Hidden Cryptocurrency Mining Campaign Hits Over 28,000 Users, Stealing Thousands in Crypto
A recent report from Doctor Web reveals a widespread malware campaign that has compromised over 28,000 users, primarily in Russia and surrounding countries. This campaign cleverly disguises cryptomining and cryptostealing malware as legitimate software like office programs, game cheats, and trading bots.
The campaign uses sophisticated methods to evade detection and take control of users’ systems. Doctor Web virus lab specialists, during routine cloud telemetry analysis, discovered suspicious activity in a program disguised as a Windows component, “StartMenuExperienceHost.exe,” the name of the genuine binary that manages the Windows Start menu.
Doctor Web analysts revealed, “The source of infection is fraudulent pages created by attackers on GitHub or YouTube, with malware links hidden in the description of the videos.” Once victims clicked on these links, they were directed to download a password-protected, self-extracting archive. The encrypted nature of the archive allowed it to bypass antivirus scans.
When executed, the malware installs several malicious components, including the Ncat network utility and an AutoIt script disguised as system files. “The ShellExt.dll file is an AutoIt language interpreter,” Doctor Web analysts noted, explaining that the attackers renamed it to disguise it as a legitimate WinRAR library.
Once installed, the malware performs various malicious actions, including scanning for debugging software, gaining network access, modifying the registry, and disabling the Windows Recovery Service to avoid being removed. The malware leverages the IFEO (Image File Execution Options) technique to hijack Windows system services, allowing it to persist within the victim’s system. “Hackers ‘hijacked’ system services and key update processes such as svchost.exe, GoogleUpdate.exe, and MicrosoftEdgeUpdate.exe,” the report reveals.
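IFEO persistence works by setting a `Debugger` value under the target image's key, so that Windows launches the "debugger" instead of (or before) the real binary every time that process starts. The following added audit script, not from the Doctor Web report, parses a `reg export` of the IFEO hive and flags Debugger entries on the system and update processes the report names, or Debugger paths outside trusted directories; the registry excerpt, the `C:\ProgramData\Update` path and the trusted-root list are constructed for the example.

```python
import re
from typing import NamedTuple

# Constructed excerpt of `reg export` output for the IFEO hive (sample data, not from the report).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"Debugger"="C:\\ProgramData\\Update\\StartMenuExperienceHost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"Debugger"="C:\\ProgramData\\Update\\StartMenuExperienceHost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="C:\\Users\\Public\\Libraries\\helper.exe"
"""

IFEO_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
# Processes the report names as hijacked through IFEO Debugger values.
WATCHLIST = {"svchost.exe", "googleupdate.exe", "microsoftedgeupdate.exe"}
# Assumed trusted locations for a genuine debugger; a Debugger anywhere else is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

class Finding(NamedTuple):
    image: str
    debugger: str
    reason: str

def audit_ifeo(reg_text: str) -> list[Finding]:
    # Walk the export line by line, remembering which image key we are inside.
    findings, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(IFEO_PREFIX.lower()):
                image = key[len(IFEO_PREFIX):].split("\\")[0].lower()
            else:
                image = None
            continue
        m = re.fullmatch(r'"Debugger"="(.*)"', line)
        if image and m:
            debugger = m.group(1).replace("\\\\", "\\")  # undo .reg backslash escaping
            if image in WATCHLIST:
                findings.append(Finding(image, debugger, "debugger set on system/update process"))
            elif not debugger.lower().startswith(TRUSTED_ROOTS):
                findings.append(Finding(image, debugger, "debugger outside trusted directories"))
    return findings
```

Run against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file contents to `audit_ifeo`; the notepad.exe entry shows that a legitimate debugger under Program Files is left alone.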
Doctor Web’s analysis also highlights the malware’s ability to send detailed information about the victim’s computer, including its specifications and antivirus software, via a Telegram bot.
At the core of this campaign is hidden cryptomining and cryptocurrency theft. One component, the DeviceId.dll file, deploys a cryptominer that silently mines cryptocurrency using the victim’s hardware resources. Meanwhile, the 7zxa.dll library contains a clipper—a type of malware that monitors the clipboard for cryptocurrency wallet addresses. This clipper swaps the legitimate wallet addresses with those controlled by the attackers, leading to direct cryptocurrency theft. “At the time of publication, it is confirmed that only thanks to the clipper hackers were able to get hold of more than 6000 dollars worth of cryptocurrency,” the report stated.
The malware also employs the Process Hollowing technique, a method that involves injecting malicious code into legitimate processes. In this case, the malware injected its payload into the explorer.exe process, resulting in multiple instances of explorer.exe running simultaneously—a telltale sign of malicious activity.
Doctor Web’s specialists urge users to be cautious when downloading software, recommending that users obtain programs from official sources and avoid pirated versions. Additionally, they stress the importance of installing capable antivirus software to protect against such attacks.