Security researchers have disclosed a malware campaign that coerces popular YouTubers into distributing the SilentCryptoMiner malware disguised as tools for bypassing internet restrictions. The campaign has already infected over 2,000 victims in Russia, and the real number is believed to be significantly higher.
The malware is distributed disguised as restriction bypass utilities that rely on Windows Packet Divert drivers, a technology that has gained traction in tools for circumventing access limitations. The scale of the potential audience is underscored by over 2.4 million detections of such drivers on user devices within the last six months.
One particularly troubling tactic is the way the threat actors file copyright complaints against videos that show how to use bypass tools, then threaten the creators with channel termination unless they post videos linking to the infected files. This blackmail scheme has effectively borrowed the reputations of well-known YouTubers with substantial followings to lend the malicious downloads credibility.
In a documented instance, a YouTuber with 60,000 subscribers uploaded several videos detailing methods for bypassing restrictions, each with a link to a malicious archive in the description. These videos garnered over 400,000 views before the link was replaced with the message “program does not work.” The original link pointed to gitrok[.]com, from which the infected archive had been downloaded more than 40,000 times.
According to researchers at Securelist, the infection typically begins with an archive containing a modified start script that launches a malicious executable via PowerShell. If a security product has already removed that executable, the script tells the user to disable antivirus protection, displaying the message: “File not found, disable all antiviruses and re-download the file, that will help!” A tool that asks for this is itself a reliable warning sign.
Malware Chain
The infection chain is multi-staged. The initial loader is written in Python, packaged into an executable with PyInstaller, and often obfuscated with PyArmor. The first-stage loader contains code like the following (the long hex literal is truncated here):
import os
import subprocess
import sys
import ctypes
import base64

# Hex-encoded blob; shown truncated with "..." (the full sample is much longer).
# os, subprocess, sys and ctypes are not used in this fragment; they serve the decoded stage.
cmb8F2SLqf1 = '595663786432497a536a424...335331453950513d3d'
# Layer 1: hex -> ASCII text, which is itself a base64 string
decoded_hex = bytes.fromhex(cmb8F2SLqf1).decode()
# Layer 2: base64 -> another base64 string
step1 = base64.b64decode(decoded_hex).decode()
# Layer 3: base64 -> Python source, run in-process so nothing is written to disk
exec(base64.b64decode(step1).decode())
This loader retrieves the second-stage payload from domains including canvas[.]pet and swapme[.]fun.
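The loader above peels three encoding layers and hands the result straight to exec(). The following Python is an added example, not code from the page or from the Securelist write-up: it unwraps the same hex -> base64 -> base64 chain statically, with strict validation and without executing anything, then lists the hosts the recovered stage refers to. The loader text it parses and the stage-two stub it recovers are constructed here to exercise the decoder; only the two defanged domain names come from the article, and the variable name cmb8F2SLqf1 is kept from the snippet above.

```python
import base64
import re

# Constructed stand-in for the decoded final stage. It is NOT the real payload; it only
# mentions the two defanged domains the article names so the extractor has something to find.
STAGE2_SOURCE = (
    "import urllib.request\n"
    "URLS = ['https://canvas[.]pet/x', 'https://swapme[.]fun/y']\n"
)


def build_loader_blob(source: str) -> str:
    """Wrap source the way the loader does: base64 -> base64 -> hex (used only to build the sample)."""
    inner = base64.b64encode(source.encode()).decode()
    outer = base64.b64encode(inner.encode()).decode()
    return outer.encode().hex()


# Constructed loader text in the same shape as the snippet on the page.
LOADER_SOURCE = (
    "import base64\n"
    f"cmb8F2SLqf1 = '{build_loader_blob(STAGE2_SOURCE)}'\n"
    "decoded_hex = bytes.fromhex(cmb8F2SLqf1).decode()\n"
    "step1 = base64.b64decode(decoded_hex).decode()\n"
    "exec(base64.b64decode(step1).decode())\n"
)

HEX_LITERAL_RE = re.compile(r"=\s*'([0-9a-fA-F]{16,})'")
HEX_ONLY_RE = re.compile(r"[0-9a-fA-F]+")
URL_HOST_RE = re.compile(r"https?://([\w\[\].-]+)")


def peel(blob: str, max_layers: int = 10) -> tuple[str, list[str]]:
    """Statically unwrap hex and base64 layers; stop at the first layer that is neither.

    Nothing is executed: each layer is decoded with strict validation, so the result is
    the plaintext the loader would have passed to exec()."""
    layers: list[str] = []
    cur = blob
    for _ in range(max_layers):
        if not cur:
            break
        if HEX_ONLY_RE.fullmatch(cur) and len(cur) % 2 == 0:
            try:
                cur = bytes.fromhex(cur).decode("utf-8")
            except UnicodeDecodeError:
                break
            layers.append("hex")
            continue
        try:
            # validate=True rejects anything outside the base64 alphabet, so real source
            # code (spaces, quotes, newlines) ends the loop instead of being mangled.
            nxt = base64.b64decode(cur, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append("base64")
        cur = nxt
    return cur, layers


def extract_hosts(source: str) -> list[str]:
    """Collect URL hosts referenced by a recovered stage (left defanged as found)."""
    return sorted(set(URL_HOST_RE.findall(source)))


def analyze_loader(loader_source: str) -> dict:
    """Find the large hex literal in a loader, peel it, and summarise what came out."""
    m = HEX_LITERAL_RE.search(loader_source)
    if not m:
        raise ValueError("no hex literal of loader shape found")
    stage, layers = peel(m.group(1))
    return {
        "layers": layers,                # order in which the encodings were removed
        "stage": stage,                  # recovered plaintext of the next stage
        "hosts": extract_hosts(stage),
        "calls_exec": "exec(" in stage,  # a nested loader would show another exec()
    }


if __name__ == "__main__":
    report = analyze_loader(LOADER_SOURCE)
    print("layers:", " -> ".join(report["layers"]))
    print("hosts:", report["hosts"])
    print(report["stage"])
```

Running it against a real sample means pointing analyze_loader at the Python source recovered from the PyInstaller bundle (after PyArmor has been dealt with); if calls_exec comes back True, the recovered stage is another wrapper and peel should be applied to its literal in turn.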
The malware employs anti-VM checks, adds directories to Windows Defender exclusions, and downloads SilentCryptoMiner, which uses process hollowing to inject its payload into a system process such as dwm.exe. The miner can mine several cryptocurrencies and is built for stealth, pausing its activity while certain programs are running.
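Two of the behaviours just described leave telemetry a defender can hunt on. The following Python is an added example, not from the page or the Securelist report. It runs two rules over constructed process-creation events in the shape of Sysmon Event ID 1 fields (image, parent image, command line): a Defender exclusion added through the Add-MpPreference cmdlet, which is an assumption about how the exclusion is set since the article does not name the mechanism, and a dwm.exe started by something other than winlogon.exe or from outside System32, the shape a hollowed host process takes (baseline assumption: a legitimate dwm.exe is launched by winlogon.exe from System32). The user paths and svc.exe are hypothetical names, and the example goes one step beyond the text by correlating the two rules.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 style); values are constructed."""
    image: str
    parent_image: str
    cmdline: str


# Constructed sample telemetry; the user directory and svc.exe are hypothetical.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\dwm.exe", r"C:\Windows\System32\winlogon.exe", "dwm.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath 'C:\Users\u\AppData\Roaming\X'"),
    ProcEvent(r"C:\Windows\System32\dwm.exe", r"C:\Users\u\AppData\Roaming\X\svc.exe", "dwm.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", "powershell -Command Get-Process"),
]

EXCLUSION_ARG_RE = re.compile(
    r'''-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))''',
    re.IGNORECASE,
)
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def exclusions_from_cmdline(cmdline: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every Defender exclusion a command line adds."""
    if "add-mppreference" not in cmdline.lower():
        return []
    found = []
    for kind, q1, q2, bare in EXCLUSION_ARG_RE.findall(cmdline):
        raw = q1 or q2 or bare
        found.extend((kind.lower(), v.strip()) for v in raw.split(",") if v.strip())
    return found


def dwm_anomaly(ev: ProcEvent) -> list[str]:
    """Reasons a dwm.exe launch looks like a hollowed host rather than the real compositor."""
    if basename(ev.image) != "dwm.exe":
        return []
    reasons = []
    if not ev.image.lower().startswith(SYSTEM32):
        reasons.append("image outside System32")
    if basename(ev.parent_image) != "winlogon.exe":  # baseline assumption, see lead-in
        reasons.append(f"unexpected parent {basename(ev.parent_image)}")
    return reasons


def hunt(events: list[ProcEvent]) -> list[dict]:
    findings = []
    excluded_dirs = []
    for ev in events:
        for kind, value in exclusions_from_cmdline(ev.cmdline):
            if kind == "path":
                excluded_dirs.append(value.lower().rstrip("\\") + "\\")
            findings.append({"rule": "defender_exclusion_added", "severity": "medium",
                             "kind": kind, "value": value, "by": basename(ev.image)})
    for ev in events:
        reasons = dwm_anomaly(ev)
        if not reasons:
            continue
        severity = "medium"
        # Correlate: a suspicious dwm.exe whose parent sits inside a directory that was just
        # excluded from scanning is the combination the chain described above produces.
        if any(ev.parent_image.lower().startswith(d) for d in excluded_dirs):
            reasons.append("parent lives in a newly excluded directory")
            severity = "high"
        findings.append({"rule": "dwm_unexpected_launch", "severity": severity,
                         "image": ev.image, "parent": ev.parent_image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The parent check is only a first filter: process hollowing replaces the image in memory after the process is created, so a dwm.exe with a normal parent can still be hollowed, and memory-level checks (image base not backed by the on-disk file) are needed to confirm.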
Security experts advise extreme caution with restriction bypass tools, which are increasingly used as delivery vehicles for malware.