New Wave of SilentCryptoMiner Attacks Detected in Eurasia
Experts from Kaspersky Lab have uncovered a new large-scale campaign involving the distribution of the stealthy SilentCryptoMiner. The attacks have affected users in several countries, including Russia, Belarus, India, Uzbekistan, and Kazakhstan, with the majority of incidents recorded within Russia.
What sets this campaign apart is the use of several unconventional techniques to evade detection and persist within users’ systems, notably the installation of the open-source Wazuh SIEM agent. Specialists highlight that this malicious campaign remains active to this day.
SilentCryptoMiner is a covert cryptocurrency miner that uses the computing power of infected devices to mine cryptocurrencies such as Monero and Zephyr. The miner was distributed via fake websites offering free downloads of popular programs, including uTorrent, MS Excel, MS Word, Minecraft, and Discord.
Moreover, the attackers operated several Telegram channels targeting cryptocurrency wallet owners and users of cheat software. These channels offered themed software, under the guise of which the hidden miner would be installed on the victim’s device. There were also reports of the malware being spread through YouTube, where numerous English-language videos were posted from various accounts—likely hacked. The video descriptions and comments contained links to counterfeit resources.
To install the miner, users were prompted to download an archive, inside which was an MSI file for Windows, along with a text document containing a password and instructions. In some cases, users were advised to disable their antivirus software before proceeding with the installation. The program the user sought was never delivered. Instead, malicious software was surreptitiously installed on the device.
Through a complex infection chain, a malicious script along with SilentCryptoMiner infiltrated the user’s system. A distinctive feature of this campaign was the use of the Wazuh SIEM agent by the attackers. This technique was aimed at evading detection by security solutions and securing a foothold on users’ devices. Additionally, the SIEM system granted the attackers remote control over the compromised device, allowing them to collect telemetry data and transmit it to their command server.
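As an added example (not Kaspersky's code and not part of the original report), the defender-side check this technique calls for: a Wazuh agent is legitimate software, so the indicator is not its presence but an agent configured to report to a manager the organization does not operate. It assumes the agent's ossec.conf uses the documented `<ossec_config><client><server><address>` layout; the sample config, the approved manager names and the Windows config path are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Managers the SOC actually operates (constructed placeholder names).
APPROVED_MANAGERS = {"siem.corp.example", "10.20.30.40"}
# Usual location of the Windows agent config (assumption; adjust to your estate).
WINDOWS_OSSEC_CONF = r"C:\Program Files (x86)\ossec-agent\ossec.conf"


def manager_addresses(conf_text: str) -> list[str]:
    """Every manager <address> the agent is configured to report to.

    ossec.conf may hold several top-level <ossec_config> blocks (not well-formed
    XML), so drop any XML declaration and wrap the text in a synthetic root.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring(f"<root>{body}</root>")
    return [a.text.strip() for a in root.findall("./ossec_config/client/server/address")
            if a.text and a.text.strip()]


def rogue_managers(conf_text: str, approved=APPROVED_MANAGERS) -> list[str]:
    """Managers this agent reports to that are not on the approved list."""
    allowed = {a.lower() for a in approved}
    return [a for a in manager_addresses(conf_text) if a.lower() not in allowed]


# Constructed sample: the first block points at a manager we do not operate.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>203.0.113.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
<ossec_config>
  <client>
    <server><address>siem.corp.example</address></server>
  </client>
</ossec_config>
"""

if __name__ == "__main__":
    try:
        with open(WINDOWS_OSSEC_CONF, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CONF  # no local agent here: use the constructed sample
    print("unexpected managers:", rogue_managers(text))
```

Run fleet-wide, any host returning a non-empty list, or any host running the agent service at all when it was never enrolled, is worth an incident ticket.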
The malware that delivered the miner also collected information about the victim's machine: computer and user name, OS version and architecture, processor name, GPU details, and installed antivirus software. This data was sent to a Telegram bot controlled by the attackers. Some versions of the malware could additionally capture screenshots of the desktop or install browser extensions used to hijack cryptocurrency wallets.