Massive Campaign Trojan / Bitcoinminer

malware

In these 2 days, thanks to our systems, we have been able to identify different massive campaigns with .zip attachments, including executable files (.exe) of Trojan / Bitcoinmer malware family.

E-mails have this subject “Fattura TIM linea Fissa – Maggio 2017 – scadenza 06/05/2017” and have a .zip attachment with the following MD5 hash: 9eb45190079e29de371b4993f76920f1

Once executed, the .exe file creates following files in the temporary user folder:

C:\Users\[username]\AppData\Local\Temp\x86\cpuminer-x86.exe

C:\Users\[username]\AppData\Local\Temp\cpuminer-gw64.exe

C:\Users\[username]\AppData\Local\Temp\x86\msvcr120.dll

C:\Users\[username]\AppData\Local\Temp\x86\cpuminer-conf.json

C:\Users\[username]\AppData\Local\Temp\explorer.exe

C:\Users\[username]\AppData\Local\Temp\cpuminer-conf.json

C:\Users\[username]\AppData\Local\Temp\winlogon.exe

C:\Users\[username]\AppData\Local\Temp\api\websocket.htm

C:\Users\[username]\AppData\Local\Temp\msvcr120.dll

C:\Users\[username]\AppData\Local\Temp\run.vbs

C:\Users\[username]\AppData\Local\Temp\api\index.php

C:\Users\[username]\AppData\Local\Temp\LICENSE.txt

C:\Users\[username]\AppData\Local\Temp\api\local-sample.php

C:\Users\[username]\AppData\Local\Temp\cpuminer-x64.exe

Trojan executes files cpuminer-x86.exe or cpuminer-x64.exe depending on the architecture of infected PC (32/64 bit) in order to use user CPU to “generate” bitcoins using web service https://monero.crypto-pool.fr.

Following you can find an extract of configuration file cpuminer-conf.json

                “url” : “stratum+tcp://xmr.crypto-pool.fr:80”,

                “user” : “4ABmhw9KMKQFjKNMCis9Y1aqHVFo9spTUHdCwX7RQccdadn37d1hsid2mQqKVVod1EZLyyQipT7FPb6EXhHAhUxSAdYLDvW”,

                “pass” : “x”,

Actually the campign is still active and the suggestion is to block, on Your security solutions, files with the following MD5: 9eb45190079e29de371b4993f76920f1 

Share on facebook
Share on twitter
Share on linkedin