Bitcoin Rewards As Lures? Tale Of The New Generation Malvertising
Remember the malvertising campaigns of the early days, where adverts told you that you were the nth visitor and had a prize to claim for being that coveted nth visitor to a website? Of course, these days the chance of seeing a Flash-based animated advert like that is slim, since Google Chrome blocks scam-like adverts by default as part of the Google Safe Browsing initiative, which the Firefox browser also features. The demise of malvertising through adverts does not end with the anemic Flash-based variants, though: cybercriminals are now using Bitcoin (or rather, people’s desire for it) to lure people to a dodgy website under their control.
Imagine that a malvertising website offers its visitor $30 worth of Bitcoin: not that huge, but with enough “visits” it may let someone afford some stuff on eBay, or an Amazon gift card-level prize. In reality, this malvertising website installs keyloggers, banking trojans or ransomware that harm the victim at a later time. Another set of similar but unrelated websites offers a referral prize in Ethereum (another cryptocurrency, an alternative to Bitcoin), with one website claiming that a user who successfully refers 1,000 visitors to the website will earn $750 worth of Ethereum.
Both websites offer a download they call “Bitcoin Collector”, which claims to be an easy mining program for Windows that will provide “free Bitcoins” for the user, but which instead makes the computer mine cryptocurrency for the author at the user’s expense. One of the most common trojan horses in this category is named BotCollector.exe, and it often arrives in a .zip file downloaded from a malvertising website.
“When you execute the included BotCollector.exe, it will launch a program called ‘Freebitco.in – Bot’ that does not appear to do much. In reality, though, this is a Trojan that pretends to be a bitcoin generator but simply launches a malware payload. It does this by copying a file at geobazepatchlogo.png to logo.exe and executing it (planting itself deep into the Windows operating system)”, explained Lawrence Abrams of Bleepingcomputer.com.
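The disguise described in the quote above, a payload stored under an image name and copied to an .exe before it runs, is cheap to spot on disk because a Windows executable starts with an MZ/PE header no matter what its extension says. The following is an added example, not code from the article or from BleepingComputer: it compares a file’s extension against its magic bytes and flags image-named files that actually carry a PE header. The file name geobazepatchlogo.png is taken from the quote; the bytes behind it and the other samples are constructed here, not real malware.

```python
"""Added example (not from the article or BleepingComputer): flag files whose
extension claims an image format but whose content is a Windows PE executable,
the disguise the quoted BotCollector description relies on (a .png copied to
logo.exe and run). All sample bytes below are constructed for the demo."""
import struct
from pathlib import Path

# Documented magic numbers for common image formats.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature, i.e. it is a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Compare the extension's expected magic bytes with the real content."""
    expected = IMAGE_MAGIC.get(Path(name).suffix.lower())
    if expected is None:
        return "unknown-extension"      # not an image extension, not judged here
    if data.startswith(expected):
        return "ok"                     # extension and content agree
    if is_pe(data):
        return "pe-disguised-as-image"  # the BotCollector-style trick
    return "content-mismatch"           # wrong format, but not an executable


def build_fake_pe() -> bytes:
    """Constructed minimal stub: MZ header, e_lfanew = 0x40, PE signature.
    It is not a runnable program, just enough header to exercise is_pe()."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


def scan(files: dict) -> dict:
    """Run classify() over a {name: bytes} mapping; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed samples: the first name comes from the quoted description,
# its bytes do not.
SAMPLES = {
    "geobazepatchlogo.png": build_fake_pe(),
    "banner.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,
    "notes.txt": b"hello",
    "photo.jpg": b"GIF89a....",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:24s} {verdict}")
```

On a real host you would feed scan() the first few hundred bytes of each file under a download or temp directory rather than the in-memory samples; the check is deliberately header-only so it stays cheap enough to run over an entire profile directory.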
BotCollector.exe was previously observed with a different behavior: it used to be the main payload for the ransomware named “Marozka Tear”. Being unsophisticated ransomware, Marozka Tear’s author used a public free Gmail account ([email protected]) for victims to contact him/her about paying the ransom, instead of a sophisticated “shopping cart” for collecting payments. The Bleepingcomputer team stopped the ransomware from being profitable by releasing a free decryptor program that reverses the encryption of user files without paying Marozka Tear’s author.
At the time of this writing, the two hidden payloads of the new BotCollector variant have not yet been fully dissected by the BleepingComputer team. Initial checks, however, suggest it is comparable to full-blown espionage-type malware: it can record keystrokes, take screenshots, capture browser history, send user files to its author and even copy the information of a crypto wallet.