Zscaler Blog

Security Research

Bitcoin Mining Operation Seen Across Numerous Malware Families

CHRIS MANNON
December 13, 2013 - 3 min read
The talent over at Malwarebytes broke a story this week regarding fake Flash Player phishing attempts that drop malicious content onto victim machines for the purpose of mining Bitcoins. The threat tricks users into thinking that they are downloading a new version of Flash Player. In actuality, it drops a few malicious executables (stored in "[username]/AppData/Roaming/Data") named Control.exe and svchost.exe, the latter borrowing the name of the legitimate Windows service host in System32 so that it blends in with the process list. Once the threat is up and running, it communicates over a specific port for the purpose of mining Bitcoins.

I did some digging of my own to see whether there are other instances of phishing attacks made by this threat. Pivoting on the dropped file names and the URL string ".pw/blam/flashplayerv" described in the Malwarebytes post, I found an additional 21 samples that display network traffic patterns similar to those mentioned in the companion post. The pattern I am matching on is any executable that makes a connection to 178[.]33[.]111[.]19 on port 9000. I gathered packet captures of many of these samples phoning home in this way, and the results were overwhelmingly identical, as seen below:
 
[Image: table of sample MD5s, download locations and VirusTotal results]

The conclusion we can reach is that Bitcoin mining has reached a point where it is profitable enough to be on the radar of scammers. Administrators should take note of the traffic pattern mentioned here (outbound connections to 178[.]33[.]111[.]19 on port 9000) and monitor for similar transactions. Because a single IP address is easy for the operators to change, it is worth pairing that network indicator with the host-side one, namely executables running from AppData/Roaming/Data. It should also be stated that the list above contains some download locations that were still active at the time of writing, so treat them as live, and that the VirusTotal results can be confusing: all of the MD5s above are detected across the board, but under names ranging from info-stealers to backdoor trojan droppers. This shows that, regardless of the initial focus of the malicious executable, Bitcoin mining is profitable enough for scammers to bundle into their ill-gotten gains.
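The following is an added example of the monitoring suggested above; it is not code from Zscaler or Malwarebytes. The only facts it takes from the post are the indicators themselves: outbound connections to 178[.]33[.]111[.]19 on port 9000, and the dropped executables Control.exe and svchost.exe under [username]/AppData/Roaming/Data. The flow and process-creation log formats, the sample log lines, and the workstation-to-IP mapping are all constructed for this example; adapt the two parsers to whatever your flow collector and endpoint logging actually emit.

```python
"""Sweep constructed flow and process logs for the Bitcoin-miner indicators.

Added example, not the post's own code. Indicators come from the post; the log
formats, sample records and host/IP mapping below are constructed.
"""

import re
from collections import defaultdict

# Network indicator from the post (written there defanged as 178[.]33[.]111[.]19).
MINER_C2_IP = "178.33.111.19"
MINER_C2_PORT = 9000

# Host indicator from the post: Control.exe / svchost.exe dropped under
# <profile>/AppData/Roaming/Data. A real svchost.exe lives in System32, so the
# pattern anchors on the dropped directory rather than on the file name alone.
DROPPED_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Data\\(?:control|svchost)\.exe$", re.IGNORECASE
)

# Constructed flow records: "ts src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2013-12-12T10:01:03Z 10.0.0.15 49213 178.33.111.19 9000 tcp
2013-12-12T10:01:09Z 10.0.0.15 49214 93.184.216.34 443 tcp
2013-12-12T10:02:41Z 10.0.0.22 50111 178.33.111.19 80 tcp
2013-12-12T10:03:12Z 10.0.0.31 50990 178.33.111.19 9000 tcp
2013-12-12T10:03:50Z 10.0.0.40 51002 8.8.8.8 53 udp
""".splitlines()

# Constructed process-creation records: "ts host image_path".
SAMPLE_PROCS = r"""2013-12-12T09:58:00Z WS-015 C:\Users\alice\AppData\Roaming\Data\Control.exe
2013-12-12T09:58:01Z WS-015 C:\Users\alice\AppData\Roaming\Data\svchost.exe
2013-12-12T09:59:30Z WS-022 C:\Windows\System32\svchost.exe
2013-12-12T10:00:10Z WS-040 C:\Users\bob\AppData\Roaming\Data\svchost.exe
""".splitlines()

# Constructed mapping from workstation name to the IP it held during the flows.
HOST_IPS = {
    "WS-015": "10.0.0.15",
    "WS-022": "10.0.0.22",
    "WS-031": "10.0.0.31",
    "WS-040": "10.0.0.40",
}


def flow_hits(lines):
    """Return (ts, src_ip) for every flow to the miner IP on port 9000.

    The port is part of the match because the post's samples all used 9000;
    the WS-022 flow to the same IP on port 80 is deliberately not matched, so
    it surfaces only if you loosen the rule.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of aborting the sweep
        ts, src_ip, _src_port, dst_ip, dst_port, _proto = parts
        if dst_ip == MINER_C2_IP and dst_port.isdigit() and int(dst_port) == MINER_C2_PORT:
            hits.append((ts, src_ip))
    return hits


def process_hits(lines):
    """Return (ts, host, path) for executions from the dropped-file directory."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        ts, host, path = parts
        if DROPPED_EXE_RE.search(path):
            hits.append((ts, host, path))
    return hits


def correlate(flow_lines, proc_lines, host_ips):
    """Map each host to the set of indicator types seen on it."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    findings = defaultdict(set)
    for _ts, src_ip in flow_hits(flow_lines):
        findings[ip_to_host.get(src_ip, src_ip)].add("c2_port_9000")
    for _ts, host, _path in process_hits(proc_lines):
        findings[host].add("dropped_exe")
    return dict(findings)


def triage(findings):
    """Order hosts by number of distinct indicators, strongest first."""
    return sorted(findings, key=lambda host: (-len(findings[host]), host))


if __name__ == "__main__":
    found = correlate(SAMPLE_FLOWS, SAMPLE_PROCS, HOST_IPS)
    for host in triage(found):
        print(host, sorted(found[host]))
```

On the constructed data, WS-015 shows both the port-9000 connection and the dropped executables and so sorts first; WS-031 has only the network indicator and WS-040 only the host indicator. A host that shows just one of the two is still worth a look, since the post notes these samples carry other payloads besides the miner.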