Cybercriminals are distributing a miner disguised as a restriction-bypassing tool

In recent months, the landscape of network traffic management on Windows systems has witnessed a notable shift, particularly within Russia. The use of Windows Packet Divert drivers, which allow users to intercept and modify network traffic, has surged dramatically. Between August 2023 and January 2024, detections of these drivers have nearly doubled, primarily driven by their application in tools aimed at circumventing access restrictions to foreign resources.

This rising trend has not escaped the attention of cybercriminals, who have begun to exploit the situation by distributing malware disguised as these bypassing tools. A particularly concerning tactic involves blackmailing bloggers to promote these malicious programs. Consequently, viewers of videos titled “How to bypass restrictions…” should exercise heightened caution, as even well-regarded content creators may inadvertently share harmful software, including stealers and miners.

Hackers disguised as honest developers

Numerous software solutions exist to help users bypass access restrictions to foreign platforms, yet they often share a common origin: small-time developers. These programs tend to gain traction organically; an enthusiastic coder crafts a solution, shares it with friends, and creates a video tutorial. Suddenly, an unknown programmer can become a celebrated figure within the community, amassing thousands of stars on GitHub as users express gratitude for restoring access to their beloved online resources. However, this phenomenon has also been exploited by cybercriminals who boost GitHub repositories containing malware.

With potentially dozens or even hundreds of such developers emerging, questions arise regarding their trustworthiness. A significant warning sign is when these developers suggest disabling antivirus protection. Allowing a potential hacker access to your device by disabling security measures is a perilous gamble.

Behind the façade of a benevolent developer may lurk a hacker seeking profit. Unprotected devices become susceptible to various malware families, including NJRat, XWorm, Phemedrone, and DCRat, which are frequently disseminated alongside these bypassing tools.

Where do bloggers fit in?

Our investigation has uncovered an active campaign distributing miners that has affected at least two thousand victims in Russia. One notable source of infection was a YouTube channel boasting 60,000 subscribers. The blogger posted several videos on bypassing restrictions, complete with a link to a malicious archive in the description. These videos collectively garnered over 400,000 views. Eventually, the channel owner removed the link, leaving behind a note stating: “Download the file here: (program does not work)”. Initially, the link directed users to a fraudulent site, gitrok[.]com, where the infected archive was hosted. At the time of our study, the bypassing tool had been downloaded over 40,000 times.

It’s essential not to place all the blame on the bloggers; in this instance, they were merely following the directives of cybercriminals without realizing the implications. The process typically unfolds as follows: criminals file a complaint against a video discussing a restriction-bypassing tool, posing as the software’s developers. They then persuade the video creator to upload a new video, this time linking to their malicious website, claiming it is the sole official download page. Unbeknownst to the bloggers, this site distributes malware, specifically an archive containing a miner. For those who have already posted multiple videos on the topic, refusal is not an option, as hackers threaten to file additional complaints that could lead to channel deletion.

Furthermore, these criminals disseminate their malware and installation instructions through various Telegram and YouTube channels. While many of these channels have been removed, nothing prevents new ones from appearing in their place.

What about the miner?

The malware in question is a variant of SilentCryptoMiner, which we previously discussed in October 2024. This stealthy miner, based on the open-source mining tool XMRig, supports the mining of several popular cryptocurrencies, including ETH, ETC, XMR, and RTM. The malware is designed to halt mining activities upon detecting specific processes, a list that criminals can modify remotely to evade detection. This capability renders it nearly impossible to identify without robust protection.

For further insights into the malicious archive and its persistence within systems, please refer to our detailed post on Securelist.

How to protect yourself from miners

  • Ensure that all personal devices have trusted protection to safeguard against miners and other malware.
  • Avoid downloading programs from obscure or little-known sources. Stick to official platforms, but remain vigilant—malware can infiltrate even reputable sites.
  • Keep in mind that even the most reputable bloggers can unknowingly spread malware, including miners and stealers.

Here are some relevant articles you can read to learn more about miners and their dangers:

  • Mario Forever, malware too: a free game with a miner and Trojans inside
  • XMRig Miner as a New Year’s gift
  • Prices down, miners up