{"id":23880,"date":"2025-03-05T16:34:45","date_gmt":"2025-03-05T12:34:45","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23880"},"modified":"2025-03-05T16:34:45","modified_gmt":"2025-03-05T12:34:45","slug":"miner-disguised-as-circumvention-tools","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/miner-disguised-as-circumvention-tools\/23880\/","title":{"rendered":"Miner inconvenience: how cybercriminals blackmail YouTubers into promoting malware"},"content":{"rendered":"<p>Over the past six months, Windows Packet Divert drivers for intercepting and modifying network traffic on Windows systems have become popular in Russia. From August to January 2024, we noted that detections of these drivers almost doubled. The main reason? These drivers are being used in tools designed to bypass restrictions for accessing foreign resources.<\/p>\n<p>This surge in popularity hasn\u2019t gone unnoticed by cybercriminals. They\u2019re actively distributing malware disguised as bypassing tools\u00a0\u2014 and they\u2019re doing it by blackmailing bloggers. So, every time you watch a video titled something like \u201cHow to bypass restrictions\u2026\u201d, be especially cautious\u00a0\u2014 even the most reputable content creators might unknowingly be spreading stealers, miners, and other malware.<\/p>\n<p>How cybercriminals exploit unsuspecting users\u00a0\u2014 and where bloggers fit into the picture\u00a0\u2014 is what we\u2019ll explore in this article.<\/p>\n<h2>Hackers disguised as honest developers<\/h2>\n<p>There are plenty of software solutions designed to bypass restricted access to foreign platforms, but they all have one thing in common\u00a0\u2014 they\u2019re created by small-time developers. Such programs spread organically: an enthusiast writes some code, shares it with friends, makes a video about it, and <em>voil\u00e0<\/em>\u00a0\u2014 yesterday\u2019s unknown programmer becomes a \u201cpeople\u2019s hero\u201d. 
His GitHub repository is starred tens of thousands of times, and people thank him for restoring access to their favorite online resources. We recently wrote about <a href=\"https:\/\/www.kaspersky.com\/blog\/malicious-code-in-github\/53085\/\" target=\"_blank\" rel=\"noopener nofollow\">one such case<\/a> where cybercriminals boosted GitHub repositories containing malware.<\/p>\n<p>There may be dozens or even hundreds of such enthusiasts \u2014 but who are they, and can they be trusted? These are key questions both current and potential users of these programs should be asking. A major red flag is when these developers recommend disabling antivirus protection. Disabling <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">protection<\/a>\u00a0to voluntarily give a potential hacker access to your device? That\u2019s a risky move.<\/p>\n<p>Of course, behind the mask of a people\u2019s hero might be a hacker looking for profit. An unprotected device is vulnerable to malware families like NJRat, XWorm, Phemedrone, and DCRat, which have been commonly spread alongside such bypassing software.<\/p>\n<h2>Where do bloggers fit in?<\/h2>\n<p>We\u2019ve identified an active miner distribution campaign that has claimed at least two thousand victims in Russia. One of the infection sources was a YouTube channel with 60,000 subscribers. The blogger uploaded several videos on bypassing restrictions, with a link to a malicious archive in the description. These videos accumulated over 400,000 views in total. Later, the channel owner deleted the link, leaving this note: <em>\u201cDownload the file here: (program does not work)\u201d.<\/em> Originally, the link led to the fraudulent site <em>gitrok[.]com<\/em>, where the infected archive was hosted. 
According to the site\u2019s counter, at the time of our study the bypassing tool had been downloaded at least 40,000 times.<\/p>\n<p>Don\u2019t rush to put all the blame on the bloggers\u00a0\u2014 in this case, they were simply following the orders of cybercriminals, unaware of what was really going on. Here\u2019s how it works. First, the criminals file a complaint against a video about such a restriction-bypassing tool, pretending to be the software\u2019s developers. Then they contact the video creator and persuade them to upload a new video, this time containing a link to their malicious website\u00a0\u2014 claiming that this is now the only official download page. Of course, the bloggers have no idea the site is distributing malware\u00a0\u2014 specifically, an archive containing a miner. And for those who\u2019ve already uploaded three or more videos on the topic, refusal is not an option. The hackers threaten to file multiple complaints, and if there are three or more, the channel would be deleted.<\/p>\n<p>In addition, the criminals spread their malware and installation guides through other Telegram and YouTube channels. Most of these have been deleted\u00a0\u2014 but there\u2019s nothing to stop them from creating new ones.<\/p>\n<h2>What about the miner?<\/h2>\n<p>The malware in question was a sample of SilentCryptoMiner, which we <a href=\"https:\/\/securelist.com\/miner-campaign-misuses-open-source-siem-agent\/114022\/\" target=\"_blank\" rel=\"noopener\">covered in October 2024<\/a>. It\u2019s a stealthy miner based on XMRig, another open-source mining tool. SilentCryptoMiner supports mining of multiple popular cryptocurrencies, including ETH, ETC, XMR, RTM, and others. The malware stops mining upon detecting certain processes, the list of which the criminals can provide remotely to evade detection. 
That makes it nearly impossible to detect without <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">reliable protection<\/a>.<\/p>\n<p>For more about the malicious archive and how it persists in the system, check <a href=\"https:\/\/securelist.com\/silentcryptominer-spreads-through-blackmail-on-youtube\/115788\" target=\"_blank\" rel=\"noopener\">our post on Securelist<\/a>.<\/p>\n<h2>How to protect yourself from miners<\/h2>\n<ul>\n<li><strong>Ensure that all personal devices have <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">trusted protection<\/a><\/strong>\u00a0to safeguard against miners and other malware.<\/li>\n<li><strong>Avoid downloading programs from obscure or little-known sources.<\/strong> Stick to official platforms, but remember\u00a0\u2014 malware can creep into them too.<\/li>\n<li><strong>Keep in mind that even the most reputable bloggers can unknowingly spread malware<\/strong>, including miners and stealers.<\/li>\n<\/ul>\n<blockquote><p>Here are some relevant articles you can read to learn more about miners and their dangers:<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/mario-forever-malware-too\/48547\/\" target=\"_blank\" rel=\"noopener nofollow\">Mario Forever, malware too: a free game with a miner and Trojans inside<\/a><\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/miner-xmrig-delivered-via-torrents\/53061\/\" target=\"_blank\" rel=\"noopener nofollow\">XMRig Miner as a New Year\u2019s gift<\/a><\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/malicious-cryptominers-2022\/46186\/\" target=\"_blank\" rel=\"noopener nofollow\">Prices down, miners up<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are blackmailing YouTube bloggers into posting malware links in their video descriptions.<\/p>\n","protected":false},"author":312,"featured_media":23881,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1505,1429,521,1663],"class_list":{"0":"post-23880","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-cryptocurrencies","9":"tag-miners","10":"tag-threats","11":"tag-youtube"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/miner-disguised-as-circumvention-tools\/23880\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/miner-disguised-as-circumvention-tools\/28639\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/miner-disguised-as-circumvention-tools\/28757\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/miner-disguised-as-circumvention-tools\/39155\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/miner-disguised-as-circumvention-tools\/53118\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/miner-disguised-as-circumvention-tools\/28892\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/miner-disguised-as-circumvention-tools\/34707\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/miner-disguised-as-circumvention-tools\/34336\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/miners\/","name":"miners"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"emb
eddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23880"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23880\/revisions"}],"predecessor-version":[{"id":23882,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23880\/revisions\/23882"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23881"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}