
SilentCryptoMiner malware spread via YouTuber extortion


YouTubers who publish videos on using the increasingly popular Windows Packet Divert (WPD) tools to bypass Russian government-imposed internet restrictions are being blackmailed through bogus copyright claims into distributing SilentCryptoMiner, a variant of the XMRig cryptominer. The campaign has already affected more than 2,000 victims across Russia, BleepingComputer reports.

Attackers posing as WPD tool developers filed copyright claims against the YouTube creators, which could only be resolved by including new download links on their respective videos, an analysis from Kaspersky revealed.

Such links redirected to GitHub repositories with the trojanized WPD tools that deploy a Python-based malware loader through PowerShell.

If execution of the trojanized tool is interrupted, an error message urges the target to disable antivirus protection and download and run the file again, after which the second-stage loader is retrieved.

Aside from monitoring for sandbox and virtual machine environments, the oversized payload also disables Microsoft Defender and establishes a Windows service for persistence before delivering SilentCryptoMiner to compromise various cryptocurrency assets.

Such a technique could be adapted to facilitate more widespread campaigns, according to Kaspersky researchers.
