SIEM agent being used in SilentCryptoMiner attacks
Oct. 7, 2024, 9:33 a.m.
Description
A global malware campaign aimed mainly at Russian-speaking users distributes cryptocurrency mining malware through fake software download sites, Telegram channels and YouTube videos. The multi-stage infection chain relies on unusual persistence and evasion techniques, including hiding malicious payloads inside the signatures of legitimate files and abusing the Wazuh SIEM agent as a backdoor. The final payload injects SilentCryptoMiner into explorer.exe to mine cryptocurrencies such as Monero. The attackers combine SEO poisoning, social engineering and several persistence mechanisms to maintain access. Although the campaign is primarily focused on cryptomining, some variants also steal cryptocurrency wallet addresses and take screenshots.
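The Wazuh agent abuse noted above gives defenders a concrete hunt: an agent enrolled with a manager the organisation does not operate is a remote-control channel, regardless of how legitimate the agent binary is. The following Python is an added example, not code from the original entry or from the Wazuh project. It parses an ossec.conf-style fragment (constructed here; the RFC 5737 address 203.0.113.10 stands in for an attacker-controlled manager) and flags any manager address that is not on an assumed allowlist (siem.corp.example is a placeholder).

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment in the shape of a Wazuh agent config.
# The manager address is a documentation address, not an indicator from the campaign.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>203.0.113.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>windows</config-profile>
  </client>
</ossec_config>"""

# Assumed allowlist of managers the organisation actually runs (placeholder name).
EXPECTED_MANAGERS = {"siem.corp.example"}


def manager_addresses(conf_xml):
    """Return every <client><server><address> value in an ossec.conf body.

    ossec.conf inherited from OSSEC may contain several top-level
    <ossec_config> elements, which is not well-formed XML, so the body is
    wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    return [
        addr.text.strip()
        for addr in root.findall(".//client/server/address")
        if addr.text and addr.text.strip()
    ]


def audit_agent(conf_xml, expected=EXPECTED_MANAGERS):
    """Return the manager addresses that are not on the allowlist.

    A non-empty result means the agent reports to, and accepts commands from,
    a manager the organisation does not control.
    """
    return [addr for addr in manager_addresses(conf_xml) if addr not in expected]


if __name__ == "__main__":
    rogue = audit_agent(SAMPLE_OSSEC_CONF)
    for addr in rogue:
        print(f"agent enrolled with unexpected manager: {addr}")
    if not rogue:
        print("all manager addresses are on the allowlist")
```

On a Windows host the agent config lives under the Wazuh agent install directory; on Linux under /var/ossec/etc/. Read the file and pass its contents to audit_agent; any hit should be treated as an active backdoor, not a misconfiguration.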
Date
Published: Oct. 7, 2024, 9:06 a.m.
Created: Oct. 7, 2024, 9:06 a.m.
Modified: Oct. 7, 2024, 9:33 a.m.
Indicators
4fc90290ee0c503c00448df7a3a84c1a88f07ba776dad08dfe43dd3e960d105c
http://nyaera.ru/wp-includes/uploads/art/utorrent.zip
http://nyaera.ru/wp-includes/uploads/My/MS-Excel.zip
trojan.bat.miner.id
sportjump.ru
nyaera.ru
gamejump.site
alljump.ru
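To turn the indicators listed above into something a SOC can run, here is an added example in Python (not part of the original entry): it loads the SHA-256 hash, the two download URLs and the four domains from the list and sweeps a handful of key=value log lines. The log lines, the host names (WS-0421 and so on) and the file path are all constructed for this example. Domain matching covers subdomains but deliberately rejects look-alike strings such as notnyaera.ru, URL matching lowercases only the scheme and host because paths are case-sensitive on the server, and hashes are compared case-insensitively.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the entry above.
IOC_SHA256 = {"4fc90290ee0c503c00448df7a3a84c1a88f07ba776dad08dfe43dd3e960d105c"}
IOC_URLS = {
    "http://nyaera.ru/wp-includes/uploads/art/utorrent.zip",
    "http://nyaera.ru/wp-includes/uploads/My/MS-Excel.zip",
}
IOC_DOMAINS = {"sportjump.ru", "nyaera.ru", "gamejump.site", "alljump.ru"}

# Constructed sample log lines (DNS queries, proxy URLs, a file-hash inventory entry).
SAMPLE_LOG = """\
2024-10-07T09:12:01Z host=WS-0421 proto=dns query=cdn.nyaera.ru
2024-10-07T09:12:03Z host=WS-0421 proto=http url=http://nyaera.ru/wp-includes/uploads/art/utorrent.zip
2024-10-07T09:15:40Z host=WS-0187 proto=dns query=update.microsoft.com
2024-10-07T09:16:02Z host=WS-0187 proto=dns query=notnyaera.ru
2024-10-07T09:20:11Z host=WS-0421 proto=file sha256=4FC90290EE0C503C00448DF7A3A84C1A88F07BA776DAD08DFE43DD3E960D105C path=C:\\Users\\u\\Downloads\\utorrent.exe
2024-10-07T09:21:00Z host=WS-0099 proto=http url=https://gamejump.site/dl/setup.zip
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a key=value log line into a dict; the leading timestamp has no '=' and is ignored."""
    return dict(KV.findall(line))


def domain_matches(host, iocs=IOC_DOMAINS):
    """True if host equals an IOC domain or is a subdomain of one (not a mere substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def url_matches(url, iocs=IOC_URLS):
    """Compare scheme and host case-insensitively, the path exactly; query strings are dropped."""
    p = urlparse(url)
    normalised = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    return normalised in iocs


def scan_line(line):
    """Return (indicator_type, value) hits for one log line."""
    rec = parse_line(line)
    hits = []
    if "query" in rec and domain_matches(rec["query"]):
        hits.append(("domain", rec["query"]))
    if "url" in rec:
        if url_matches(rec["url"]):
            hits.append(("url", rec["url"]))
        host = urlparse(rec["url"]).hostname or ""
        if domain_matches(host):
            hits.append(("domain", host))
    if "sha256" in rec and rec["sha256"].lower() in IOC_SHA256:
        hits.append(("sha256", rec["sha256"].lower()))
    return hits


def sweep(lines):
    """Return (host, hit) pairs across all lines; a host appearing here needs triage."""
    return [(parse_line(line).get("host"), hit) for line in lines for hit in scan_line(line)]


if __name__ == "__main__":
    for host, (kind, value) in sweep(SAMPLE_LOG):
        print(f"{host}: {kind} match on {value}")
```

A URL hit is also a domain hit on its host, so a single download line produces two entries; the host-level view from sweep is what matters for scoping the incident, and the file-hash hit on the same host as the download URL is the strongest signal that the dropper actually landed.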
Attack Patterns
SilentCryptoMiner
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1608.001 Stage Capabilities: Upload Malware
T1053.005 Scheduled Task/Job: Scheduled Task
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.001 User Execution: Malicious Link
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1497 Virtualization/Sandbox Evasion
T1113 Screen Capture
T1518.001 Software Discovery: Security Software Discovery
T1204.002 User Execution: Malicious File
T1496 Resource Hijacking
T1055 Process Injection
T1027 Obfuscated Files and Information
T1041 Exfiltration Over C2 Channel
Additional Information
Mozambique
British Indian Ocean Territory
Algeria
Uzbekistan
India
Belarus
Germany
Kazakhstan
Russian Federation