Ongoing Malware Campaign Distributing Miners via Illegal Streaming Sites
TL;DR: A recent incident revealed an ongoing campaign that distributes a cryptocurrency miner to visitors of illegal streaming and digital library sites. The lure is a fake video player update: a ZIP archive pairing a legitimate executable with a malicious DLL that the executable side-loads. The campaign shows how access to pirated content remains an infection vector for user devices.
The investigation, conducted by Kaspersky, stemmed from a client incident report about a miner discovered on user machines. The malware is distributed through deception: while interacting with an illegal streaming site, the user is told a video player update is required and is prompted to download a ZIP file. The archive contains a legitimate executable and a malicious DLL placed beside it; when the executable runs, it loads the attacker's DLL from its own directory instead of the intended library (DLL side-loading), so the malicious code executes under the name of a benign program. The malware then establishes persistence and deploys the miner.
The distribution infrastructure relies on high-traffic illicit platforms, which gives the campaign a wide reach: the sites involved draw millions of visits, so a large pool of users is exposed. The campaign continues a line of activity built around pirated content that has been observed since at least 2022. The delivery mechanism is unchanged; only the distribution domains rotate, while the ZIP archive keeps the same known structure.
For defenders, the implications are clear. Organizations should watch endpoints for signs of the miner, and in particular for downloads from illegal streaming sites and for archives matching the executable-plus-DLL layout described above. The risk is especially acute for enterprises whose staff devices reach such sites, since an infection means unauthorized use of corporate compute at minimum and a foothold for further compromise at worst.
Distributing malware through popular but illicit platforms puts every sector with users who frequent such sites at risk. The activity again underscores that pirated content is a persistent threat vector for unprotected environments.
Indicators of Compromise from this campaign (domains defanged with [.]):
- Malicious archive download domain: urush1bar4[.]online
- Malicious DLL hashes (MD5):
  - 6A0FE6065D76715FEEBC1526D456DB73
  - 7F624407AE489324E96A708A09C17E6F
  - 02A43B3423367B9DDDC24CC7DF0030DF
- C2 domains:
  - 5d14vnfb[.]space
  - r7mvjl67[.]space
  - zgj1tam9[.]space
  - jeaw520i[.]space
  - qdmagva5[.]space
- Configuration retrieval IP: 107.172.212.235
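The following script is an added example, not Kaspersky's code or tooling, showing how a defender might turn the indicators above and the archive layout described earlier into a hunt. It refangs the published domains and hashes, matches them against DNS log lines, MD5-checks file contents against the DLL hashes, and flags ZIP archives whose layout (an executable with a DLL beside it in the same directory) is the shape DLL side-loading requires. The DNS log format, the log lines and the sample ZIP are constructed here so the script runs offline; they are assumptions, not data from the campaign.

```python
"""Hunting helpers for the streaming-site miner campaign.

Added example, not Kaspersky's code. The indicator values are the ones
listed on the page; the DNS log lines and the ZIP archive below are
constructed so the script runs offline. The log format and the file
names inside the sample archive are assumptions.
"""
import hashlib
import io
import re
import zipfile

# Indicators as published (domains defanged with "[.]").
DISTRIBUTION_DOMAIN = "urush1bar4[.]online"
C2_DOMAINS = ["5d14vnfb[.]space", "r7mvjl67[.]space", "zgj1tam9[.]space",
              "jeaw520i[.]space", "qdmagva5[.]space"]
CONFIG_IP = "107.172.212.235"
DLL_MD5 = {h.lower() for h in (
    "6A0FE6065D76715FEEBC1526D456DB73",
    "7F624407AE489324E96A708A09C17E6F",
    "02A43B3423367B9DDDC24CC7DF0030DF",
)}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a real domain name."""
    return ioc.replace("[.]", ".")


DOMAINS = {refang(d) for d in C2_DOMAINS + [DISTRIBUTION_DOMAIN]}


def match_domain(name: str) -> bool:
    """True if name is an indicator domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


def scan_dns_log(lines):
    """Return (line number, indicator) pairs for lines that touch an IoC.

    Assumed log shape (hypothetical): "<timestamp> <client> query <fqdn>".
    Any line mentioning the configuration IP is flagged as well.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bquery\s+(\S+)", line)
        if m and match_domain(m.group(1)):
            hits.append((n, m.group(1).lower().rstrip(".")))
        elif CONFIG_IP in line:
            hits.append((n, CONFIG_IP))
    return hits


def is_known_dll(data: bytes) -> bool:
    """MD5 the file contents and compare against the published DLL hashes."""
    return hashlib.md5(data).hexdigest() in DLL_MD5


def sideload_candidates(zip_bytes: bytes):
    """Flag archives shaped like the lure: a .exe and a .dll in the same
    directory, which is the layout DLL side-loading needs.

    Returns a list of (directory, [exe names], [dll names]); an empty list
    means the archive holds no such pair.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [i.filename for i in zf.infolist() if not i.is_dir()]
    by_dir = {}
    for entry in entries:
        directory, _, base = entry.rpartition("/")
        by_dir.setdefault(directory, []).append(base.lower())
    found = []
    for directory, files in by_dir.items():
        exes = sorted(f for f in files if f.endswith(".exe"))
        dlls = sorted(f for f in files if f.endswith(".dll"))
        if exes and dlls:
            found.append((directory, exes, dlls))
    return found


# Constructed sample inputs (not real telemetry).
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 query www.example.com",
    "2024-01-01T10:00:02Z 10.0.0.5 query R7MVJL67.space.",
    "2024-01-01T10:00:03Z 10.0.0.5 query cdn.urush1bar4.online",
    "2024-01-01T10:00:09Z 10.0.0.5 connect 107.172.212.235:80",
]


def build_sample_zip() -> bytes:
    """A constructed ZIP laid out like the lure: an EXE with a DLL beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("player_update/player.exe", b"MZ placeholder")
        zf.writestr("player_update/player.dll", b"MZ placeholder")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(sideload_candidates(build_sample_zip()))
    print(is_known_dll(b"MZ placeholder"))
```

The domain match deliberately includes subdomains, because a campaign that rotates distribution domains will also vary hostnames under them; the archive check is a layout heuristic, not proof of malice, so treat a hit as a trigger for hashing the DLL and examining the executable's import table rather than as a verdict on its own.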
The steady evolution of these delivery mechanisms, with fixed archive structure but rotating domains, calls for ongoing vigilance against threats tied to digital piracy, especially in organizations whose users can reach untrusted content sources.