05/09/11

Malicious Links on Twitter Lead to Bitcoin Mining

Web Reputation Services (WRS) encountered spammed malicious shortened URLs on Twitter that appear to point to a JPEG file on a Facebook domain. The said .JPEG file is in fact not a picture but an executable already detected by Trend Micro as WORM_KOLAB.SMQX. Searching for the picture file name using Twitter’s search function reveals a continuously updated list of users who tweeted the same malicious link.

Clicking the links redirects through a shortened Twitter URL (http://t.co). Most of these Twitter users are from Indonesia. To lure users into clicking the URL, the cybercriminals placed facebook.com at the front of the host name where the malicious file is hosted. Upon clicking the said link, the unwitting user is led to facebook.com.{BLOCKED}e-505.tk, which loads the downloadable file http://{BLOCKED}f.by/images/news/Photo-G05971.jpeg.exe inside a frameset on facebook.com.{BLOCKED}e-505.tk. Since September 2, 2011, approximately 600 tweets carrying the same link have been posted.


When users post a tweet, the malicious link http://www.facebook.com.{BLOCKED}e-505.tk/Photo-G05971.jpeg is appended to it with the text “hahaha!!!”. The same link is also used in Twitter’s retweet and reply features.
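The two deceptions in this link are mechanical enough to check automatically: the trusted brand (facebook.com) appears only as a subdomain of an unrelated .tk registration, and the payload name carries a decoy image extension in front of the real .exe. The following is an added example of such a URL check; it is not code from the original write-up or from Trend Micro. The sample URLs are constructed, with the {BLOCKED} parts of the real hosts replaced by the placeholder "example-blocked", and the registrable-domain logic is a deliberate simplification of a Public Suffix List lookup.

```python
"""Flag deceptive URLs of the kind seen in this campaign:
 - a trusted brand used as a *subdomain* of an unrelated registrable domain
 - a double file extension that makes an executable look like a picture
Added example; sample URLs are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlparse
import posixpath

# Brands the campaign impersonated. Extend for your own environment.
TRUSTED_BRANDS = {"facebook.com", "twitter.com"}

# Extensions Windows executes rather than displays when opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".cmd", ".bat", ".com", ".pif"}
# Extensions a user expects to be a harmless picture or document.
DECOY_EXTS = {".jpeg", ".jpg", ".png", ".gif", ".pdf", ".doc"}

# Second-level labels under two-letter ccTLDs (e.g. go.id, co.uk). This is a
# simplification standing in for the Public Suffix List (assumption).
CC_SECOND_LEVEL = {"co", "go", "com", "ac", "or", "net", "org"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, or three for ccTLD second-level domains."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_spoof(host: str) -> Optional[str]:
    """Return the impersonated brand if the host *contains* a trusted brand
    but is not actually registered under it (e.g. facebook.com.evil.tk)."""
    host = host.lower()
    actual = registrable_domain(host)
    for brand in TRUSTED_BRANDS:
        if actual == brand:
            return None  # genuine brand domain or a real subdomain of it
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return brand
    return None


def double_extension(path: str) -> Optional[Tuple[str, str]]:
    """Return (decoy_ext, real_ext) for names such as Photo.jpeg.exe."""
    name = posixpath.basename(path)
    root, real = posixpath.splitext(name)
    _, decoy = posixpath.splitext(root)
    if real.lower() in EXECUTABLE_EXTS and decoy.lower() in DECOY_EXTS:
        return decoy.lower(), real.lower()
    return None


def analyse(url: str) -> List[str]:
    """Return human-readable findings for one URL (empty list = nothing found)."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = p.hostname or ""
    findings = []
    brand = brand_spoof(host)
    if brand:
        findings.append(f"host {host} impersonates {brand} "
                        f"(real domain: {registrable_domain(host)})")
    ext = double_extension(p.path)
    if ext:
        findings.append(f"double extension {ext[0]}{ext[1]}: executable disguised as image")
    return findings


# Constructed samples modelled on the URLs in the write-up.
SAMPLES = [
    "http://www.facebook.com.example-blocked-505.tk/Photo-G05971.jpeg",
    "http://example-blocked-f.by/images/news/Photo-G05971.jpeg.exe",
    "https://www.facebook.com/photo.php?fbid=1",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", analyse(u) or ["nothing found"])
```

Note that a plain .exe with no decoy extension (like the JohnLennon-Imagine.exe download mentioned later) is not caught by the second heuristic; URL reputation and the file's own detection name cover that case.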


What happens after running the malicious file? Checking the Local Settings folder, we found that the file creates a directory “aaa” containing the following files:
  • 3kal.cmd – batch file that contains the command for executing mamatije2.exe
  • hsbca.exe – non-malicious file (Hidden Start v3.2)
  • mamatije2.exe – already detected as HKTL_BITCOINMINE

The file mamatije2.exe is a Bitcoin miner that connects to the malicious URL http://y.{BLOCKED}ame:8332/ using the user name mrdd_ludacha and the password mama1. The login credentials, however, do not work, and the server responds with a bad request (HTTP 400). Bitcoins are digital coins, a virtual currency that can be sent over the Internet via peer-to-peer (P2P) sharing. Bitcoins are generated over the Internet by running a free application called a Bitcoin miner.
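The miner's traffic is visible at the network edge even when the pool rejects it: it speaks HTTP to port 8332 (the default bitcoind JSON-RPC port) and keeps retrying after the HTTP 400. The following added example scans web proxy logs for exactly that pattern; it is not code from the original write-up or from Trend Micro. It assumes a Squid-style native access.log layout (timestamp, elapsed ms, client, result/status, bytes, method, URL, ...), and the log lines embedded in it are constructed, with the {BLOCKED} part of the pool host replaced by a placeholder.

```python
"""Flag workstation traffic to Bitcoin JSON-RPC ports in proxy logs.
Added example; assumes a Squid native access.log format and uses
constructed log lines."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# 8332 is the port in the miner's URL and the default bitcoind JSON-RPC port.
# Extend with the pool ports seen in your own environment.
MINING_RPC_PORTS = {8332}

# Squid native format: timestamp elapsed client code/status bytes method URL ident hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
# host[:port] from either "http://host:port/path" or a CONNECT target "host:port"
HOSTPORT_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?")

# Constructed sample log (not real traffic). 10.0.0.15 models the infected
# host from the write-up: repeated POSTs to port 8332 answered with HTTP 400.
SAMPLE_LOG = """\
1315000001.123    45 10.0.0.15 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1315000002.456    12 10.0.0.15 TCP_MISS/400 311 POST http://y.example-blocked-ame:8332/ - DIRECT/203.0.113.9 text/html
1315000003.789    13 10.0.0.15 TCP_MISS/400 311 POST http://y.example-blocked-ame:8332/ - DIRECT/203.0.113.9 text/html
1315000004.000    80 10.0.0.22 TCP_TUNNEL/200 0 CONNECT pool.example-constructed.net:8332 - DIRECT/198.51.100.7 -
1315000005.000    60 10.0.0.31 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/93.184.216.35 text/html
"""


def parse_line(line: str) -> Optional[dict]:
    """Extract client, destination host/port, method and status from one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hp = HOSTPORT_RE.match(m["url"])
    if not hp:
        return None
    if hp["port"]:
        port = int(hp["port"])
    elif m["method"] == "CONNECT" or m["url"].lower().startswith("https://"):
        port = 443
    else:
        port = 80
    return {"client": m["client"], "host": hp["host"].lower(), "port": port,
            "status": int(m["status"]), "method": m["method"]}


def find_mining_rpc(log_text: str) -> Dict[str, List[Tuple[str, int, int]]]:
    """Return {client: [(host, port, status), ...]} for requests to mining RPC ports.
    Failed attempts (HTTP 400) are kept: the attempt itself is the indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] in MINING_RPC_PORTS:
            hits[rec["client"]].append((rec["host"], rec["port"], rec["status"]))
    return dict(hits)


def summarise(hits: Dict[str, List[Tuple[str, int, int]]]) -> List[str]:
    """One alert line per client, with distinct pool hosts and the retry count."""
    out = []
    for client, recs in sorted(hits.items()):
        hosts = sorted({h for h, _, _ in recs})
        failed = sum(1 for _, _, s in recs if s >= 400)
        out.append(f"{client}: {len(recs)} request(s) to {', '.join(hosts)} "
                   f"on mining RPC port(s), {failed} rejected by server")
    return out


if __name__ == "__main__":
    for alert in summarise(find_mining_rpc(SAMPLE_LOG)):
        print(alert)
```

Port matching on its own is a coarse indicator; in practice the alert is triaged together with the host-side artefacts above (the “aaa” directory and HKTL_BITCOINMINE detection).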

Apart from the tweets above, the malware also connects to other malicious sites, which host the following malicious files:
  • http://robertpattinson.{BLOCKED}ion.org/pictures/Calc-3-9-2011.jpeg – detected by Trend Micro as HKTL_BITCOINMINE
  • http://{BLOCKED}alokab.go.id/images/news/JohnLennon-Imagine.exe – detected as WORM_KOLAB.SMQX

Notice that it uses names of famous personalities like Robert Pattinson and John Lennon.

All related URLs were already blocked and the files were detected as WORM_KOLAB.SMQX by the Trend Micro Smart Protection Network.

nb : trendmicro
