SilentCryptoMiner Uses Wazuh SIEM Agent to Evade Detection
Operators of the SilentCryptoMiner malware are leveraging the Wazuh SIEM agent (an open-source event monitoring solution) to bypass detection and maintain persistence on users’ devices, according to a warning from Kaspersky Lab. Victims of these attacks have been identified in several countries, including Belarus, India, Uzbekistan, and Kazakhstan, with the highest activity observed in Russia.
How SilentCryptoMiner Works
As the name suggests, SilentCryptoMiner is a stealthy miner that exploits the resources of infected systems to mine cryptocurrency—specifically Monero and Zephyr in the analyzed attacks. Attackers distributed SilentCryptoMiner through fake websites that claimed to offer free downloads of popular software such as uTorrent, MS Excel, MS Word, Discord, and games like Minecraft. These malicious sites were aggressively promoted, often appearing at the top of Yandex search results.
Additionally, hackers managed several Telegram channels targeting crypto wallet owners and cheat software users, offering themed software that actually delivered the malware to victims’ devices. The malware was also spread via YouTube, through numerous English-language videos posted from various (likely compromised) accounts. Links to the fake resources and Telegram channels were placed in video descriptions and comments.
Victims, believing they were downloading legitimate software, would download a ZIP archive containing an MSI file and a TXT document with a password and installation instructions. The archive contained no real software, and users were instructed to disable antivirus and Windows Defender before running the installer. This multi-stage infection chain ultimately installed a malicious script and the SilentCryptoMiner on the victim’s system.
Use of Wazuh SIEM Agent for Evasion and Persistence
The standout feature of this campaign is the use of the Wazuh SIEM agent. Hackers used this technique to evade security solutions and establish persistence on compromised devices. The SIEM system also allowed attackers to gain remote control over infected machines, collect telemetry, and transmit it to a command-and-control server.
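A legitimate Wazuh agent on a host becomes a threat only when it reports to a manager the organization does not run, so one practical check is to read the agent's configuration and compare its manager addresses against an allowlist. The following is an added example, not code from the Kaspersky report or the Wazuh project; it assumes the agent's ossec.conf layout (`<client><server><address>`) and the default Windows install path, and uses a constructed sample config with placeholder addresses.

```python
"""Flag Wazuh agent installs whose manager address is not on an allowlist.
Added example, not from the Kaspersky report. Assumes the ossec.conf layout
(<client><server><address>) and the default Windows install path."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample config: the <client><server> block follows the real
# ossec.conf layout; the addresses are placeholders.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>wazuh.corp.example</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <server>
      <address>203.0.113.45</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
"""

# Assumed default install path of the Windows agent.
DEFAULT_CONF = Path(r"C:\Program Files (x86)\ossec-agent\ossec.conf")


def manager_addresses(conf_text: str) -> list[str]:
    """Every manager address the agent reports to. ossec.conf may hold several
    top-level <ossec_config> blocks, so wrap it in a synthetic root first."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [(a.text or "").strip() for a in root.findall(".//client/server/address")]


def rogue_managers(conf_text: str, allowed: set[str]) -> list[str]:
    """Addresses outside the allowlist: the agent is shipping telemetry to,
    and accepting commands from, a manager the organization does not run."""
    return [a for a in manager_addresses(conf_text) if a not in allowed]


def audit_host(allowed: set[str], conf_path: Path = DEFAULT_CONF) -> list[str]:
    """Audit the on-disk config; an agent present on a host that should have
    none at all is the stronger signal and is worth alerting on by itself."""
    if not conf_path.is_file():
        return []
    return rogue_managers(conf_path.read_text(encoding="utf-8", errors="replace"), allowed)
```

Run `audit_host({"wazuh.corp.example"})` from an endpoint-management job on each Windows host; any non-empty result, or any result at all on a host that should not carry an agent, is worth an alert.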
Through the malware that installed the miner, attackers could gather information such as the computer and user name, OS version and architecture, CPU name, GPU details, and installed antivirus software. All this data was sent to the attackers’ Telegram bot.
Some variants of the malware could also take desktop screenshots and install a browser extension capable of replacing cryptocurrency wallet addresses. “While the main goal of the attackers is to profit by covertly mining cryptocurrency on victims’ devices, some malware variants can perform additional malicious actions, such as replacing cryptocurrency wallet addresses in the clipboard and taking screenshots,” experts warn.