In a recent global campaign, attackers used the agent of the open-source SIEM Wazuh to mine cryptocurrency on victims' devices without consent, distributing the malware through popular software-download websites, Telegram channels, and YouTube videos. The attackers employed tactics such as abusing digital signatures, hiding malicious payloads, and establishing persistence through various methods, mainly targeting Russian-speaking users. Through a multistage infection chain, the attackers could gain full access to users' systems, with some malware variants performing additional malicious activities as well.

The use of a SIEM agent as a backdoor, together with evasion techniques such as attaching malicious payloads to legitimately signed files, highlights the sophistication of the attack and the importance of vigilance against such threats.