Pornographic malspam pushes coin miner malware
Last Updated: 2018-12-11 02:40:51 UTC
On Saturday 2018-12-09 and Sunday 2018-12-10, I came across a wave of malicious spam (malspam) with links to a Bitcoin miner disguised as pornographic material. The emails all had the same links. One of them was offline by the time I checked, but the other downloaded a zip archive named SeeMyXXXphoto.zip. Windows Defender quickly caught and deleted the malware, so people aren't really at risk from this. However, I wanted to document this campaign with a quick diary.
The emails had various subject lines, spoofed senders, and different first paragraphs in the message text. I submitted an example in .eml format to VirusTotal (link). The emails each contained a different pornographic photo followed by the message text. The second paragraph in each message text read the same, stating:
Maybe you want see my private XXX photo. Ooooohhhh. ok! Just download archive from this listig and open and install it. And you can get access to some my hot photos )))
It was followed by a link to: hxxp://martialartsbenefits[.]com/SeeMyXXXphoto.zip
Shown above: Screenshot from one of the emails (minus the pornographic picture).
Shown above: Downloaded zip archive and the extracted file.
Windows Defender identified the malware as Trojan:Win32/Tiggre!rfn, but that didn't describe the malware for me. A quick check on VirusTotal indicates the malware is a Bitcoin miner. Running the malware on a Windows host in my lab environment confirmed Bitcoin miner-style traffic, and it appears to be based on CPUminer Multi version 1.1.
Shown above: Windows Defender quickly caught the file when I attempted to download it on 2018-12-10.
Shown above: VirusTotal indicates the downloaded opstopping is a coin miner.
Shown above: Traffic from an infection filtered in Wireshark indicates this is CPUminer Multi version 1.1.
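The miner family and version in the screenshot above are visible because Stratum mining traffic is plain newline-delimited JSON-RPC over TCP, and the client announces itself in its first messages: the user-agent string in mining.subscribe (or the "agent" field of a Monero-style login) and the wallet/worker login in mining.authorize. The following is an added example, not code from the diary, that pulls those fingerprints out of a client-side TCP stream as you would export it from Wireshark. The sample payloads, the "cpuminer-multi/1.1" agent string and the wallet placeholder are constructed for illustration, and the list of known miner agent prefixes is my assumption, not something the diary states.

```python
import json
import re
from typing import Dict, List, Optional

# Agent strings look like "<family>/<version>", e.g. "cpuminer-multi/1.1".
AGENT_RE = re.compile(r"^([A-Za-z0-9_.-]+)/([0-9][0-9A-Za-z.-]*)")

# Assumption: prefixes of self-reported agent strings used by common miners.
KNOWN_MINER_AGENTS = ("cpuminer", "cpuminer-multi", "ccminer", "xmrig", "xmr-stak", "minerd")

# Constructed sample of a client->pool Stratum v1 stream (not real capture data).
SAMPLE_STREAM = """\
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer-multi/1.1"]}
{"id": 1, "result": [[["mining.notify", "abc"]], "00000000", 4], "error": null}
{"id": 2, "method": "mining.authorize", "params": ["WALLET_PLACEHOLDER.worker1", "x"]}
{"id": 3, "method": "mining.submit", "params": ["WALLET_PLACEHOLDER.worker1", "job1", "00000000", "5c0d3a4b", "1a2b3c4d"]}
this line is not JSON and must be skipped
"""

# Constructed sample of the Monero-style JSON-RPC login used by XMRig-like miners.
XMRIG_SAMPLE = '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/5.11.1"}}\n'


def parse_stratum_lines(payload: str) -> List[dict]:
    """Parse newline-delimited JSON-RPC, keeping only client requests (objects with a method)."""
    msgs = []
    for line in payload.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise, e.g. a partial segment
        if isinstance(obj, dict) and "method" in obj:
            msgs.append(obj)
    return msgs


def extract_agent(msg: dict) -> Optional[str]:
    """Return the client's self-reported agent string if this message carries one."""
    params = msg.get("params")
    if msg.get("method") == "mining.subscribe" and isinstance(params, list) and params:
        return str(params[0])
    if msg.get("method") == "login" and isinstance(params, dict) and params.get("agent"):
        return str(params["agent"])
    return None


def extract_login(msg: dict) -> Optional[str]:
    """Return the wallet/worker login (the payout identity) if this message carries one."""
    params = msg.get("params")
    if msg.get("method") == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])
    if msg.get("method") == "login" and isinstance(params, dict):
        return params.get("login")
    return None


def fingerprint_miner(payload: str) -> Dict[str, object]:
    """Summarise what a client-side mining stream reveals about the miner."""
    msgs = parse_stratum_lines(payload)
    agent = next((a for a in map(extract_agent, msgs) if a), None)
    logins = sorted({l for l in map(extract_login, msgs) if l})
    family = version = None
    if agent:
        m = AGENT_RE.match(agent)
        if m:
            family, version = m.group(1), m.group(2)
    share_submits = sum(1 for m in msgs if m.get("method") in ("mining.submit", "submit"))
    is_miner = bool(agent) and any(agent.lower().startswith(p) for p in KNOWN_MINER_AGENTS)
    return {
        "agent": agent,
        "family": family,
        "version": version,
        "logins": logins,
        "share_submits": share_submits,
        "is_miner": is_miner,
    }


if __name__ == "__main__":
    print(json.dumps(fingerprint_miner(SAMPLE_STREAM), indent=2))
    print(json.dumps(fingerprint_miner(XMRIG_SAMPLE), indent=2))
```

The login value is worth keeping alongside the agent string: the wallet or worker name is a stable identifier for the campaign even when the hosting site for the zip goes offline, as one of the links in this campaign did.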
- Date/Time: Sunday, 2018-12-10 00:08 UTC
- From: "Isabelle" <[email protected]>
- Subject: That's why I love our parties! Just look here
- Date/Time: Sunday, 2018-12-10 16:28 UTC
- From: "Martine" <[email protected]>
- Subject: I would go through the streets slack-jawed
- Date/Time: Sunday, 2018-12-10 18:04 UTC
- From: "Birgit" <[email protected]>
- Subject: Oh Gooood, it is the greatest of all that I've ever seen Just look here!
- Date/Time: Sunday, 2018-12-10 19:14 UTC
- From: "Manon" <[email protected]>
- Subject: Is your character as hard as your muscles?
- Date/Time: Sunday, 2018-12-10 23:10 UTC
- From: "Lola" <[email protected]>
- Subject: Even your eyes can tell me how certain you are.
Links in the emails:
- File size: 2,201,826 bytes
- File name: SeeMyXXXphoto.zip
- Description: Downloaded zip archive
- File size: 2,339,166 bytes
- File name: Open and see my XXX photo and Movie.exe
- Description: Extracted Windows executable, Bitcoin mining malware
Traffic from an infected Windows host:
Windows 10 hosts seem well-protected against this threat. As always, on older versions of Windows, system administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.