The campaign distributes a miner and a RAT through illegal movie and TV streaming sites and digital library sites, using fake update prompts, DLL side-loading, and several persistence mechanisms. The activity appears to have been active since at least 2022 and relies on rotating domains, encrypted C2 traffic, and in-memory injected components to maintain control over infected systems. #SilentCryptoMiner #urush1bar4 #5d14vnfb #107.172.212.235
Keypoints
- The malware is spread through pirated streaming sites and digital libraries using a fake plugin update prompt.
- The initial ZIP archive contains a legitimate EXE and a malicious DLL, which uses DLL side-loading to run code.
- The malicious DLL decrypts a main module that is a modified fork of SilentCryptoMiner.
- The malware gathers system data and sends it via DNS tunneling before continuing execution.
- With elevated privileges, it disables security tools, adds Defender exclusions, stops MSRT, and configures persistence through GoogleUpdateTaskMachineQC.
- A Watchdog component protects the miner by monitoring the service and restoring files if tampering is detected.
- The RAT and miner infrastructure use date-based rotating domains, encrypted payloads, and signed server responses.
MITRE Techniques
- [T1574.002] DLL Side-Loading: The malicious DLL is launched alongside a legitimate executable to execute attacker code in a trusted process context ("Launching the EXE triggered a DLL side-loading mechanism").
- [T1055] Process Injection: The components are injected into target processes without writing to disk ("the components are injected directly into the memory of the target processes").
- [T1055.012] Process Hollowing: The miner is launched through process hollowing inside explorer.exe ("passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing").
- [T1001.003] Data Obfuscation: Protocol Impersonation: DNS traffic is crafted to look legitimate and hidden behind a microsoft.com-like domain ("disguise the DNS query as legitimate traffic").
- [T1071.004] DNS: The malware transmits system data using DNS tunneling ("transmitted as a single large DNS query using the DNS tunneling technique").
- [T1112] Modify Registry: Registry keys are created to prevent MSRT from being offered and to establish persistence ("DontOfferThroughWUAU parameter is created" and "adding an entry to HKEY_CURRENT_USER…Run").
- [T1562.001] Impair Defenses: Defender exclusions are added and MSRT is disabled to reduce detection ("adds Windows Defender exclusions" and "It kills Microsoft's Malicious Software Removal Tool").
- [T1105] Ingress Tool Transfer: The malicious archive is downloaded to the victim device ("Clicking the link downloaded a ZIP archive").
- [T1543.003] Create or Modify System Process: Windows Service: A service is created/used for persistence ("GoogleUpdateTaskMachineQC service is registered and configured to launch automatically").
- [T1053.005] Scheduled Task/Job: Scheduled Task: The GoogleUpdateTaskMachineQC mechanism is used to start automatically at boot ("configured to launch automatically at system startup").
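The DNS tunneling and protocol-impersonation techniques above give a defender two cheap signals to hunt on: a single oversized, high-entropy query, and a queried name that contains "microsoft" without actually being under microsoft.com. The script below is an added example (not code from the Securelist article or from the malware) that scores constructed DNS resolver log lines on both signals; the log format, the thresholds and the sample names are assumptions to be tuned for a real environment.

```python
import math
from collections import Counter

# Constructed sample resolver log lines: "<timestamp> <client> <queried name>".
# Lines 3 and 4 imitate the report's pattern (hex/base-ish data in a large query
# under a microsoft.com lookalike); the others are ordinary traffic.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.microsoft.com
2024-05-01T10:00:02Z 10.0.0.5 update.microsoft.com
2024-05-01T10:00:03Z 10.0.0.7 4a6f686e2d50432e57494e31302e7838362d36342e31362e30.update-microsoft.com
2024-05-01T10:00:04Z 10.0.0.7 v8zqk2x1y9p0lm3n7r5t2w4b6c8d0f1g.h3j5k7l9m1n3p5q7s9t1v3w5x7y9z1.microsoft.com.example
2024-05-01T10:00:05Z 10.0.0.9 mail.google.com
"""

MAX_SANE_QUERY_LEN = 60     # assumption: few legitimate names exceed this
MIN_SUBDOMAIN_LEN = 20      # assumption: ignore short hostnames
MIN_TUNNEL_ENTROPY = 3.0    # bits/char; hex- or base32-encoded data scores above this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_microsoft_lookalike(name):
    """True when the name contains 'microsoft' but is not under microsoft.com."""
    lower = name.lower().rstrip(".")
    if "microsoft" not in lower:
        return False
    return not (lower == "microsoft.com" or lower.endswith(".microsoft.com"))


def analyze_dns_queries(log_text):
    """Return one finding per suspicious query, each with the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        subdomain = "".join(labels[:-2])          # everything left of the registrable part
        reasons = []
        if len(qname) > MAX_SANE_QUERY_LEN:
            reasons.append("oversized query (%d chars)" % len(qname))
        if len(subdomain) >= MIN_SUBDOMAIN_LEN and shannon_entropy(subdomain) >= MIN_TUNNEL_ENTROPY:
            reasons.append("high-entropy subdomain")
        if is_microsoft_lookalike(qname):
            reasons.append("microsoft.com lookalike")
        if reasons:
            findings.append({"time": ts, "client": client, "qname": qname, "reasons": reasons})
    return findings
```

Running `analyze_dns_queries(SAMPLE_DNS_LOG)` flags only the two queries from 10.0.0.7, each on all three signals, while the genuine microsoft.com and google.com lookups pass.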
Indicators of Compromise
- [URL] malicious archive download and delivery: urush1bar4[.]online, file[.]ipfs[.]us[.]69[.]mu
- [Domain] RAT C2 domains generated from date-based rotation: 5d14vnfb[.]space, r7mvjl67[.]space, and 3 more domains
- [IP address] configuration retrieval / miner infrastructure: 107[.]172[.]212[.]235
- [Hashes] malicious DLL hash and related components: 6A0FE6065D76715FEEBC1526D456DB737F624407AE489324E96A708A09C17E6F02A43B3423367B9DDDC24CC7DFC070DF, and other hashes not specified
- [File names] bundled and referenced files: HLS Installer.874.exe, mrt.exe
- [Registry keys / values] persistence and defense evasion: HKLM\Software\Policies\Microsoft\MRT\DontOfferThroughWUAU, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- [Paths] persistence and service-related file locations: C:\ProgramData\Google\Chrome, %USERPROFILE%\AppData\Roaming\Sandboxie
- [User-Agent / C2 parameters] encrypted request/response parameters: authorization=1, AES-CBC keys and IVs used by the implant
Read more: https://securelist.com/video-books-pirates-miners-rat/119943/