Unveiling Cryptocurrency Malware on YouTube: A Comprehensive Analysis of Mining Threats

MITRE Techniques

• [T1059.003] Windows Command Shell – The malware uses a script-driven installer (NSIS) to orchestrate payload deployment. Quote: “The original malware sample comes as a RAR archive with the password ‘1234’.” and “NSIS (Nullsoft Scriptable Install System)”.
• [T1569.002] Service Execution – ghub.exe is registered and runs as a Windows service to establish persistence. Quote: “ghub.exe runs as the service” and “registers as service to start and executes the executable”.
• [T1204.001] Malicious Link – The download URL is hosted on a YouTube About page, acting as a deceptive link to the payload. Quote: “The URL shared on this page is for the GitHub repository…”
• [T1024.002] Malicious File – The payload is delivered as a compressed archive containing executables like AutoInstall.exe. Quote: “The original malware sample comes as a RAR archive…”
• [T1547.001] Registry Run Keys / Startup Folder – The malware configures startup behavior and auto-launch mechanisms. Quote: “enabling persistence… as a startup service”.
• [T1543.003] Windows Service – ghub.exe is installed as a system service for persistence. Quote: “registers as service to start and executes the executable”.
• [T1653] Power Settings – The malware alters the system power settings to keep the system running. Quote: “altering the power setting of the system”.
• [T1622] Debugger Evasion – The malware employs anti-debugging measures and stealth operations. Quote: “anti-debugging techniques and follows a stealth operation process”.
• [T1562.001] Disable or Modify Tools – Modifies tools/defender exclusions as part of its defense. Quote: “adding the executable (.exe) files as an exception from Windows Defender scanning”.
• [T1562.002] Disable Windows Event Logging – Disables or alters event logging to evade traces. Quote: “stops the system Event Logging”.
• [T1070.004] File Deletion – Deletes artifacts and self-deletes after cleanup. Quote: “deleting a service subkey ‘ghub’ from the registry” and “deletes itself”.
• [T1055.012] Process Hollowing – Injects into legitimate processes (conhost.exe, dwm.exe) via hollowing techniques. Quote: “process hollowing, creates a process (NtCreateUserProcess) conhost.exe in suspended state, injects the code”.
• [T1497] Virtualization/Sandbox Evasion – Uses virtualization/sandbox evasion techniques to avoid analysis. Quote: “Virtualization/Sandbox Evasion”.
• [T1071.001] Web Protocols – Communicates with C2 over web protocols and reports status. Quote: “Communicate with C2 with status update and receive instruction”.
• [T1496] Resource Hijacking – The miner exploits system resources for cryptocurrency mining. Quote: “Crypto-Mining: The final stage” and capabilities list including resource hijacking.
• [T1489] Service Stop – Stops or disables services such as MRT and Windows Update services. Quote: “disabling Windows update services” and “Uninstalls Windows MRT (Malicious Software Removal Tool) update”.