SilentCryptoMiner-Based RAT and Mining Campaign Targeting Piracy Platforms
A long-running cybercrime campaign, active since at least 2022, uses a heavily customized fork of the SilentCryptoMiner malware to target users of high-traffic piracy platforms, including digital libraries and video streaming services. The initial access vector is social engineering: victims are lured into installing fake "plugin updates" or "browser patches" that set up DLL side-loading. The execution chain then triggers a stack buffer overflow through the malware's own 'SmashStack' function, which hands control to Return-Oriented Programming (ROP) chains that decrypt and reflectively load a hybrid payload. That payload pairs a cryptocurrency miner, running on both CPU and GPU, with a Remote Access Trojan (RAT) that gives the operators persistent Command and Control (C2) access. Evasion is layered: the malware deletes Microsoft's Malicious Software Removal Tool (mrt.exe), adds Windows Defender exclusions, and runs a dedicated watchdog module that protects the miner's integrity. C2 traffic is encrypted with AES-CBC and carried over DNS tunneling disguised as legitimate Microsoft telemetry, with the C2 domains produced by a MurmurHash64-based Domain Generation Algorithm (DGA).
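The DNS-tunneling channel described above is the part of this campaign a network defender can see without an endpoint agent. The following is an added detection example, not code from the write-up or from the malware: it scores DNS query logs for the generic signature of tunnelled C2 behind a telemetry-looking domain, namely many distinct, high-entropy leading labels and a TXT-heavy query mix under one base domain. The log format, the sample lines, the `telemetry-ms-update.example` domain and the thresholds are all constructed for the demo; the page gives no details of the real DGA or wire format, so nothing here reproduces them.

```python
"""Heuristic detector for DNS-tunnelled C2 hiding behind telemetry-looking domains.

Added example (not code from the original write-up or the malware). The log
format, sample lines, domain names and thresholds below are constructed.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 settings-win.data.microsoft.com A
2024-05-01T10:00:02Z 10.0.0.5 v10.events.data.microsoft.com A
2024-05-01T10:00:03Z 10.0.0.7 3f9a1c7e2b8d4e6f0a1b.telemetry-ms-update.example TXT
2024-05-01T10:00:04Z 10.0.0.7 9e2d5b7c1a4f8e0d3c6b.telemetry-ms-update.example TXT
2024-05-01T10:00:05Z 10.0.0.7 c4b8e1f6a9d2c5e7f0a3.telemetry-ms-update.example TXT
2024-05-01T10:00:06Z 10.0.0.7 7a1e4d9c2f6b8e0a5d3c.telemetry-ms-update.example TXT
2024-05-01T10:00:07Z 10.0.0.7 e6c2a8f4b1d9e3c7a0f5.telemetry-ms-update.example TXT
2024-05-01T10:00:08Z 10.0.0.7 b3f7d1a5c9e2b6f8d0a4.telemetry-ms-update.example TXT
2024-05-01T10:00:09Z 10.0.0.9 www.wikipedia.org A
2024-05-01T10:00:10Z 10.0.0.9 mail.google.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded C2 payloads score far above words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (base_domain, leading_labels). Simplified: the base domain is the
    last two labels, so multi-label public suffixes (co.uk) are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text: str):
    """Parse the constructed whitespace-separated format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((ts, client, qname, qtype))
    return records


def score_domains(records, min_queries=5, min_label_len=16, min_entropy=3.0,
                  txt_ratio=0.5):
    """Aggregate per (client, base domain) and flag tunnelling-like behaviour.

    A pair is reported when at least two of these hold over min_queries queries:
      * >= 80% of queries carry a long, high-entropy leading label (data chunk),
      * >= 80% of queries use a never-before-seen subdomain (no caching possible),
      * >= txt_ratio of queries are TXT (a roomy record type for C2 replies).
    """
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "suspicious": 0, "txt": 0})
    for _ts, client, qname, qtype in records:
        base, sub = split_name(qname)
        s = stats[(client, base)]
        s["queries"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1
        if sub:
            leading = sub[0]
            s["subs"].add(leading)
            if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
                s["suspicious"] += 1

    findings = []
    for (client, base), s in stats.items():
        q = s["queries"]
        if q < min_queries:
            continue  # too little traffic to judge; avoids flagging one-off lookups
        reasons = []
        if s["suspicious"] / q >= 0.8:
            reasons.append("high-entropy leading labels")
        if len(s["subs"]) / q >= 0.8:
            reasons.append("near-unique subdomain per query")
        if s["txt"] / q >= txt_ratio:
            reasons.append("TXT-heavy")
        if len(reasons) >= 2:
            findings.append({"client": client, "base_domain": base,
                             "queries": q, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_domains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['base_domain']} ({f['queries']} queries): "
              + ", ".join(f["reasons"]))
```

Run against the embedded sample, only the `10.0.0.7` / `telemetry-ms-update.example` pair is reported; the real Microsoft telemetry names fall below the query threshold and, more importantly, use short, repeated, dictionary-like labels. In production the base-domain split should use a public-suffix list, and the per-client counts should be windowed by time rather than over the whole file, because a tunnel drips queries continuously while legitimate bursts are short-lived.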