
Kaspersky uncovers global crypto-mining campaign abusing open-source SIEM agent

3 October 2024

Kaspersky researchers have uncovered a global crypto-mining campaign that abuses an open-source Security Information and Event Management (SIEM) agent to evade detection and maintain persistence on infected devices. Active since 2022, the campaign involves attackers distributing malware disguised as popular software – such as uTorrent and Microsoft Office – via fake websites, Telegram channels, and YouTube videos. While primarily targeting Russian-speaking users, the campaign has impacted victims globally.

Kaspersky’s telemetry data reveals that 87.63% of the infected users were in Russia, with additional cases reported in Belarus, India, Uzbekistan, and other countries. The malware stealthily mines cryptocurrency, primarily privacy-focused coins such as Monero and Zephyr. A notable tactic used by the attackers involves abusing the Wazuh SIEM agent, a legitimate security tool, to remotely execute commands and ensure ongoing control of infected systems.

Attackers used SEO poisoning to promote malicious websites mimicking popular software download portals, directing unsuspecting users to harmful content. Telegram channels and YouTube videos also played a key role in spreading the malware, often attracting users with interests in cryptocurrency investments and gaming mods. By impersonating widely used software and abusing legitimate tools and platforms, the attackers have broadened their reach while evading standard detection methods.

A critical aspect of the campaign is the abuse of the Wazuh SIEM agent, which allows the attackers to execute malicious commands while bypassing traditional security defenses. This tactic, coupled with the injection of malware into legitimate files signed with valid digital signatures, enables the attackers to maintain a persistent and undetected presence on infected devices.
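The practical question for a defender is how to tell a legitimately deployed Wazuh agent from one an attacker installed as a remote-control channel. The script below is an added example, not Kaspersky’s or Wazuh’s code: it reads the text of an agent’s ossec.conf and local_internal_options.conf and flags a manager address outside an allowlist, any enabled "command" wodle (which runs a shell command on a schedule), and the option that lets the manager push commands to the agent. The XML element names (client/server/address, wodle name="command") and the wazuh_command.remote_commands option are Wazuh’s as I know them; the allowlist, the sample configuration and the command path in it are constructed for the example.

```python
"""Triage a Wazuh agent configuration for signs of attacker control.

Added example, not code from Kaspersky or the Wazuh project. The sample
inputs below are constructed; the allowlist is a hypothetical one.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an attacker-shipped ossec.conf on a home PC. The manager
# address and the command path are invented for this example.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>203.0.113.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
  <wodle name="command">
    <disabled>no</disabled>
    <tag>update</tag>
    <command>cmd.exe /c C:\\Users\\Public\\svc.exe</command>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
  </wodle>
  <wodle name="syscollector">
    <disabled>no</disabled>
  </wodle>
</ossec_config>
"""

# Constructed sample local_internal_options.conf.
SAMPLE_INTERNAL_OPTIONS = """# agent-side overrides
wazuh_command.remote_commands=1
"""

# Hypothetical allowlist: the managers your organisation actually operates
# (CIDR networks or exact hostnames).
APPROVED_MANAGERS = ["10.20.0.0/16", "wazuh.corp.example"]


def manager_addresses(xml_text):
    """Return the manager addresses the agent reports to (client/server/address)."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.findall("client/server/address") if el.text]


def command_wodles(xml_text):
    """Return (tag, command) for every enabled <wodle name="command">."""
    root = ET.fromstring(xml_text)
    found = []
    for wodle in root.findall("wodle"):
        if wodle.get("name") != "command":
            continue
        disabled = (wodle.findtext("disabled") or "no").strip().lower()
        if disabled == "yes":
            continue
        tag = (wodle.findtext("tag") or "").strip()
        command = (wodle.findtext("command") or "").strip()
        found.append((tag, command))
    return found


def remote_commands_enabled(options_text):
    """True if local_internal_options.conf sets wazuh_command.remote_commands=1."""
    for line in options_text.splitlines():
        line = line.strip()
        if line.startswith("wazuh_command.remote_commands"):
            _, _, value = line.partition("=")
            return value.strip() == "1"
    return False


def manager_is_approved(address, approved):
    """Match an address against CIDR entries, or compare hostnames exactly."""
    for entry in approved:
        try:
            if ipaddress.ip_address(address) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            # Either side is not an IP literal: fall back to a hostname comparison.
            if address.lower() == entry.lower():
                return True
    return False


def triage(xml_text, options_text, approved=APPROVED_MANAGERS):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for addr in manager_addresses(xml_text):
        if not manager_is_approved(addr, approved):
            findings.append(f"agent reports to unapproved manager {addr}")
    for tag, command in command_wodles(xml_text):
        findings.append(f"enabled command wodle '{tag}' runs: {command}")
    if remote_commands_enabled(options_text):
        findings.append("remote commands from the manager are enabled")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OSSEC_CONF, SAMPLE_INTERNAL_OPTIONS):
        print(finding)
```

On a fleet, run this against each agent’s configuration files and treat any hit as a host to investigate: a Wazuh agent is expected on managed servers reporting to a known manager, not on a home PC talking to an unfamiliar address with a scheduled command attached.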

“The abuse of a legitimate security tool like Wazuh for malicious purposes is an alarming trend that cybersecurity professionals must be aware of,” said Alexander Kryazhev, malware analyst team lead at Kaspersky. “By leveraging the SIEM agent, the attackers maintained a persistent presence on infected devices, making it harder for traditional security solutions to detect and remove the threat.”

Kaspersky’s security solutions detect this malware under several names. For more detailed information about this campaign, visit Securelist.com.

To safeguard your devices against cryptominers and other malware, follow these best practices:

  • Regularly update your operating system and all software. Many security issues are fixed by installing updated versions of software.
  • Be cautious with downloads. Only download software and media from reputable sources. Malicious software can be bundled with legitimate software, especially if downloaded from dubious websites.
  • A reliable security solution like Kaspersky Premium will help detect miners, including ones that don’t noticeably overheat or drain your device. Even a miner designed to back off periodically will eventually wear out your phone – and a crude one could overheat it.
  • Help educate your team about safe online behavior, whether that’s family members at home or coworkers in the office.
  • Limit extensions and add-ons. Only use necessary browser extensions and add-ons, as these can be exploited or could themselves be malicious. Regularly review and remove any that are not needed.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
