
Attack flow | Image: ASEC
In a new and deeply evasive malware campaign, cybercriminals are leveraging the PyBitmessage protocol to hide a backdoor payload distributed alongside a Monero coinminer. Researchers at the AhnLab Security Intelligence Center (ASEC) uncovered the campaign, highlighting how the attackers cleverly exploit peer-to-peer (P2P) encrypted communications to bypass conventional detection mechanisms.
The malicious chain begins with a top-level file that contains encrypted resources—including both the Monero coinminer and the backdoor malware. Once executed, the malware decrypts its payload using XOR operations, then drops critical components into a temp folder:
- config.json
- WinRing0x64.sys
- idle_maintenance.exe
These components enable the illicit mining of Monero, a cryptocurrency known for its strong privacy features.
“Monero coinminers exploit the strong anonymity of the Monero cryptocurrency to secretly use infected system resources for mining, thereby profiting the threat actor,” the report states.
What sets this attack apart is its use of PyBitmessage, a decentralized and encrypted messaging protocol. Although the protocol was designed for anonymous communication between users, the threat actors have turned it into a stealthy Command & Control (C2) channel.
“C2 commands and control messages are hidden within messages from real users in the Bitmessage network, making it very difficult for detection products to classify this communication as malicious behavior,” the report notes.
Upon infection, a malicious PowerShell backdoor is executed in memory. This script attempts to download a PyBitmessage executable—first from GitHub, then from a secondary file-sharing service believed to be based in Russia. Once downloaded, it installs itself using PyInstaller and initiates communication through port 8442 on the local system.
The agent sits quietly until it receives instructions disguised as user messages from the Bitmessage network. These messages are parsed and executed as PowerShell scripts—further embedding the attacker in the system.
To evade detection, the threat actor tampers with legitimate components such as QtGui4.dll, patching the library to disable its standard behavior, likely to bypass behavioral analysis tools. Because the communication and backdoor functions are wrapped inside a legitimate-looking framework, even expert analysts face challenges in detecting it.
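As an added example (not code from the ASEC report or from this article), the following Python script turns the behaviours described above into a small triage rule set run over constructed endpoint telemetry: the three coinminer components dropped into a temp folder, a loopback connection to port 8442, and PowerShell spawned by a Bitmessage process. The key=value log format, the process names setup_crack.exe and Bitmessage.exe, and all timestamps are assumptions chosen for illustration; adapt the parser to whatever your EDR or Sysmon export actually emits.

```python
"""Triage rules for the PyBitmessage / Monero coinminer chain described above.

Constructed example, not ASEC code. The key=value line format is an
assumption for readability; only the indicators (file names, port 8442,
PowerShell under a Bitmessage parent) come from the report summary.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# File names the report says are dropped into a temp folder for the coinminer.
MINER_DROP_SET = {"config.json", "winring0x64.sys", "idle_maintenance.exe"}
# Port the report names for the backdoor's local Bitmessage communication.
BITMESSAGE_PORT = 8442

# Constructed sample telemetry (not real logs): one host, benign events
# interleaved with the three behaviours the report describes. Process names
# such as setup_crack.exe and Bitmessage.exe are assumptions.
SAMPLE_LOG = r"""
ts=2025-04-01T09:12:01 type=file_create proc=setup_crack.exe path=C:\Users\alice\AppData\Local\Temp\config.json
ts=2025-04-01T09:12:01 type=file_create proc=setup_crack.exe path=C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys
ts=2025-04-01T09:12:02 type=file_create proc=setup_crack.exe path=C:\Users\alice\AppData\Local\Temp\idle_maintenance.exe
ts=2025-04-01T09:12:03 type=file_create proc=chrome.exe path=C:\Users\alice\Downloads\report.pdf
ts=2025-04-01T09:13:10 type=net_connect proc=powershell.exe dst=127.0.0.1 port=8442
ts=2025-04-01T09:13:11 type=net_connect proc=chrome.exe dst=142.250.1.1 port=443
ts=2025-04-01T09:20:45 type=proc_create proc=powershell.exe parent=Bitmessage.exe
ts=2025-04-01T09:21:00 type=proc_create proc=notepad.exe parent=explorer.exe
""".strip()


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict (tokens without '=' are ignored)."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def triage(log_text):
    """Return (rule, process, detail) findings for the three behaviours.

    coinminer_staging fires once per directory, when all three component
    names from the report have been created under a path containing 'Temp'.
    """
    findings = []
    drops = defaultdict(set)  # temp directory -> miner component names seen so far
    staged = set()            # directories already reported

    for line in log_text.splitlines():
        ev = parse_line(line)
        kind = ev.get("type")

        if kind == "file_create":
            path = PureWindowsPath(ev.get("path", ""))
            in_temp = "temp" in (part.lower() for part in path.parts)
            name = path.name.lower()
            if in_temp and name in MINER_DROP_SET:
                directory = str(path.parent)
                drops[directory].add(name)
                if drops[directory] == MINER_DROP_SET and directory not in staged:
                    staged.add(directory)
                    findings.append(("coinminer_staging", ev.get("proc", "?"), directory))

        elif kind == "net_connect":
            # The report describes the backdoor talking to port 8442 on the local system.
            if ev.get("dst") == "127.0.0.1" and ev.get("port", "").isdigit() \
                    and int(ev["port"]) == BITMESSAGE_PORT:
                findings.append(("local_bitmessage_port", ev.get("proc", "?"),
                                 f"{ev['dst']}:{ev['port']}"))

        elif kind == "proc_create":
            # Messages from the Bitmessage network are executed as PowerShell scripts.
            if ev.get("proc", "").lower() == "powershell.exe" \
                    and "bitmessage" in ev.get("parent", "").lower():
                findings.append(("powershell_from_bitmessage", ev["proc"], ev["parent"]))

    return findings


if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] process={proc} detail={detail}")
```

Each rule is deliberately narrow: the staging rule needs all three file names in the same temp directory, the port rule only fires for loopback traffic, and the process rule keys on the parent image rather than on PowerShell alone, so a legitimate PyBitmessage install or an ordinary PowerShell session does not trip it on its own.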
“In cases like this, where a backdoor uses the network function of a legitimate program (PyBitmessage), it is difficult to detect, analyze, and trace the threat actor,” the report concludes.
The exact infection vector remains unknown, but ASEC suspects it may be distributed under the guise of cracked software or legitimate installers.