A newly discovered malware variant is trying to trick users that it is not a threat by passing itself off as a component of Trend Micro, a security firm that sells security solutions. Furthermore, the Trojan drops a Bitcoin miner application to make the malware author money.
While threats trying to play themselves off as security solutions is nothing new, and neither are Bitcoin miners dropped by Trojans, putting the two together appears to be something new. Trend Micro discovered the malware and detects it as TROJ_RIMECUD.AJL.
The social engineering tactic used by the cybercriminals in this case is very simple: lure users into executing the threat by making them believe the file belongs to a Trend Micro product. The attackers spoof Trend Micro properties like so:
When the user executes the Trojan, it creates the process svchost.exe (the same name as the Windows processes for services, a further attempt to hide itself) to download a second malicious component package. This second package contains a Bitcoin miner application created by Ufasoft, which Trend Micro detects as HKTL_BITCOINMINE.
For those who don’t know, Bitcoin is a decentralized digital currency, currently the most-widely used alternative to common forms of money. Because it has no central issuer, it has no single authority and thus no way to lock out certain users (or countries) out of the network. It can be used to pay for certain transactions both offline and online.
Bitcoin mining nodes are responsible for managing the Bitcoin network; Bitcoins are awarded to nodes known as miners for the solution to a difficult proof-of-work problem. The point of Bitcoin-mining malware is to use a computer’s resources to, without the user’s knowledge, mine Bitcoins. The cybercriminals then use these Bitcoins to generate a profit, while the victims computers slow down or become unusable.
Trend Micro gives the following advice:
To avoid becoming victim to this scheme, users must be extra-cautious when downloading applications, files found on the internet. Better yet, refrain from visiting unknown websites and clicking ads or shortened URLs contained in email messages from unverified sources.
Image credit: Christa Richert