Massive Campaign Trojan / Bitcoinminer

malware

Over the last two days, thanks to our systems, we have identified several massive campaigns with .zip attachments containing executable (.exe) files from the Trojan / Bitcoinminer malware family.

The e-mails carry the subject “Fattura TIM linea Fissa – Maggio 2017 – scadenza 06/05/2017” and a .zip attachment with the following MD5 hash: 9eb45190079e29de371b4993f76920f1

Once executed, the .exe file creates the following files in the user's temporary folder:

C:\Users\[username]\AppData\Local\Temp\x86\cpuminer-x86.exe

C:\Users\[username]\AppData\Local\Temp\cpuminer-gw64.exe

C:\Users\[username]\AppData\Local\Temp\x86\msvcr120.dll

C:\Users\[username]\AppData\Local\Temp\x86\cpuminer-conf.json

C:\Users\[username]\AppData\Local\Temp\explorer.exe

C:\Users\[username]\AppData\Local\Temp\cpuminer-conf.json

C:\Users\[username]\AppData\Local\Temp\winlogon.exe

C:\Users\[username]\AppData\Local\Temp\api\websocket.htm

C:\Users\[username]\AppData\Local\Temp\msvcr120.dll

C:\Users\[username]\AppData\Local\Temp\run.vbs

C:\Users\[username]\AppData\Local\Temp\api\index.php

C:\Users\[username]\AppData\Local\Temp\LICENSE.txt

C:\Users\[username]\AppData\Local\Temp\api\local-sample.php

C:\Users\[username]\AppData\Local\Temp\cpuminer-x64.exe

The trojan runs cpuminer-x86.exe or cpuminer-x64.exe, depending on whether the infected PC is 32- or 64-bit, in order to use the victim's CPU to “generate” bitcoins through the web service https://monero.crypto-pool.fr.

Below is an extract of the configuration file cpuminer-conf.json:

    "url" : "stratum+tcp://xmr.crypto-pool.fr:80",
    "user" : "4ABmhw9KMKQFjKNMCis9Y1aqHVFo9spTUHdCwX7RQccdadn37d1hsid2mQqKVVod1EZLyyQipT7FPb6EXhHAhUxSAdYLDvW",
    "pass" : "x",

The campaign is currently still active; we recommend blocking, on your security solutions, files with the following MD5: 9eb45190079e29de371b4993f76920f1
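As an added example (not part of the original advisory), a small Python triage helper: it checks an attachment's bytes against the blocklisted MD5, parses a cpuminer-conf.json body or a bare fragment like the extract above, flags the stratum pool URL, and picks the dropped file names out of a listing of %TEMP%. The file names, pool host and hash come from this advisory; the wallet address in the sample config is a placeholder.

```python
import hashlib
import json
import re
from pathlib import PureWindowsPath

# MD5 of the malicious .zip attachment, as given in the advisory.
BLOCKLISTED_MD5 = {"9eb45190079e29de371b4993f76920f1"}
# Pool host from the advisory's cpuminer-conf.json extract.
KNOWN_POOL_HOSTS = {"xmr.crypto-pool.fr"}
# Names the trojan drops under %TEMP% (from the advisory). explorer.exe and
# winlogon.exe are suspicious precisely because they sit in Temp, not System32.
DROPPED_NAMES = {"cpuminer-x86.exe", "cpuminer-x64.exe", "cpuminer-gw64.exe",
                 "cpuminer-conf.json", "run.vbs", "explorer.exe", "winlogon.exe"}
STRATUM_RE = re.compile(r"^stratum\+tcp://([^:/]+)(?::(\d+))?", re.IGNORECASE)

def parse_miner_config(text):
    """Parse a cpuminer-conf.json body, or a bare '"key" : "value",' fragment
    like the advisory's extract (curly quotes are normalised first)."""
    body = text.strip().replace("\u201c", '"').replace("\u201d", '"')
    if not body.startswith("{"):
        body = "{" + body.rstrip(",") + "}"
    return json.loads(body)

def classify_config(cfg):
    """Return the reasons a parsed miner config looks like this campaign."""
    reasons = []
    m = STRATUM_RE.match(str(cfg.get("url", "")))
    if m:
        reasons.append("stratum mining URL")
        if m.group(1).lower() in KNOWN_POOL_HOSTS:
            reasons.append("known pool host " + m.group(1).lower())
        if m.group(2) == "80":
            reasons.append("stratum over port 80 (blends in with web traffic)")
    return reasons

def find_dropped_artifacts(paths):
    """From candidate paths (e.g. an os.walk of %TEMP%), keep dropped-file names."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DROPPED_NAMES]

def md5_is_blocklisted(data):
    """True if an attachment's bytes hash to the advisory's blocklisted MD5."""
    return hashlib.md5(data).hexdigest() in BLOCKLISTED_MD5

# Constructed sample: the advisory's extract with a placeholder wallet address.
SAMPLE_CONFIG = '''
    "url" : "stratum+tcp://xmr.crypto-pool.fr:80",
    "user" : "<WALLET-ADDRESS-PLACEHOLDER>",
    "pass" : "x",
'''
```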