A new Bitcoin mining trojan is spreading like wildfire through Facebook private messages. The Trojan, which arrives as a zip file that appears to contain a .JPG image, has infected hundreds of Facebook users in Portugal, Belgium, India, Romania, Serbia and other countries. The Trojan was discovered by a security expert at security vendor Bitdefender. It uses social engineering over social media to target specific users, spread itself and mine valuable bitcoins for its authors/owners.
Security expert Alexandra Gheorghe stated in a blog post that, “The virus spreads through private Facebook messages, received from one of the victim’s trusted Facebook friends,” “It reads ‘hahaha’ and contains an archive called 1IMAG00953.zip with what seems to be a legitimate .jpg image file.”
The cyber criminals behind this trojan use a Java JAR file disguised as a legitimate .jpg image. When the potential victim opens the zip file, thinking it contains a .jpg image sent by a friend, the Java JAR file is executed and downloads DLL files from a pre-defined Dropbox account. Once downloaded, the files contact the Command and Control server, which sends back shellcode that is injected into Windows Explorer and executed. The shellcode is a base64-encoded payload, and the message it contains reads:
“Hello people.. 🙂 <!– Designed by the SkyNet Team –> but am not the f*****g zeus bot/skynet bot or whatever piece of s**t.. no fraud here.. only a bit of mining. Stop breaking my b***z..”
Security experts believe the above text is a personal brag by the author of the malware, because it serves no function in the malware's operation. The shellcode then triggers the download of a secondary DLL from a hardcoded location that embeds a Bitcoin miner, which starts mining immediately to make the cyber criminals/authors behind this trojan rich. The exact number of Facebook users this trojan has infected, or how many machines are running it, is not yet known. Bitcoin mining is resource-intensive, and ordinary PCs and laptops yield too little computing power to earn meaningful bitcoins for the cyber criminals. But the trojan could be put to many other illegal uses. In support of this, Bitdefender researchers also discovered that the delivered payload can be changed every couple of hours, adapting the behavior of the trojan to the cyber criminals' needs.
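The lure described above turns on a file whose name promises an image while its content is a runnable JAR. As an added illustration, not Bitdefender's tooling and not code from the article, the following Python builds a constructed archive (the entry names, manifest and file bytes are invented here, loosely modelled on the 1IMAG00953.zip name from the article, not taken from the real sample) and then inspects every entry by its magic bytes and its chain of extensions. This is the kind of content-versus-name check a mail or chat gateway would apply before handing an archive to a user.

```python
import io
import os
import zipfile

# Magic bytes used to classify content regardless of what the file name claims.
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"

IMAGE_EXTS = {".jpg", ".jpeg"}
EXEC_EXTS = {".jar", ".exe", ".scr", ".dll", ".js", ".vbs"}


def sniff_kind(data: bytes) -> str:
    """Return 'jpeg', 'jar', 'zip', 'pe' or 'unknown' from content alone."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        # A JAR is a zip archive carrying META-INF/MANIFEST.MF; with a JRE
        # installed, double-clicking it runs the Main-Class, not an image viewer.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if "META-INF/MANIFEST.MF" in inner.namelist():
                    return "jar"
        except zipfile.BadZipFile:
            pass
        return "zip"
    return "unknown"


def inspect_archive(archive_bytes: bytes) -> list[dict]:
    """Flag entries whose name suggests an image but whose extension chain or content is executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = os.path.basename(name).lower().split(".")
            final_ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_exts = {"." + p for p in parts[1:-1]}  # e.g. ".jpg" in "x.jpg.jar"
            kind = sniff_kind(zf.read(name))
            reasons = []
            if final_ext in EXEC_EXTS:
                reasons.append(f"executable extension {final_ext}")
            if inner_exts & IMAGE_EXTS and final_ext not in IMAGE_EXTS:
                reasons.append("image extension hidden before a non-image extension")
            if final_ext in IMAGE_EXTS and kind in ("jar", "zip", "pe"):
                reasons.append(f"claims image but content is {kind}")
            if kind in ("jar", "pe"):
                reasons.append(f"content is {kind}")
            if reasons:
                findings.append({"name": name, "kind": kind, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Construct a harmless test archive (not the real malware): one JPEG, one JAR."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        # Constructed manifest and a placeholder class file (class magic 0xCAFEBABE only).
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        jar.writestr("Dropper.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    fake_jpeg = JPEG_MAGIC + b"\xe0" + b"\x00" * 32  # JPEG SOI marker followed by padding

    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("holiday.jpg", fake_jpeg)              # benign: name and content agree
        zf.writestr("1IMAG00953.jpg.jar", jar_buf.getvalue())  # lure: image name, JAR content
    return out.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], finding["kind"], "; ".join(finding["reasons"]))
```

The check deliberately ignores the trust the sender carries: the article's point is that the message comes from a friend's account, so the only signal left is the attachment itself, and an entry that carries an image extension anywhere in its name but executable content is treated as hostile regardless of who sent it.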
“Bitcoin mining is a small fraction of the entire affair. Cyber-criminals can modify the shellcode once every couple of hours. They can push other types of malware without the victim’s knowledge or intervention, depending on what they have in mind with their PCs.”
The only protection against this unique trojan is to avoid any suspicious messages containing zip files, even if they come from a trusted source. Bitdefender has also warned that the cyber criminals may use SMS and email to launch this trojan outside of Facebook.