SilentCryptoMiner

By visiting pirated movie and TV show streaming sites, users are met with a fake alert claiming their video player plugin is out of date. One click on that fake update button kicks off an infection.

The infection chain leveraged a fake update for a video player plugin. When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue. Clicking the link downloaded a ZIP archive.

operators retain full authority to run arbitrary commands or custom shellcode remotely

powercfg / x - hibernate - timeout - ac 0 ... powercfg / x - standby - timeout - dc 0

a hidden function inside the file actively triggers a strategic stack overflow ... This overflow systematically builds a customized return-oriented programming chain to decrypt the primary payload

users attempting to watch videos encounter a deceptive alert about an outdated application ... fake browser crash pages to trigger downloads ... Once a victim runs the installer, an intricate execution process unfolds silently

Актуальная версия загружаемого вредоносного ПО представляет собой ZIP-архив, содержащий легитимный .exe-файл и вредоносную DLL-библиотеку. При запуске исполняемого файла библиотека подгружается в его процесс, после чего начинается выполнение вредоносной логики.

To prevent MSRT from being automatically installed during the next update, the DontOfferThroughWUAU parameter is created with a value of 1 under the HKLM\Software\Policies\Microsoft\MRT registry key.

To stay on the device, the malware registers itself as a fake Google service named GoogleUpdateTaskMachineQC, which launches automatically at every system startup.

...настраивается автозагрузка копии майнера из этой папки путем добавления записи в HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Once full control is established, the malware injects separate sub-components into core processes

The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.

To stay on the device, the malware registers itself as a fake Google service named GoogleUpdateTaskMachineQC, which launches automatically at every system startup.

...настраивается автозагрузка копии майнера из этой папки путем добавления записи в HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

standard user runs will continuously trigger intrusive privilege prompts . This aggressive routine loops every three minutes until the victim yields control

the malicious library file contains significant amounts of generated junk code . This random data deliberately inflates the asset size to frustrate automated sandbox analysis

the attackers craft custom network packets to disguise this traffic as standard communication . For instance, the outbound queries mimic connections to legitimate domains like microsoft.com

Once full control is established, the malware injects separate sub-components into core processes

The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.

It kills Microsoft's Malicious Software Removal Tool (MSRT) by calling ZwSetInformationFile with the FileDispositionInformation type, which causes the mrt.exe file to be deleted upon closing.

Only after receiving a specific approval signal from the server does the malware proceed, showing that attackers carefully filter targets to avoid tripping security test environments.

this shellcode reflectively loads the main module completely inside system memory

To prevent MSRT from being automatically installed during the next update, the DontOfferThroughWUAU parameter is created with a value of 1 under the HKLM\Software\Policies\Microsoft\MRT registry key.

the main module gathers basic processor metadata and disk serial numbers

Only after receiving a specific approval signal from the server does the malware proceed, showing that attackers carefully filter targets to avoid tripping security test environments.

The command-and-control addresses used to receive these commands follow this format: http://{domain}.space/index.php?authorization=1

Адреса управления, с которых происходит получение команд, имеют следующий вид: http://{domain}.space/index.php?authorization=1

It then transmits this hardware information by utilizing advanced DNS tunneling techniques

The decrypted data contains a malicious payload, as well as its RSA-SHA256 signature... The table below lists the four remote control commands... 2 Reflexive execution of the provided PE file within the explorer.exe process 3 Execution of the provided shellcode

a remote access trojan agent handles direct operator communications ... operators retain full authority to run arbitrary commands or custom shellcode remotely

This agent utilizes dynamically generated domains to receive administrative instructions

The core payload is a modified version of an open-source cryptocurrency miner called SilentCryptoMiner. Once active, it silently uses the victim’s CPU and GPU to mine cryptocurrency without the user noticing.

If running with administrator rights, the threat disables built-in operating system security utilities . It actively deletes Microsoft’s Malicious Software Removal Tool