Bitcoin miner lurking on Facebook
Facebook users, beware: a new viral campaign aimed at saddling you with a Bitcoin mining Trojan has been spotted.
“The virus spreads through private Facebook messages, received from one of the victim’s trusted Facebook friends,” explains Bitdefender’s Alexandra Gheorghe. “It reads ‘hahaha”‘ and contains an archive called 1IMAG00953.zip with what seems to be a legitimate .jpg image file.”
Unfortunately, it’s not. It is a Java file that is executed immediately after the user runs it, and downloads DLL files from a pre-defined Dropbox account. The files connect to a C&C server, and receive back shellcode that is injected into Windows Explorer and executed.
This allows the download of an additional DLL file that embeds a Bitcoin miner into the system and immediately puts it to work.
While a message sent along with the initial shellcode says that cyber crooks are only interested in taking advantage of the victims’ computer’s mining capabilities, Bitdefender researchers warn that the delivered payload can be changed every couple of hours, and the criminals could follow up with more destructive malware.
The best thing to do is, obviously, to avoid getting compromised altogether, so avoid opening this and similar messages from any source on Facebook, the Internet, or if you receive them via SMS.
So far, the Bitcoin miner has been detected infecting systems in Portugal, Belgium, India, Romania and Serbia.