Facebook trojan mines for Bitcoin
Posted by: Jon Ben-Mayor on 06/19/2014 09:40 AM
[
Comments
]
A new trojan is making the rounds on Facebook; this particular malicious bit of code slinks in via a private message from a friend, but there is certainly nothing friendly about the intent of the message.
The message simply reads "hahaha" and contains a seemingly legitimate .jpg image file within an archive called IMAG00953.zip. It is actually a malicious Java jar file, which is executed on the machine when the user opens it, according to the post on the Bitdefender Hot for Security blog.
The file contains Java code which downloads DLL files from a pre-defined Dropbox account. Once the DLLs are downloaded, they connect to a command and control server that sends back a message, as well as a base64-encoded payload (shellcode). The message reads:
“Hello people..
but am not the f*****g zeus bot/skynet bot or whatever piece of s**t.. no fraud here.. only a bit of mining. Stop breaking my b***z..
The received shellcode is injected into Windows Explorer and executed and triggers the download of a secondary DLL from a hardcoded location. And then the mining begins.
Bitcoin mining is only part of the deal, the shellcode can be modified at any time by the cyber-criminal allowing other types of malware to be inserted without any further outside attack - they are in the machine.
This hasn't hit users in the US as of yet and only seems to be popping up in Portugal, Belgium, India, Romania and Serbia......
The message simply reads "hahaha" and contains a seemingly legitimate .jpg image file within an archive called IMAG00953.zip. It is actually a malicious Java jar file, which is executed on the machine when the user opens it, according to the post on the Bitdefender Hot for Security blog.The file contains Java code which downloads DLL files from a pre-defined Dropbox account. Once the DLLs are downloaded, they connect to a command and control server that sends back a message, as well as a base64-encoded payload (shellcode). The message reads:
“Hello people..
but am not the f*****g zeus bot/skynet bot or whatever piece of s**t.. no fraud here.. only a bit of mining. Stop breaking my b***z..The received shellcode is injected into Windows Explorer and executed and triggers the download of a secondary DLL from a hardcoded location. And then the mining begins.
Bitcoin mining is only part of the deal, the shellcode can be modified at any time by the cyber-criminal allowing other types of malware to be inserted without any further outside attack - they are in the machine.
This hasn't hit users in the US as of yet and only seems to be popping up in Portugal, Belgium, India, Romania and Serbia......
Comments
