Security company Trend Micro has warned of a new cryptocurrency mining bot that has been active over Christmas. The details emerged in a blog by security researchers Lenart Bermejo and Hsiao-Yu.
The bot is called Digimine and was first spotted in South Korea. It has now been recorded in several countries across Europe, South America and the Asia Pacific region. The version currently observed is restricted to Google Chrome, but there is no guarantee it won’t be adapted for other browsers.
According to the blog, Digimine has been written using AutoIt. This is a scripting language designed for automating Windows administration tasks. This is not the first time AutoIt has been used to help spread malware. Trend Micro has previously warned that its ease of use has made it increasingly popular with malware authors.
How does this Digimine attack work?
Victims are sent a video file via a friend on Facebook. If they attempt to watch the video, it runs an AutoIt script. The script connects to the command and control (C&C) server and downloads a number of components to the infected machine. These are saved in the %appdata%\<username> directory.
Digimine also installs an autostart entry into the registry to ensure that it is started as soon as the computer is turned on. This gives the malware the maximum running time on the local computer. Running time equals hashes and hashes equal a pay-out for the malware’s authors. In this case the pay-out is the cryptocurrency Monero.
To take advantage of Chrome, the malware installs a malicious browser extension. It does this by terminating any running instances of Chrome and restarting them from the command line. This approach avoids the Chrome Web Store and allows the malicious code to be installed.
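The two behaviours described above, a registry autostart entry that runs components out of %appdata% and a Chrome instance relaunched from the command line with an extension that never went through the Web Store, are the kind of thing a defender can look for on a suspect machine. The following PowerShell script is an added example and is not code from the article or from Trend Micro. It assumes the autostart entry lives in one of the standard Run/RunOnce keys, and it assumes that an extension loaded from the command line shows up as a --load-extension switch on chrome.exe, which is the documented Chrome switch for loading an unpacked extension; the article itself does not name the switch Digimine uses.

```powershell
# Added hunting script (not from the article). Reports, it does not remediate.

# 1) Autostart entries whose command runs from the user's %APPDATA% tree.
#    Assumption: the entry is in a standard Run/RunOnce key.
function Find-AppDataAutostart {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $appData = [Environment]::GetFolderPath('ApplicationData')   # e.g. C:\Users\<user>\AppData\Roaming

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # skip PowerShell's own metadata properties
            # Entries may contain an unexpanded %appdata%, so expand before comparing.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            if ($cmd.IndexOf($appData, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

# 2) Running Chrome processes that were started with an extension passed on the command line.
#    Assumption: a sideloaded extension appears as --load-extension=<path> on chrome.exe.
function Find-CommandLineLoadedChrome {
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
        Where-Object { $_.CommandLine -match '--load-extension=' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

'== Autostart entries running from %APPDATA% =='
Find-AppDataAutostart | Format-Table -AutoSize

'== Chrome processes launched with --load-extension =='
Find-CommandLineLoadedChrome | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and every user's Chrome processes are readable. A hit on either check is a lead, not a verdict: legitimate software occasionally autostarts from %APPDATA%, and developers load unpacked extensions deliberately, so the value is in the combination of a non-Web-Store extension on a Chrome instance that was restarted by something other than the user.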
How does Digimine spread?
Once installed, Digimine downloads additional code from the C&C server to allow it to spread. It checks to see if the victim is set to auto login to Facebook. If so, the malware is sent to all the victim’s friends.
The Trend Micro researchers warn that there could be worse to come. As the malware constantly checks in with the C&C server, it would be possible for the authors to write code to hijack the Facebook account.
Facebook has been warned of this attack and has removed many of the Digimine-related links from its platform. According to a statement from Facebook: “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”
What does this mean?
For cryptocurrency mining bots, the more machines they can infect the better. It should come as no surprise, therefore, that Digimine is targeting Facebook. Too many people willingly click on anything that appears on their page. With the holiday season upon us and social media being bombarded with images and videos from a variety of sources, users need to be especially aware of the risk of malware.