SIEM agent being used in SilentCryptoMiner attacks

Oct. 7, 2024, 9:33 a.m.

Description

A global malware campaign targeting mainly Russian-speaking users has been distributing cryptocurrency mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain uses unusual techniques for persistence and evasion, including hiding malicious payloads in legitimate file signatures and abusing the Wazuh SIEM agent as a backdoor. The final payload injects the SilentCryptoMiner into explorer.exe to mine cryptocurrencies like Monero. The attackers use SEO poisoning, social engineering, and multiple persistence mechanisms to maintain access. While primarily focused on cryptomining, some variants can also steal cryptocurrency wallet addresses and take screenshots.
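The indicators on this page are the first thing a responder wants to sweep for, and the Wazuh-agent abuse described above suggests a second check: an agent binary running from an unexpected location or reporting to a manager your organisation does not own. The script below is an added example, not code from the original report. It matches the page's SHA256 and URLs against constructed JSON-lines telemetry and adds two assumed heuristics for the agent; the log format, the standard agent install directory (`C:\Program Files (x86)\ossec-agent`), the binary names, the manager allow-list and the sample events are all assumptions or constructed data, not facts stated on the page.

```python
"""IOC sweep for the SilentCryptoMiner indicators listed on this page.

Added example, not code from the original report. The JSON-lines log
format is constructed for illustration, and the Wazuh agent heuristics
(install path, binary names, manager allow-list) are assumptions about a
typical Windows deployment, not facts from the page.
"""
import json
from urllib.parse import urlsplit

# Indicators taken from this page.
SHA256_IOCS = {
    "4fc90290ee0c503c00448df7a3a84c1a88f07ba776dad08dfe43dd3e960d105c",
}
URL_IOCS = {
    "http://nyaera.ru/wp-includes/uploads/art/utorrent.zip",
    "http://nyaera.ru/wp-includes/uploads/My/MS-Excel.zip",
}
IOC_HOSTS = {urlsplit(u).hostname for u in URL_IOCS}

# Assumptions (not from the page): where a legitimate Wazuh Windows agent
# normally lives, and which manager addresses agents are allowed to use.
EXPECTED_AGENT_DIR = r"c:\program files (x86)\ossec-agent"
ALLOWED_MANAGERS = {"siem.corp.example"}  # hypothetical allow-list
AGENT_BINARIES = {"wazuh-agent.exe", "ossec-agent.exe"}  # assumed names


def normalize_url(url):
    """Lower-case scheme and host, keep the path, drop query/fragment."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"


NORMALIZED_URL_IOCS = {normalize_url(u) for u in URL_IOCS}


def check_event(ev):
    """Return a list of (rule, detail) hits for one parsed log event."""
    hits = []
    kind = ev.get("type")
    if kind == "file" and str(ev.get("sha256", "")).lower() in SHA256_IOCS:
        hits.append(("ioc_hash", ev["sha256"]))
    if kind == "http":
        url = str(ev.get("url", ""))
        if normalize_url(url) in NORMALIZED_URL_IOCS:
            hits.append(("ioc_url", url))          # exact staging URL
        elif (urlsplit(url).hostname or "").lower() in IOC_HOSTS:
            hits.append(("ioc_host", url))         # same host, other path
    if kind == "process":
        image = str(ev.get("image", "")).lower()
        name = image.rsplit("\\", 1)[-1]
        # Assumed heuristic: an agent binary outside its install directory,
        # or one pointed at a manager you do not run, deserves a look.
        if name in AGENT_BINARIES:
            if not image.startswith(EXPECTED_AGENT_DIR):
                hits.append(("agent_unexpected_path", image))
            mgr = ev.get("manager")
            if mgr and mgr not in ALLOWED_MANAGERS:
                hits.append(("agent_unknown_manager", mgr))
    return hits


def scan(lines):
    """Parse JSON-lines telemetry; return hits as (line_no, rule, detail)."""
    out = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        for rule, detail in check_event(ev):
            out.append((n, rule, detail))
    return out


# Constructed sample telemetry (not real logs). Line 1 is blank on purpose.
SAMPLE_LOG = """
{"type":"http","url":"http://NYAERA.RU/wp-includes/uploads/art/utorrent.zip?x=1"}
{"type":"http","url":"http://nyaera.ru/other/path.zip"}
{"type":"http","url":"https://example.org/"}
{"type":"file","sha256":"4FC90290EE0C503C00448DF7A3A84C1A88F07BA776DAD08DFE43DD3E960D105C"}
{"type":"process","image":"C:\\\\Users\\\\x\\\\AppData\\\\Roaming\\\\wazuh-agent.exe","manager":"198.51.100.7"}
{"type":"process","image":"C:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe","manager":"siem.corp.example"}
not json
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The URL match is deliberately two-tier: an exact (normalised) hit on one of the listed staging URLs is high confidence, while any other request to the same host is reported separately so it can be triaged rather than auto-blocked. Feed real telemetry through `scan()` one event per line; anything that is not JSON is skipped rather than stopping the sweep.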

Date

Published: Oct. 7, 2024, 9:06 a.m.

Created: Oct. 7, 2024, 9:06 a.m.

Modified: Oct. 7, 2024, 9:33 a.m.

Indicators

SHA256: 4fc90290ee0c503c00448df7a3a84c1a88f07ba776dad08dfe43dd3e960d105c

URL: http://nyaera.ru/wp-includes/uploads/art/utorrent.zip

URL: http://nyaera.ru/wp-includes/uploads/My/MS-Excel.zip

Attack Patterns

SilentCryptoMiner (malware family)

T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1608.001 Stage Capabilities: Upload Malware

T1053.005 Scheduled Task/Job: Scheduled Task

T1059.005 Command and Scripting Interpreter: Visual Basic

T1204.001 User Execution: Malicious Link

T1059.003 Command and Scripting Interpreter: Windows Command Shell

T1497 Virtualization/Sandbox Evasion

T1113 Screen Capture

T1518.001 Software Discovery: Security Software Discovery

T1204.002 User Execution: Malicious File

T1496 Resource Hijacking

T1055 Process Injection

T1027 Obfuscated Files or Information

T1041 Exfiltration Over C2 Channel

Additional Information

Mozambique

British Indian Ocean Territory

Algeria

Uzbekistan

India

Belarus

Germany

Kazakhstan

Russian Federation