Security Research

Bitcoin Mining Operation Seen Across Numerous Malware Families

CHRIS MANNON
December 13, 2013 - 3 min read
The talent over at Malwarebytes broke a story this week about fake Flash Player phishing attempts that drop malicious content onto victim machines for the purpose of mining Bitcoins. The threat tricks users into thinking that they are downloading a new version of Flash Player. In actuality, it drops a few malicious executables (stored in "[username]/AppData/Roaming/Data"), called Control.exe and svchost.exe. Once the threat is up and running, it communicates over a specific port for the purpose of mining Bitcoins.

I did some digging of my own to see if there are other instances of phishing attacks made by this threat. I found a variant as described in the Malwarebytes blog based on the dropped files and the string ".pw/blam/flashplayerv". The end result was an additional 21 files which display network traffic patterns similar to those mentioned in the companion blog. The network pattern I am matching on is any executable which makes a connection to 178[.]33[.]111[.]19 on port 9000. I gathered packet captures for many of these threats phoning home in this way. The results were overwhelmingly identical, as seen below:

[Image: list of the sample MD5s with their download locations, VT results and packet captures of the connections to 178[.]33[.]111[.]19 on port 9000]

The conclusion we can reach is that Bitcoin mining has reached a point where it is profitable enough to be on the radar of scammers. Administrators should take note of the traffic patterns mentioned here and monitor for similar connections. It should also be stated that the above list contains some still-active download locations for this threat, and that the VT results can be confusing: all of the MD5s mentioned above are detected across the board as different threats, ranging from InfoStealers to backdoor trojan droppers. This shows that regardless of the initial focus of the malicious executable, Bitcoin mining is still profitable enough for scammers to bundle into their ill-gotten gains.
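As an added example (not code from the original post or from Zscaler), here is a small detector that applies the indicator above to connection logs. The key=value log layout and the log lines themselves are constructed assumptions; the only indicator is the one stated in the post, and the defanged form used in the write-up is normalised before matching.

```python
import re
from collections import defaultdict


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports (178[.]33[.]111[.]19) into a real address."""
    return indicator.replace("[.]", ".")


# The single (destination, port) pair named in the post.
MINING_INDICATORS = {(refang("178[.]33[.]111[.]19"), 9000)}

# Constructed firewall-style log lines (not real captures) in an assumed key=value layout.
SAMPLE_LOGS = """\
ts=2013-12-10T09:12:01Z src=10.1.4.22 dst=93.184.216.34 dport=443 proto=tcp action=allow
ts=2013-12-10T09:12:07Z src=10.1.4.22 dst=178.33.111.19 dport=9000 proto=tcp action=allow
ts=2013-12-10T09:13:40Z src=10.1.4.57 dst=178.33.111.19 dport=80 proto=tcp action=allow
ts=2013-12-10T09:14:02Z src=10.1.4.22 dst=178.33.111.19 dport=9000 proto=tcp action=allow
malformed line with no fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Parse one key=value line into a dict, or return None when src/dst/dport are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    fields["dport"] = int(fields["dport"])
    return fields


def find_mining_beacons(log_text: str, ip_only: bool = False) -> dict:
    """Return {source host: connection count} for lines matching a mining indicator.

    By default the exact (dst, dport) pair must match, so the dport=80 line to the same
    address is ignored; ip_only=True widens the match to the address alone (more noise)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = any(
            rec["dst"] == ip and (ip_only or rec["dport"] == port)
            for ip, port in MINING_INDICATORS
        )
        if matched:
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in find_mining_beacons(SAMPLE_LOGS).items():
        print(f"{host}: {count} connection(s) to a known mining endpoint")
```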