
New Crypto Miner Malware Tricks Users into Disabling Security


A new mass malware campaign is infecting unsuspecting users with SilentCryptoMiner, a cryptocurrency miner that disguises itself as a tool to bypass internet restrictions.

According to Russian cybersecurity firm Kaspersky, cybercriminals are increasingly abusing Windows Packet Divert (WPD) tools, utilities that circumvent internet restrictions by intercepting and modifying network traffic, as a lure: they distribute trojanized copies while posing as the developers of the legitimate software.

The campaign tricks users into disabling their security software before installation. The malicious archive ships with installation instructions claiming that antivirus products may falsely flag the program, and it encourages users to turn protection off before running it.

Once installed, SilentCryptoMiner secretly runs in the background, using the infected computer’s processing power to mine cryptocurrency.

This tactic is not new. It has been used in the past to spread various forms of malware, including:

  • Remote Access Trojans (RATs) – Let attackers control the infected system remotely.
  • Data Stealers – Extract saved credentials and other personal information.
  • Trojans and Backdoors – Give attackers hidden, persistent access to the machine.
  • Cryptocurrency Miners – Hijack system resources to mine digital currencies.

SilentCryptoMiner is the latest evolution of this attack method, with over 2,000 Russian users reportedly compromised.

Cybercriminals are now exploiting popular platforms to distribute malware. In November 2024, attackers began impersonating software developers and targeting YouTube creators with fake copyright strike threats.

They demanded that channel owners post videos containing links to malicious software, threatening to shut down their channels if they refused.

By December 2024, SilentCryptoMiner was also spreading through Telegram channels and additional YouTube accounts, some of which were later taken down once the distribution was noticed.

How SilentCryptoMiner Evades Detection

The malware is delivered in a booby-trapped archive of the bypass tool that contains an extra executable, and the otherwise legitimate installation script (a batch file) in the archive is modified to launch it.

If an antivirus program detects and quarantines that executable, the script does not find it and shows the victim an error message urging them to disable security protections and re-download the archive.

Once the executable runs, the infection proceeds in stages:

  1. The executable is a Python-based loader that fetches the next-stage payload, another Python script.
  2. That script checks whether it is running in a virtual machine or sandbox.
  3. It configures Windows Defender exclusions so the following stages are not scanned.
  4. It then downloads SilentCryptoMiner and establishes persistence.

SilentCryptoMiner is based on XMRig, an open-source cryptocurrency mining software. However, it has been modified to avoid detection in the following ways:

  • File Size Inflation: The miner binary is padded to 690 MB with blocks of random data, exploiting the fact that many antivirus engines and sandboxes skip or time out on files above a size limit.
  • Process Hollowing: The miner's code is injected into a legitimate system process, dwm.exe (the Desktop Window Manager), so that the mining shows up under a trusted process name.
  • Dynamic Control: The miner pauses when specific processes named in its configuration are running, so a user who opens a monitoring tool is less likely to notice the load.
  • Remote Control: Attackers manage the miner through a web panel, from which they can push configuration updates or enable additional functions.
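The three host-side artifacts above (Defender exclusions that an installer never needs, an executable padded to an implausible size, and a dwm.exe that was not started by Windows) can be checked for directly. The following PowerShell hunting script is an added example written for this article; it is not code from Kaspersky, the article's author, or the malware itself. The size threshold, the directories it scans, and the "normal" properties it expects of dwm.exe (started by winlogon.exe, running as the Window Manager account, from System32) are assumptions used for illustration. Run it from an elevated prompt so that processes owned by other accounts are visible.

```powershell
# Added hunting script, not part of the article or Kaspersky's research.
# Checks a Windows host for the artifacts described in the evasion list:
#   1. Defender exclusions (and when they appeared, via event 5007)
#   2. oversized executables in download/temp locations (possible padding)
#   3. dwm.exe instances that do not look like the real Desktop Window Manager
# Threshold and scan roots below are assumptions chosen for illustration.
param(
    [int]$SizeThresholdMB = 500,
    [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA)
)

Write-Host "== 1. Defender state and exclusions =="
$status = Get-MpComputerStatus
Write-Host ("  real-time protection: {0}   tamper protection: {1}" -f $status.RealTimeProtectionEnabled, $status.IsTamperProtected)
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in $pref.$kind) { Write-Host "  $kind : $entry" }
}
# Event 5007 = "configuration changed"; the 'New value' line names the exclusion key.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $newValue = ($_.Message -split "`n" | Where-Object { $_ -match 'New value' }) -join ' '
        Write-Host ("  {0}  {1}" -f $_.TimeCreated, $newValue.Trim())
    }

Write-Host "== 2. Oversized executables (possible padding) =="
$limit = $SizeThresholdMB * 1MB
Get-ChildItem -Path $ScanRoots -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt $limit } |
    ForEach-Object {
        # A huge *and* unsigned binary is the combination worth a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        Write-Host ("  {0,8:N0} MB  sig={1,-12} {2}" -f ($_.Length / 1MB), $sig.Status, $_.FullName)
    }

Write-Host "== 3. dwm.exe instances =="
$expectedPath = Join-Path $env:SystemRoot 'System32\dwm.exe'
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'dwm.exe'") {
    $flags = @()
    # The genuine Desktop Window Manager is launched by winlogon.exe; a hollowed
    # copy started by the loader will have a different (or already exited) parent.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'winlogon.exe') { $flags += "parent=$parentName" }
    # The real one runs as 'Window Manager\DWM-<n>', not as the logged-on user.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($owner -and $owner.Domain -ne 'Window Manager') { $flags += "owner=$($owner.Domain)\$($owner.User)" }
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) { $flags += "path=$($p.ExecutablePath)" }
    $cpu = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).CPU
    $verdict = if ($flags) { 'SUSPICIOUS ' + ($flags -join ' ') } else { 'looks normal' }
    Write-Host ("  pid {0,-6} cpu {1,8:N1}s  {2}" -f $p.ProcessId, $cpu, $verdict)
}
```

Two caveats when reading the output. Process hollowing keeps the legitimate image path, so the path check alone will not catch the miner; the parent and owner checks are the ones that matter. And because the miner pauses itself when certain processes are running, CPU time observed while an interactive monitoring tool is open may look innocent; collecting this output from a scheduled task, or comparing CPU seconds across two runs minutes apart, is more reliable than watching Task Manager.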

How to Stay Safe from SilentCryptoMiner and Similar Malware

To protect against SilentCryptoMiner and other malicious mining campaigns, follow these security best practices:

  • Never disable your antivirus software when installing third-party tools.
  • Download software only from official websites and verified sources.
  • Be cautious of YouTube and Telegram links promoting restriction bypass tools.
  • Monitor system performance for unusual slowdowns, overheating, or high CPU usage, bearing in mind that this miner can pause itself while monitoring tools are open, so periodic checks from a script or a security agent are more reliable than a quick look at Task Manager.
  • Regularly update security software to detect and remove emerging threats.

SilentCryptoMiner is the latest example of how cybercriminals are evolving their tactics to exploit users under false pretenses. By posing as legitimate tools and leveraging social engineering, they can infiltrate systems, evade detection, and profit at the victim’s expense.

Users should remain vigilant, follow safe browsing practices, and ensure that security solutions remain active at all times to defend against these increasingly sophisticated threats.
