the download and execution of the miner. The primary goal is to secretly mine cryptocurrencies like ETH, ETC, XMR, and RTM on the victims' machines.
## Technical Details
- Type: Malware family (Cryptominer)
- Platform: Windows
- Capabilities: Cryptocurrency mining (ETH, ETC, XMR, RTM), antivirus/sandbox evasion, persistence via Windows Service, dynamic configuration updates.
- First Seen: Undetermined (Information based on a recent Kaspersky report referencing observed activity).
## MITRE ATT&CK Mapping
*Note: The article describes a multi-stage campaign; the mapping below covers only the behaviors it actually reports.*
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell (`general.bat` hands off to PowerShell)
- T1059.006 - Command and Scripting Interpreter: Python (Python-based loader)
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Windows Service (`DrvSvc`)
- **TA0005 - Defense Evasion**
- T1027.001 - Obfuscated Files or Information: Binary Padding (second-stage loader bloated to 690 MB; this is padding to defeat scanner size limits, not packing)
- T1055.012 - Process Injection: Process Hollowing (into `dwm.exe`)
- T1497 - Virtualization/Sandbox Evasion (VM and sandbox checks)
- T1562.001 - Impair Defenses: Disable or Modify Tools (adding a Microsoft Defender exclusion)
- **TA0007 - Discovery**
- T1614 - System Location Discovery (second stage served only to Russian IP addresses; closest ATT&CK fit for a server-side geo check)
- **TA0011 - Command and Control**
- T1102.001 - Web Service: Dead Drop Resolver (configuration fetched from Pastebin every 100 minutes)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (CPU used to mine ETH, ETC, XMR and RTM)
- Credential access (e.g. T1003), lateral movement and exfiltration are not described in the source and are therefore not mapped.
## Functionality
### Core Capabilities
- **Initial Infection:** Deployed via a Python-based loader; a modified `general.bat` start script launches PowerShell, which runs the loader.
- **Geofencing:** The initial loader fetches the second-stage payload only for Russian IP addresses.
- **Persistence:** Creates a Windows service named 'DrvSvc'.
- **Payload Delivery:** Downloads the final payload, SilentCryptoMiner, which is a modified version of XMRig.
### Advanced Features
- **Evasion via Bloating:** The second-stage loader executable is bloated to 690 MB to bypass static analysis by antivirus solutions.
- **Anti-Analysis:** Includes checks against virtual machines and sandboxes.
- **Defender Exclusion:** Automatically adds a Microsoft Defender exclusion so the miner's files are never scanned; Defender itself stays running, which makes the change easy to miss.
- **Process Injection:** Injects the final miner into a legitimate system process, such as `dwm.exe`, using process hollowing.
- **Dynamic Updates:** Fetches remote configurations from Pastebin every 100 minutes for dynamic updates.
- **Operational Evasion:** Pauses mining activity when system monitoring tools like Process Explorer and Task Manager are launched.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `general.bat` (start script), final payload executable.
- Registry Keys: [Not provided in the text]
- Network Indicators: Pastebin URLs (source for configuration updates)
- Behavioral Indicators: Creation of a Windows service named 'DrvSvc'; a new Microsoft Defender exclusion; process hollowing into `dwm.exe` (a `dwm.exe` instance whose parent is not `winlogon.exe`); periodic Pastebin lookups from a process that has no reason to contact it; sustained high CPU use that drops when Task Manager or Process Explorer is opened; processes launched under non-standard parents.
## Associated Threat Actors
The distributors are unnamed criminals who use copyright-strike extortion against YouTubers as their initial access vector. No specific threat actor group is named; Kaspersky telemetry shows the campaign mostly hit Russian victims.
## Detection Methods
- Signature-based detection: Known hashes of the Python loader or the modified XMRig build. The 690 MB bloat exists to push the loader past the size limits of static scanners, so do not rely on static scanning alone.
- Behavioral detection: Service installation events (System log Event ID 7045) for a service named 'DrvSvc'; Microsoft Defender configuration-change events (Event ID 5007) whose new value adds an exclusion; `dwm.exe` instances whose parent is not `winlogon.exe`; periodic DNS or HTTP traffic to Pastebin from a system process; sustained CPU load that stops when Task Manager or Process Explorer starts.
- YARA rules: Size bloating is a poor YARA target on its own (a bare `filesize` condition matches far too much); pair XMRig-specific strings with a `filesize` condition instead.
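The behavioral indicators above can be turned into concrete rules. The block below is an added example written for this page, not code from the report or from Kaspersky: it runs a small rule set over constructed, simplified event records (the flat field names are an assumption standing in for a normalised SIEM export of the System log, the Defender Operational log and Sysmon) and escalates a host only when several independent behaviors line up, since any single hit is too weak to page on.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data). Field names are assumed and
# mirror a normalised SIEM export, not any vendor's exact schema.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_EVENTS = [
    {"host": "ws-17", "channel": "System", "event_id": 7045,
     "service_name": "DrvSvc", "image_path": "C:\\ProgramData\\DrvSvc\\drv.exe"},
    {"host": "ws-17", "channel": DEFENDER, "event_id": 5007,
     "message": ("Microsoft Defender Antivirus Configuration has changed. New value: "
                 "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                 "C:\\ProgramData\\DrvSvc = 0x0")},
    {"host": "ws-17", "channel": SYSMON, "event_id": 1,
     "image": "C:\\Windows\\System32\\dwm.exe",
     "parent_image": "C:\\ProgramData\\DrvSvc\\drv.exe"},
    {"host": "ws-17", "channel": SYSMON, "event_id": 22,
     "image": "C:\\Windows\\System32\\dwm.exe", "query_name": "pastebin.com"},
    {"host": "ws-17", "channel": SYSMON, "event_id": 1,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "parent_command_line": "cmd.exe /c C:\\Users\\u\\Downloads\\tool\\general.bat"},
    # Benign activity on a second host; none of it should fire.
    {"host": "ws-02", "channel": "System", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    {"host": "ws-02", "channel": SYSMON, "event_id": 1,
     "image": "C:\\Windows\\System32\\dwm.exe",
     "parent_image": "C:\\Windows\\System32\\winlogon.exe"},
    {"host": "ws-02", "channel": SYSMON, "event_id": 22,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "query_name": "www.youtube.com"},
]

SUSPECT_SERVICES = {"drvsvc"}                     # service name from the report
DEAD_DROP_DOMAINS = {"pastebin.com"}              # config source from the report
EXPECTED_PARENT = {"dwm.exe": {"winlogon.exe"}}   # legitimate launcher of dwm.exe
EXCLUSION_RE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _finding(ev, rule, detail):
    return {"host": ev["host"], "rule": rule, "detail": detail}


def rule_service_install(ev):
    # System 7045: 'A service was installed in the system.'
    if ev["channel"] == "System" and ev["event_id"] == 7045 \
            and ev.get("service_name", "").lower() in SUSPECT_SERVICES:
        return _finding(ev, "suspicious_service_install",
                        f"{ev['service_name']} -> {ev.get('image_path')}")


def rule_defender_exclusion(ev):
    # Defender 5007 logs configuration changes; an Exclusions\* key in the
    # new value means something was carved out of scanning.
    if ev["channel"] == DEFENDER and ev["event_id"] == 5007 \
            and EXCLUSION_RE.search(ev.get("message", "")):
        return _finding(ev, "defender_exclusion_added",
                        ev["message"].split("New value: ")[-1])


def rule_hollowed_parent(ev):
    # Sysmon cannot see hollowing itself; a system binary started by the wrong
    # parent is the observable side effect of the loader spawning its own
    # suspended dwm.exe to host the miner.
    if ev["channel"] == SYSMON and ev["event_id"] == 1:
        child, parent = _basename(ev.get("image")), _basename(ev.get("parent_image"))
        allowed = EXPECTED_PARENT.get(child)
        if allowed and parent not in allowed:
            return _finding(ev, "unexpected_parent_for_system_process", f"{parent} -> {child}")


def rule_dead_drop_dns(ev):
    # Sysmon 22 (DNS query): dwm.exe has no reason to resolve pastebin.com.
    if ev["channel"] == SYSMON and ev["event_id"] == 22:
        q = ev.get("query_name", "").lower()
        if any(q == d or q.endswith("." + d) for d in DEAD_DROP_DOMAINS):
            return _finding(ev, "dead_drop_dns", f"{_basename(ev.get('image'))} -> {q}")


def rule_bat_to_powershell(ev):
    # The report's start script is general.bat handing off to PowerShell.
    if ev["channel"] == SYSMON and ev["event_id"] == 1 \
            and _basename(ev.get("image")) == "powershell.exe" \
            and "general.bat" in ev.get("parent_command_line", "").lower():
        return _finding(ev, "general_bat_launched_powershell", ev["parent_command_line"])


RULES = (rule_service_install, rule_defender_exclusion, rule_hollowed_parent,
         rule_dead_drop_dns, rule_bat_to_powershell)


def run_rules(events):
    """Apply every rule to every event; returns the list of findings."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


def triage(events):
    """Distinct rule hits per host, so the analyst sees the chain rather than noise."""
    hits = defaultdict(set)
    for f in run_rules(events):
        hits[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in hits.items()}


def escalate(per_host, min_rules=2):
    """Hosts where at least min_rules independent behaviors line up."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['detail']}")
    print("escalate:", escalate(triage(SAMPLE_EVENTS)))
```

The parent check is deliberately a whitelist rather than a blacklist: the loader can be renamed, but `dwm.exe` is always started by `winlogon.exe` on a healthy host, so anything else is worth a look. The `min_rules` threshold is the knob to tune against your own false-positive rate; a lone Pastebin lookup from a browser is normal, the same lookup from `dwm.exe` on a host that just installed `DrvSvc` is not.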
## Mitigation Strategies
- Avoid downloading/executing software or scripts linked in YouTube video descriptions, especially from channels potentially subject to blackmail or scams.
- Implement strict application allow-listing policies.
- Ensure comprehensive endpoint detection and response (EDR) solutions capable of detecting process injection (like process hollowing) and service creation.
- Alert on Microsoft Defender exclusion additions and other configuration changes that weaken endpoint protection, since this campaign leaves Defender running and simply carves its files out of scanning.
## Related Tools/Techniques
- XMRig (Base technology for the miner)
- Other malware distributed via social engineering/software bundling.