Threat spreads on the social network through private messages

Jun 18, 2014 19:23 GMT  ·  By

A new Trojan has been found roaming Facebook and infecting the computers of unsuspecting users; it does not steal any sensitive information, but instead puts the system to work by mining for Bitcoins.

The miner spreads through private messages on the social network, sent from a victim's account to the friends on their list. Each message consists of the text “hahaha” and an attached archive named “IMAG00953.zip”; the camera-style file name makes the recipient believe the archive holds a photo.

According to Bitdefender, which made the discovery, the archive holds a JAR file that runs as soon as the recipient opens it (on a machine with Java installed, Windows hands .jar files to the Java runtime) and connects to a specific Dropbox account in order to download several DLL files.
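The lure is an archive with a photo-like name whose only member is a Java archive. The inspector below, added here as an example and not code from Bitdefender or from the article, applies the checks a mail or message gateway would run on such an attachment: executable member types, JAR content detected by its manifest rather than by its extension, image extensions whose bytes lack an image header, and a camera-style archive name with no image inside. The sample archives (a stand-in JAR with a manifest and a class-file stub, the same JAR renamed as a .jpg, and a harmless JPEG stub) and the camera-name pattern are constructed for the example.

```python
from __future__ import annotations

import io
import os
import re
import zipfile

# File types Windows runs when double-clicked; none belong in an archive that
# claims to be a photo.
EXECUTABLE_EXTENSIONS = {".jar", ".exe", ".scr", ".com", ".pif", ".bat",
                         ".cmd", ".vbs", ".js", ".wsf"}
# Leading bytes a genuine image of each type starts with.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG", ".gif": b"GIF8", ".bmp": b"BM"}
ZIP_MAGIC = b"PK\x03\x04"
# Camera-style names such as IMAG00953 or IMG_1234 (assumed heuristic).
CAMERA_NAME = re.compile(r"^(IMAG|IMG|DSC|DCIM)[_-]?\d+", re.IGNORECASE)


def looks_like_jar(data: bytes) -> bool:
    """A JAR is a zip archive carrying META-INF/MANIFEST.MF; test the content, not the name."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(n.upper() == "META-INF/MANIFEST.MF" for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(archive_name: str, archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings for a zip attachment; an empty list means nothing suspicious."""
    findings: list[tuple[str, str]] = []
    if not archive_bytes.startswith(ZIP_MAGIC):
        return [(archive_name, "not a zip archive")]
    has_image = False
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            member = info.filename
            ext = os.path.splitext(member)[1].lower()
            data = outer.read(info)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((member, f"executable file type {ext} inside the archive"))
            if looks_like_jar(data):
                findings.append((member, "content is a Java archive (META-INF/MANIFEST.MF present)"))
            if ext in IMAGE_MAGIC:
                if data.startswith(IMAGE_MAGIC[ext]):
                    has_image = True
                else:
                    findings.append((member, f"named as a {ext} image but lacks the image header"))
    if CAMERA_NAME.match(os.path.basename(archive_name)) and not has_image:
        findings.append((archive_name, "camera-style name but the archive contains no image"))
    return findings


def _fake_jar() -> bytes:
    """Constructed stand-in for the dropper JAR: a manifest plus a class-file stub, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def _wrap(member_name: str, member_bytes: bytes) -> bytes:
    """Constructed outer archive, the file that rides along with the message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr(member_name, member_bytes)
    return buf.getvalue()


SAMPLE_LURE = _wrap("IMAG00953.jar", _fake_jar())                           # the lure as described
SAMPLE_DISGUISED = _wrap("IMAG00953.jpg", _fake_jar())                      # same JAR, renamed as an image
SAMPLE_BENIGN = _wrap("IMAG00953.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG header, harmless

if __name__ == "__main__":
    for label, sample in [("lure", SAMPLE_LURE), ("disguised", SAMPLE_DISGUISED), ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_attachment("IMAG00953.zip", sample) or "clean")
```

The content check matters more than the extension check: the same dropper renamed to IMAG00953.jpg still trips the manifest test and the missing-JPEG-header test, while a real photo in a camera-named archive produces no findings.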

These DLLs contact a remote command-and-control server, which sends the payload: shellcode that is injected into the Windows Explorer process (explorer.exe) and executed there. The shellcode carries a message that reads:

“Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the [expletive] zeus bot/skynet bot or whatever piece of [expletive].. no fraud here.. only a bit of mining. Stop breaking my [expletive]..”

Bitdefender notes that a further DLL is then downloaded onto the victim's system; this one embeds the mining tool itself.

This completes the infection. From then on, the machine's processor time is spent computing hashes for the attacker's mining operation.

Sluggish performance is one of the most common signs that a digital-currency miner has hijacked a computer's resources. The activity can be spotted by looking at the list of running processes and checking which entry consumes the most CPU. In this case the culprit is a process that normally sits idle, Windows Explorer, because the shellcode runs inside it rather than as a separate executable.
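A single glance at Task Manager shows only an instantaneous reading, and a miner hiding inside explorer.exe looks like a legitimate process. The script below, added here as an example and not part of the article or of Bitdefender's analysis, instead compares two snapshots of cumulative CPU time, which on Windows can be captured with `tasklist /v /fo csv`, converts the difference to a percentage of the machine's total CPU capacity over the interval, and flags processes above a threshold, marking those that are expected to be idle. The two snapshots (60 seconds apart on an assumed 4-core machine) and the list of normally idle processes are constructed for the example.

```python
from __future__ import annotations

import csv
import io

# Processes expected to sit near idle on a desktop; heavy CPU from one of these
# points at injected code rather than legitimate work (assumed heuristic).
NORMALLY_IDLE = {"explorer.exe", "winlogon.exe"}

# Constructed samples in the shape of `tasklist /v /fo csv` output, taken 60 s
# apart on a 4-core machine. Only "Image Name", "PID" and "CPU Time" are used.
TASKLIST_BEFORE = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1234","Console","1","45,120 K","Running","PC\\user","0:00:12","N/A"
"chrome.exe","2210","Console","1","310,004 K","Running","PC\\user","0:05:30","Facebook - Google Chrome"
"svchost.exe","880","Services","0","12,004 K","Unknown","NT AUTHORITY\\SYSTEM","0:01:00","N/A"
"""
TASKLIST_AFTER = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1234","Console","1","61,300 K","Running","PC\\user","0:03:48","N/A"
"chrome.exe","2210","Console","1","312,010 K","Running","PC\\user","0:05:40","Facebook - Google Chrome"
"svchost.exe","880","Services","0","12,004 K","Unknown","NT AUTHORITY\\SYSTEM","0:01:01","N/A"
"notepad.exe","4444","Console","1","8,100 K","Running","PC\\user","0:00:00","Untitled - Notepad"
"""


def parse_cpu_time(value: str) -> float:
    """Convert tasklist's H:MM:SS cumulative CPU time to seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + float(seconds)


def parse_tasklist_csv(text: str) -> dict[tuple[int, str], float]:
    """Map (PID, image name) to cumulative CPU seconds.

    Keying on both fields guards against a PID being reused by a different
    program between the two snapshots.
    """
    reader = csv.DictReader(io.StringIO(text))
    return {(int(row["PID"]), row["Image Name"].lower()): parse_cpu_time(row["CPU Time"])
            for row in reader}


def cpu_hogs(before_csv: str, after_csv: str, interval_s: float, cores: int,
             threshold_pct: float = 25.0) -> list[dict]:
    """Rank processes by share of total CPU capacity used across the interval."""
    before = parse_tasklist_csv(before_csv)
    after = parse_tasklist_csv(after_csv)
    hogs = []
    for key, cpu_after in after.items():
        cpu_before = before.get(key)
        if cpu_before is None:
            continue  # started after the first snapshot: no baseline, so no rate
        pct = 100.0 * (cpu_after - cpu_before) / (interval_s * cores)
        if pct >= threshold_pct:
            pid, name = key
            hogs.append({"pid": pid, "name": name, "cpu_pct": round(pct, 1),
                         "normally_idle": name in NORMALLY_IDLE})
    hogs.sort(key=lambda h: h["cpu_pct"], reverse=True)
    return hogs


if __name__ == "__main__":
    for hog in cpu_hogs(TASKLIST_BEFORE, TASKLIST_AFTER, interval_s=60, cores=4):
        flag = " (normally idle: suspect injected code)" if hog["normally_idle"] else ""
        print(f"{hog['name']} pid {hog['pid']}: {hog['cpu_pct']}% of total CPU{flag}")
```

In the sample, explorer.exe burned 216 of the 240 available core-seconds (90 percent of the machine) while the browser stayed in single digits; a process with that name at that load is the signal to capture memory from, since the miner here lives inside it rather than on disk under its own name.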

Although Bitcoin mining on a single machine yields next to nothing over the long term, harnessing a network of infected systems to do the job has proved lucrative for cyber-crooks.

A recent case showed a German hacker making more than $600,000 (443,016 EUR) in cryptocurrency by exploiting a vulnerability in the DiskStation Manager (DSM) operating system that powers Synology network-attached storage boxes.

In that case the digital currency was Dogecoin. Based on the attacker's public key (wallet address) recovered during analysis of the mining tool and the corresponding transactions on the block chain, security researchers found that most of the money had been “earned” in just two months, January and February 2014.

For this Bitcoin miner, the researchers have not published any information about the location of the command-and-control server or the identity of the attacker. The scheme was detected last week, and infected systems have been recorded in Portugal, Belgium, India, Romania and Serbia.