![\"Comparison](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/04\/12163649\/Crimeware-report-rhadamantys-hidden-bee.png\")
<\/a><\/p>\nComparison between Rhandamanthys’s “prepare.bin” and Hidden Bee’s “preload” modules<\/em><\/strong><\/p>\nCUEMiner: distribution through BitTorrent and OneDrive<\/h2>\n
In August 2021, a project was started on GitHub called SilentCryptoMiner, hosting the miner consisting of a downloader and the payload, bot source and the compiled builder, as well as additional software, such as a system watcher. It has been constantly updated, with the latest update going back to October 31 2022. The repository is popular with cybercriminals, as illustrated by the huge number of samples we detected that featured many small changes and were combined with the different URLs and TTPs, making it clear that the malware is used by multiple groups in various ways concurrently.<\/p>\n
During our investigation, we noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded via BitTorrent. The other method is via trojanized cracked software that is downloaded from OneDrive sharing networks. How victims are lured into downloading these cracked packages is speculation, because we couldn’t find any direct links. Nevertheless, many crack sites these days do not immediately provide downloads. Instead, they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.<\/p>\n
The downloader is written in .NET and called CUEMiner. Despite being written in .NET, it is wrapped by a C++ based dropper and it connects to a set of URLs, which is varying from sample to sample, to download the miner and configuration settings. It also performs several checks in order to ensure it is running on bare metal systems, and not on a virtual machine. In case all checks are passed, the malware:<\/p>\n
\n- Reconfigures Windows Defender to exclude the user profile path and the entire system drive from scanning.<\/li>\n
- Fetches configuration details from a hardcoded URL and saves it at different places (for example, c:\\logs.uce, %localappdata%\\logs.uce).<\/li>\n
- Creates empty files and subdirectories in %ProgramData%\\HostData to make the directory look benign.<\/li>\n
- Downloads the miner and watcher.<\/li>\n
- Does a number of other things. The full list you can find in our private report.<\/li>\n<\/ul>\n
The watcher, as the name suggests, monitors the system. If it doesn’t detect any processes that consume lots of system power (for example, games), the miner software is launched. When a heavy process, such as a game, is started, the miner is stopped and only started again when the aforementioned process stops. This is done in order to stay undetected on the system longer.<\/p>\n
Conclusion<\/h2>\n
Open source malware is often used by less skilled cybercriminals. They often lack the required skills and contacts to conduct massive campaigns. Nevertheless, they can be still quite active and effective, as is shown by the huge number of CUEMiner samples we detected. If along their cybercriminal career they gain more skills, such as programming and understanding security better, they often reuse and improve crucial source code parts from open source malware.<\/p>\n
Code reuse and rebranding is also used quite often by cybercriminals. There are many ransomware variants that change names over time while mostly containing the same code base. In other cases, cybercriminals re-use parts of the code in new campaigns. For example, Rhadamantys stealer features some code overlaps with the Hidden Bee malware. This suggests involvement of at least one individual in the Rhadamantys campaign who had also been involved in the development of Hidden Bee.<\/p>\n
To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals or have questions about our private reports, please contact crimewareintel@kaspersky.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"Kaspersky researchers discuss infection methods used by Mirai-based RapperBot, Rhadamantys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive.<\/p>\n","protected":false},"author":312,"featured_media":98449,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[919],"tags":[6,4091,472,71,458,123,30,933,1019],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/crimeware-report-uncommon-infection-methods-2\/109522\/"},{"hreflang":"es","url":"https:\/\/securelist.lat\/crimeware-report-uncommon-infection-methods-2\/97877\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/109522"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=109522"}],"version-history":[{"count":8,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/109522\/revisions"}],"predecessor-version":[{"id":109532,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/109522\/revisions\/109532"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/98449"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=109522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=109522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=109522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}