How do botnets operate?

I was reading an article about cryptominer botnets, and it said they use the famous silent XMR miner.
But this miner is very well known to antivirus; pretty much all of them catch it, even Windows Defender.
So my question is: how do they infect PCs if this miner is easily blocked by antivirus?

I have two theories: they create a folder and an exclusion on Windows so the antivirus won't look for the miner hiding inside,
or they use some sort of crypter to execute it in memory.

But both methods are also kinda easy for a modern antivirus to catch.
Do you guys know of any other methods?

I’ve never analyzed nor used silent miner malware, but I assume the concept is similar to malware evasion methods in general. Depending on the sophistication of the threat actor and the target, there are different ways to evade antivirus.

Both your theories are correct, with some caveats.

Modifying settings that involve detection rules requires administrative privileges for any decent antivirus product. Depending on the target, elevating privileges may be trivial, or it may require sophisticated privilege escalation exploits. For home user targets, it’s mostly trivial, to my knowledge.

Memory execution is a more popular stealth technique, but that depends on your goal, privilege escalation options, and stealth requirements. If an antivirus has a decent memory scanning feature, it can be detected if there is no counter-evasion technique. Obfuscation is pretty much a hard requirement when using well-known malware. There’s no getting around it, since there has to be an initial execution of some software from disk for most unsophisticated attackers.

From what I understand and assume about threat actors who use miners and their targets, it would probably be trivial to elevate privileges to tamper with the antivirus. The victims themselves probably do not understand the technologies well enough to prepare for these attacks, nor notice that they have been infected.

5 Likes
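The first theory in the question (an attacker-planted Defender exclusion, which the answer notes needs administrative privileges) is something a defender can check for directly. The script below is an added example, not code from the thread or from Microsoft: it enumerates the exclusions Microsoft Defender currently honours, flags the ones that look like what a dropper would add (drive roots, user-writable folders, process and executable-extension exclusions), and pulls recent Defender configuration-change events (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) whose message names an exclusion. The list of "suspicious" folders is an assumption made for the example, not an official list; the cmdlets used (Get-MpPreference, Add-/Remove-MpPreference, Get-WinEvent) are the built-in ones on Windows 10/11.

```powershell
# Added example: audit Microsoft Defender for attacker-planted exclusions.
# Not from the original thread. Assumes Windows 10/11 with the built-in
# Defender PowerShell module, run from an elevated session.
#Requires -RunAsAdministrator

# Locations a dropped miner typically lives in on a home machine.
# ASSUMPTION for this example; adjust to your environment.
$SuspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    $env:ProgramData, $env:PUBLIC, 'C:\Users'
)

function Get-SuspiciousExclusion {
    # Returns every configured exclusion with a Suspicious verdict.
    # The attacker-side change this looks for is simply
    #   Add-MpPreference -ExclusionPath 'C:\Users\Public\miner'
    # which requires admin rights and logs a 5007 event when it succeeds.
    $pref  = Get-MpPreference
    $items = @()

    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        # A bare drive root or a user-writable folder lets anything written
        # there bypass real-time scanning.
        $isRoot    = $p -match '^[A-Za-z]:\\?$'
        $isWritble = @($SuspiciousRoots | Where-Object { $p -like "$_*" }).Count -gt 0
        $items += [pscustomobject]@{ Type = 'Path'; Value = $p; Suspicious = ($isRoot -or $isWritble) }
    }
    foreach ($p in @($pref.ExclusionProcess | Where-Object { $_ })) {
        # A process exclusion whitelists every file that process touches.
        $items += [pscustomobject]@{ Type = 'Process'; Value = $p; Suspicious = $true }
    }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
        # Excluding executable content types neuters scanning outright.
        $flag = $e -match '^\.?(exe|dll|ps1|bat|cmd|scr|vbs|js)$'
        $items += [pscustomobject]@{ Type = 'Extension'; Value = $e; Suspicious = [bool]$flag }
    }
    return $items
}

function Get-RecentExclusionChange {
    param([int]$Days = 30)
    # Defender writes Event ID 5007 ("antimalware platform configuration
    # changed") for every preference change; exclusion additions name the
    # registry value under ...\Windows Defender\Exclusions\ in the message.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        Select-Object TimeCreated, Message
}

# --- usage ---
$findings = Get-SuspiciousExclusion
$findings | Format-Table -AutoSize

$bad = @($findings | Where-Object Suspicious)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) suspicious exclusion(s) configured; review before removing."
    # Remediation is deliberately manual, e.g.:
    #   Remove-MpPreference -ExclusionPath 'C:\Users\Public\miner'
}

Write-Host "Exclusion-related configuration changes in the last 30 days:"
Get-RecentExclusionChange -Days 30 | Format-List
```

Two caveats for anyone using this: a miner that gained admin rights could just as easily have cleared the Defender log, so an empty 5007 list is not proof of absence, and the check says nothing about the second theory in the question (in-memory execution), which needs memory scanning or behavioural telemetry rather than a configuration audit.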

This topic was automatically closed after 121 days. New replies are no longer allowed.