Bitcoin Mining Operation Seen Across Numerous Malware Families
The talent over at Malwarebytes broke a story this week regarding Fake Flash Player phishing attempts dropping malicious content onto victim machines for the purpose of mining Bitcoins. The threat tricks users into thinking that they are downloading a new version of Flash Player. In actuality, the threat drops a few malicious executables (stored in "[username]/AppData/Roaming/Data"), called Control.exe and svchost.exe. Once the threat is up and running, it communicates over a specific port for the purposes of mining Bitcoins.
I did some digging of my own to see if there are other instances of phishing attacks made by this threat. I found the variant described in the Malwarebytes blog based on the dropped files and the string ".pw/blam/flashplayerv". The end result was an additional 21 files which display network traffic patterns similar to those mentioned in the companion blog.
The network pattern I'm matching on is any executable which makes a connection to 178[.]33[.]111[.]19 on port 9000. I gathered packet captures for many of these threats phoning home in this way. The results were overwhelmingly identical, as seen below:
The conclusion we can reach is that Bitcoin mining has reached a point where it is profitable enough to be on the radar for scammers. Administrators should take note of the traffic patterns mentioned here and monitor for similar connections. It should also be stated that the above list contains some still-active download locations for this threat, and that the VT results can be confusing. All of the MD5s mentioned above are detected across the board as different threats, ranging from InfoStealers to Backdoor trojan droppers. This shows that regardless of the initial focus of the malicious executable, Bitcoin mining is still profitable enough for scammers to bundle into their ill-gotten gains.
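As an added example (not code from this post or from Malwarebytes), here is a small Python detector that applies the indicator above, connections to 178[.]33[.]111[.]19 on TCP port 9000, to connection-log lines so that administrators can spot hosts phoning home. The log column layout, the sample records, the timestamps and the internal host addresses are all constructed for this example; map your own flow or conn-log columns into `parse_conn_line` and the rest works unchanged.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator as written in the post (defanged). refang() turns it back into a
# comparable address so the defanged form can be kept in the playbook verbatim.
MINER_C2_IP_DEFANGED = "178[.]33[.]111[.]19"
MINER_C2_PORT = 9000


def refang(defanged: str) -> str:
    """Convert the '[.]' notation used in reports back to a plain dotted quad."""
    return defanged.replace("[.]", ".")


MINER_C2_IP = ipaddress.ip_address(refang(MINER_C2_IP_DEFANGED))


@dataclass(frozen=True)
class ConnRecord:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_conn_line(line: str) -> ConnRecord:
    """Parse one whitespace-separated record of the constructed format:
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
    Adapt this function to your own flow or conn log; everything else is generic."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected column count in: {line!r}")
    ts, src_ip, src_port, dst_ip, dst_port, proto = parts
    return ConnRecord(ts, src_ip, int(src_port), dst_ip, int(dst_port), proto.lower())


def is_miner_beacon(rec: ConnRecord) -> bool:
    """True when the record matches the destination IP and port from the post."""
    return (
        rec.proto == "tcp"
        and ipaddress.ip_address(rec.dst_ip) == MINER_C2_IP
        and rec.dst_port == MINER_C2_PORT
    )


def find_miner_beacons(lines: Iterable[str]) -> List[ConnRecord]:
    """Return every record that matches the indicator, skipping blanks and comments."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if is_miner_beacon(rec):
            hits.append(rec)
    return hits


def beacons_per_host(lines: Iterable[str]) -> Dict[str, int]:
    """Count matching connections per internal source host; repeated callbacks
    from one host are the pattern the post describes for a running miner."""
    return dict(Counter(rec.src_ip for rec in find_miner_beacons(lines)))


# Constructed sample records, not captured traffic: two internal hosts, one of
# which beacons twice; the 443 and UDP/53 lines are decoys that must not match.
SAMPLE_LOG = """\
# ts src_ip src_port dst_ip dst_port proto (constructed)
2013-12-10T09:14:02Z 10.0.0.15 49321 178.33.111.19 9000 tcp
2013-12-10T09:14:05Z 10.0.0.15 49322 93.184.216.34 443 tcp
2013-12-10T09:15:11Z 10.0.0.22 51002 178.33.111.19 9000 tcp
2013-12-10T09:15:40Z 10.0.0.22 51003 178.33.111.19 53 udp
2013-12-10T09:16:00Z 10.0.0.15 49330 178.33.111.19 9000 tcp
"""


if __name__ == "__main__":
    for host, count in sorted(beacons_per_host(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {count} connection(s) to {MINER_C2_IP}:{MINER_C2_PORT}")
```

The match is deliberately strict (exact destination address, TCP, port 9000) so that it reproduces the indicator from the post rather than guessing at related infrastructure; widen it only with indicators you have confirmed yourself.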