Scam Information and Event Management

Attackers trying to deliver malware to victims’ devices and keep it there for as long as they can sometimes resort to quite unusual techniques. In a recent campaign that started in 2022, unknown malicious actors have been trying to mine cryptocurrency on victims’ devices without user consent. They put large amounts of resources into distribution and, what’s more, used multiple unusual vectors for defense evasion and persistence. One of these vectors was abuse of the agent of the open-source SIEM “Wazuh”.


We are quite sure that this campaign was a global one, but in this article we’ll focus on an infection chain that, according to our telemetry, mainly targeted Russian-speaking users. The attackers distributed the malicious files through websites offering free downloads of popular software (uTorrent, Microsoft Office, Minecraft, etc.). These websites were shown to users in the top search results in Yandex. The malware was also distributed through Telegram channels aimed at crypto investors, and in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling.


Infection


The attackers advertised their websites in Yandex search results. Users would see these malicious sites in the top results when searching for resources that distribute popular software for free, such as uTorrent, MS Excel, MS Word, Minecraft, Discord and so on.


Links to malicious websites in Yandex search results


The frontend of these websites is a copy of either the official software website or a known piracy website distributing this kind of software:


Malicious websites


The attacker ..
