SIEM agent being used in SilentCryptoMiner attacks
Essential information
- Published
- 07/10/2024 09:06
- Modified
- 07/10/2024 09:33
- Tags
- 2024-10-07, autoit, cryptomining, defense evasion, persistence, seo poisoning, siem, silentcryptominer
- Related entities
- 8 observables, 14 techniques (mitre), 1 malware, 9 others
Description
A global malware campaign, aimed mainly at Russian-speaking users, has been distributing cryptocurrency-mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain relies on unusual persistence and evasion techniques, including hiding malicious payloads in legitimate file signatures and abusing the Wazuh SIEM agent as a backdoor: the agent is legitimate, signed monitoring software, so its presence alone is not suspicious, and the question a defender has to answer is which manager it is reporting to. The final payload injects SilentCryptoMiner into explorer.exe to mine cryptocurrencies such as Monero. The operators combine SEO poisoning, social engineering, and several persistence mechanisms to keep access to infected hosts. Although the campaign is primarily about cryptomining, some variants can also steal cryptocurrency wallet addresses and take screenshots.
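The two host-side behaviours in the description, a Wazuh agent reporting to a manager the organisation does not run and explorer.exe making outbound connections it normally would not, can be triaged from an agent config file and process network telemetry. The script below is an added example, not code from the report or from the Wazuh project; the config path, the sample ossec.conf, the expected-port set and the event record shape are assumptions, and the addresses and events are constructed for illustration. It generalises the report's case slightly: any manager address outside your allowlist is flagged, not only a known-bad one.

```python
"""Triage checks for two behaviours described in the report:
  1. a Wazuh agent configured to report to a manager we do not operate;
  2. explorer.exe initiating outbound connections to unexpected ports.
Added example, not code from the report or the Wazuh project.
"""
import xml.etree.ElementTree as ET

# Default Wazuh agent config path on Windows (assumption; adjust per host).
WAZUH_CONF_PATH = r"C:\Program Files (x86)\ossec-agent\ossec.conf"

# Constructed sample config pointing at a manager we do not operate.
# Real ossec.conf files often contain several top-level <ossec_config> blocks,
# which is not well-formed XML on its own, so the parser wraps the text in a
# synthetic root before parsing.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>203.0.113.7</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
<ossec_config>
  <client>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>203.0.113.7</manager_address>
    </enrollment>
  </client>
</ossec_config>
"""

# Ports explorer.exe is commonly seen using for legitimate reasons
# (web fetches, SMB). Assumption; tune to your environment.
EXPLORER_EXPECTED_PORTS = {80, 443, 139, 445}


def wazuh_manager_addresses(conf_text):
    """Every manager address the agent is configured to talk to (deduplicated, sorted)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    addrs = set()
    for el in root.findall(".//client/server/address"):
        if el.text and el.text.strip():
            addrs.add(el.text.strip())
    for el in root.findall(".//client/enrollment/manager_address"):
        if el.text and el.text.strip():
            addrs.add(el.text.strip())
    return sorted(addrs)


def unexpected_wazuh_managers(conf_text, allowed_managers):
    """Managers in the config that are not ours. A non-empty result means the
    agent is someone else's remote-control channel and the host needs a look."""
    return [a for a in wazuh_manager_addresses(conf_text) if a not in allowed_managers]


# Constructed network telemetry; field names loosely follow Sysmon event ID 3
# (assumption). Destination addresses are documentation ranges, not IOCs.
SAMPLE_NET_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "198.51.100.20",
     "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "198.51.100.44",
     "DestinationPort": 3333, "Initiated": True},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "198.51.100.9",
     "DestinationPort": 3333, "Initiated": True},
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.0.0.3",
     "DestinationPort": 445, "Initiated": True},
]


def suspicious_explorer_connections(events, expected_ports=EXPLORER_EXPECTED_PORTS):
    """(dest_ip, dest_port) pairs for connections explorer.exe initiated to ports
    outside the expected set. A miner injected into explorer.exe must reach its
    pool from that process; this catches the connection, not the miner itself."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if not image.endswith("\\explorer.exe"):
            continue
        if not ev.get("Initiated", False):
            continue
        if ev.get("DestinationPort") in expected_ports:
            continue
        hits.append((ev["DestinationIp"], ev["DestinationPort"]))
    return hits


def triage(conf_text, allowed_managers, events):
    """Run both checks and return one dict for the analyst."""
    return {
        "rogue_wazuh_managers": unexpected_wazuh_managers(conf_text, allowed_managers),
        "explorer_odd_connections": suspicious_explorer_connections(events),
    }


if __name__ == "__main__":
    # Constructed allowlist: the only Wazuh manager we operate.
    print(triage(SAMPLE_OSSEC_CONF, {"10.0.0.5"}, SAMPLE_NET_EVENTS))
```

On a live host, read `WAZUH_CONF_PATH` into `conf_text` and feed exported network events into `suspicious_explorer_connections`; a hit on either check is a reason to collect the agent's configured manager, the explorer.exe process memory, and the persistence entries before touching anything.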