Threats posed by the Bitcoin malware go well beyond initially-reported Skype and Bitcoin mining. And about 350 000 users are at risk, having unwittingly downloaded the malware through Skype and Gtalk.
This is according to Cyberoam’s Threat Research Labs (CTRL), which claims to have identified unreported truths on the Bitcoin mining malware.
The last week has seen several reports on the malware’s ongoing campaign on Skype. However, findings from Cyberoam Threat Research Labs also divulge the modus operandi adopted by the cyber-attackers behind the Bitcoin malware and provide evidence of additional risks not limited to Bitcoin mining.
“Recent reports on the malware saying the threat is aimed at building a botnet to mine bitcoins using the CPU resources of victimised computers is only half the story,” says Bhadresh Patel, lead vulnerability researcher at CTRL.
“Our threat research team ran a detailed investigation and also allowed the malware to become fully active, letting it achieve a reasonable degree of infection on test systems. With this approach, CTRL threat analysts have succeeded in conducting deep analysis of the malware and its latent threat potential while uncovering several other risks that have not been reported yet.”
The malware spreads over Skype using a shortened Google URL with a cleverly placed suffix at the very end that names a non-existent image file. The only purpose of referencing an image file instead of an .exe file is to lure the Skype user into following the link. This shows how cybercriminals are analysing Internet users’ awareness and application usage behaviour.
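The lure pattern described above is easy to flag on the defender’s side: a link whose host is a URL shortener can never itself serve the photo named in its suffix, so the suffix is only there to look like an image. The following is an added illustration, not code from the original report or from Cyberoam; the shortener host list, the sample chat messages and the sample response headers are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Known URL shorteners whose links hide the real destination (assumed list;
# goo.gl was Google's shortener, which is the service the report refers to).
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)$", re.IGNORECASE)
EXE_EXT = re.compile(r"\.(exe|scr|com|pif|bat)\"?$", re.IGNORECASE)
EXE_TYPES = ("application/x-msdownload", "application/x-msdos-program")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_image_lure(url: str) -> bool:
    """True if the link is a shortener URL decorated with an image-file suffix.

    The suffix may sit in the path, the query string or the fragment; none of
    those is honoured by the shortener, so a .jpg there is purely cosmetic."""
    parts = urlparse(url)
    if parts.netloc.lower() not in SHORTENER_HOSTS:
        return False
    return any(
        IMAGE_EXT.search(segment.rstrip("/"))
        for segment in (parts.path, parts.query, parts.fragment)
        if segment
    )


def executable_behind_image(headers: dict) -> bool:
    """True when the response a shortened 'image' link finally resolved to is a
    Windows executable, judged from Content-Type and Content-Disposition.

    Intended for proxy or sandbox logs where the redirect chain has already
    been followed; headers here are constructed samples, not live fetches."""
    ctype = headers.get("Content-Type", "").lower()
    cdisp = headers.get("Content-Disposition", "")
    if ctype.startswith("image/"):
        return False
    if any(ctype.startswith(t) for t in EXE_TYPES):
        return True
    # octet-stream says nothing by itself; the suggested filename does.
    return bool(EXE_EXT.search(cdisp.rstrip(";")))


# Constructed chat lines standing in for Skype / Gtalk message exports.
SAMPLE_MESSAGES = [
    ("alice", "lol is this your skype profile pic? http://goo.gl/AbC12?img=IMG0405.jpg"),
    ("bob", "meeting notes at https://example.org/docs/notes.pdf"),
    ("carol", "check http://bit.ly/xyz987/photo.JPG"),
]


def scan_messages(messages):
    """Return (sender, url) pairs for every message carrying an image-lure link."""
    hits = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            if is_image_lure(url):
                hits.append((sender, url))
    return hits


if __name__ == "__main__":
    for sender, url in scan_messages(SAMPLE_MESSAGES):
        print(f"image-lure link from {sender}: {url}")
```

The first check works on message text alone and is cheap enough to run over a chat export or an IM gateway log; the second needs the resolved response and catches the case the report describes, where the link that looked like a photo delivers an .exe.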
CTRL investigations have found that besides Bitcoin mining, several other risks were present on the server.
One of these is the propagation of the malware through spamming. The involvement of other remote malware hosting servers, located in destinations such as Russia, enhances the threat potential of the malware. On exploring these remote servers further, CTRL learned that they hold recently updated malware samples, which allows such threats to enjoy a low detection rate.
A threat instance, “ppc.exe”, capable of triggering identity theft attacks, was also found. CTRL analysis of this latent threat revealed that it uses a third-party IP geo-location database to identify the victim’s location, organisation, connection speed and user type, with the aim of stealing the victim’s identity.
Further investigation by CTRL, undertaken to study the attacker’s mindset, revealed that upon rebooting a fully infected system, the victim is presented with a false message from resident ransomware (also known as a crypto-Trojan), demanding a ransom to disinfect the system.
During its investigation, CTRL was able to capture and dissect a PHP shell on the malware hosting server, revealing that the shell allows the attacker to manage threat activities and malware samples. The attacker also uses a shell script to update malware binaries automatically, saving substantial time that can instead be invested in augmenting the malware’s capability.