Cybercriminals exploit YouTube and Telegram to spread crypto miners


Cybercriminals are using YouTube and associated Telegram channels to spread crypto miners such as SilentCryptoMiner disguised as tools for bypassing internet restrictions. By exploiting Windows Packet Divert (WinDivert) drivers, attackers trick users into downloading infected archives that inject malicious code into their systems.

Researchers discovered that some YouTubers have unknowingly helped distribute these files, while others have been blackmailed into sharing malicious links. With over 2.4 million detections in the past six months, the threat actors seem to have exploited YouTube and Telegram to the fullest.

In the campaign, attackers exploited the legitimate version of a deep packet inspection (DPI) bypass tool. A YouTuber with 60,000 subscribers unknowingly spread the malicious archive by linking it in video descriptions. Over time, these videos accumulated over 400,000 views before the link was removed.

YouTube channels distributing crypto miners. | Source: Securelist

One particularly alarming tactic involved attackers impersonating the tool’s developers to file false copyright strikes against content creators. They then blackmailed these YouTubers, coercing them into posting links to malware-infected files under threat of losing their channels.

The infected files were also spread via Telegram, with one channel linked to a YouTube account boasting 340,000 subscribers.

The attack flow works in three stages. Each infected archive discovered by researchers contained a modified start script (general.bat) that executed an additional malicious executable via PowerShell. If security software removed the malicious files, the script displayed deceptive error messages urging users to disable antivirus protection and re-download the file.

The malicious executable, a Python-based loader obfuscated with PyInstaller and PyArmor, retrieves a second-stage payload from hardcoded domains (canvas[.]pet and swapme[.]fun). This payload is only accessible from Russian IP addresses, indicating a geographically targeted campaign.

A sample of the copyright strike claim sent by hackers. | Source: Securelist

The second loader detects sandboxes, adds the AppData directory to Microsoft Defender exclusions, retrieves an executable from a command-and-control (C2) server, pads the file to 690 MB to evade antivirus detection, and creates a system service named ‘DrvSvc’ to gain persistence.

The downloaded payload, named di.exe, is a SilentCryptoMiner variant based on XMRig. Researchers discovered that the miner’s configuration is encrypted using AES-CBC and remotely updated every 100 minutes via a Pastebin account to distribute configurations dynamically.
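The behaviours reported above (a Defender exclusion on AppData, a service named DrvSvc launched from a user-writable directory, a padded binary of several hundred megabytes, lookups of the loader domains and of Pastebin) are each weak on their own but strong in combination. The following is an added detection example written for this article; it is not Securelist's or the article author's code. The event records are constructed to look like normalised endpoint telemetry, and the field names (`type`, `path`, `name`, `image`, `size`, `query`) are an assumed schema, not any real product's format. The two domains are the ones the article reports; the 600 MB size threshold is an assumed cut-off chosen to catch the 690 MB padding described.

```python
"""Hunt for the SilentCryptoMiner loader indicators described in the article.

Added example; assumes events have already been normalised into dicts with the
(assumed) keys: type, path, name, image, size, query.
"""

# Loader domains reported in the article (de-fanged there as canvas[.]pet / swapme[.]fun).
SUSPECT_DOMAINS = {"canvas.pet", "swapme.fun"}
# Persistence service name reported in the article.
SUSPECT_SERVICE = "drvsvc"
# Assumed threshold: the loader pads the payload to 690 MB, so flag user-writable
# binaries at or above 600 MB.
PADDED_SIZE_BYTES = 600 * 1024 * 1024

# Constructed sample events (not real telemetry) mixing the campaign's behaviour
# with benign noise.
SAMPLE_EVENTS = [
    {"type": "defender_exclusion", "path": r"C:\Users\alice\AppData\Roaming"},
    {"type": "service_create", "name": "DrvSvc",
     "image": r"C:\Users\alice\AppData\Roaming\di.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\di.exe",
     "size": 690 * 1024 * 1024},
    {"type": "dns", "query": "swapme.fun"},
    {"type": "dns", "query": "pastebin.com"},
    {"type": "service_create", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "dns", "query": "update.microsoft.com"},
]


def _in_appdata(path: str) -> bool:
    """True when a Windows path sits under any user's AppData directory."""
    return "\\appdata\\" in (path.lower() + "\\")


def classify(event: dict) -> list:
    """Return the indicator names this single event matches (empty if benign)."""
    hits = []
    kind = event.get("type")
    if kind == "defender_exclusion" and _in_appdata(event.get("path", "")):
        hits.append("defender_exclusion_appdata")
    if kind == "service_create":
        if event.get("name", "").lower() == SUSPECT_SERVICE:
            hits.append("drvsvc_service")
        if _in_appdata(event.get("image", "")):
            hits.append("service_image_in_appdata")
    if (kind == "file_create" and event.get("size", 0) >= PADDED_SIZE_BYTES
            and _in_appdata(event.get("path", ""))):
        hits.append("oversized_binary_in_appdata")
    if kind == "dns":
        query = event.get("query", "").lower()
        if query in SUSPECT_DOMAINS:
            hits.append("loader_c2_domain")
        elif query == "pastebin.com" or query.endswith(".pastebin.com"):
            # Config is pulled from Pastebin every 100 minutes; noisy alone, useful
            # when correlated with the other indicators.
            hits.append("pastebin_lookup")
    return hits


def hunt(events: list) -> dict:
    """Aggregate indicator hits across one host's events: {indicator: count}."""
    counts = {}
    for event in events:
        for hit in classify(event):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


def is_suspicious(events: list, threshold: int = 2) -> bool:
    """Alert when at least `threshold` distinct strong indicators fire on a host.

    Pastebin traffic is excluded from the count because it is common and benign
    on its own; it only adds context once stronger indicators are present.
    """
    strong = {name for name in hunt(events) if name != "pastebin_lookup"}
    return len(strong) >= threshold


if __name__ == "__main__":
    for name, count in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
    print("suspicious:", is_suspicious(SAMPLE_EVENTS))
```

Run as a script it lists the six indicators matched by the sample host and reports it as suspicious; the lone Spooler service and the Microsoft DNS lookup produce no hits. Tune `threshold` and the size cut-off to the environment before using the logic on real telemetry.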

“The topic of restriction bypass tools is being actively exploited to distribute malware. The above campaign limited itself to distributing a miner, but threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware. This underscores once again that, while such tools may look enticing, they pose a serious threat to user data security,” researchers concluded.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me