March 3, 2021

Bitcoin malware not just limited to Skype and Bitcoin mining – uncovers Cyberoam Threat Research Labs

Nearly 350K users have unwittingly downloaded the malware through Skype and Gtalk


Cyberoam, the leading global network security appliances company, today announced its Threat Research Labs (CTRL) has identified unreported truths on the Bitcoin mining malware that targets Skype users. Last week has seen several news articles being published following the malware’s ongoing campaign on Skype. Moreover, a slew of conversations among security industry community on this digital currency stealing malware planting botnets to work in bitcoin mining are on. Findings from Cyberoam Threats Research Labs go beyond this and divulge the modus-operandi adopted by the cyber attackers behind this malware while also providing insightful evidence on other risks that are not limited to Bitcoin mining alone.

“Recent reports on the malware saying the threat is aimed at building a botnet to mine bitcoins using the CPU resources of victimized computers is only half the story”, says Bhadresh Patel, lead vulnerability researcher at CTRL.  “Our threat research team ran a detailed investigation and also allowed the malware to become fully active, letting it achieve reasonable degree of infection on test systems. With this approach, CTRL threat analysts have succeeded in conducting deep analysis of the malware and its latent threat potential while uncovering several other risks that have not been reported yet”, he adds further.

Behind the scenes investigation on Bitcoin mining malware revealed by CTRL

The malware spreads over Skype using a shortened Google URL that has a cleverly placed suffix right at the end, which represents a non-existent image file. E.g. a Skype user is prompted with a link, which is accompanied by a message such as “tell me what you think of this picture I edited”. Here, the purpose behind placing a reference to an image file instead of an ‘.exe’ file is only to lure the Skype user to access / follow the link. This provides striking evidence into how cyber criminals are analyzing internet users’ awareness and application usage behavior to make them fall prey to mind-games

Discussions on this malware’s activity have so far focused only on its capability to propagate Skype messages and initiate Bitcoin mining; however, CTRL has identified that lot more potential risks are involved. CTRL research succeeded in investigating the attacker’s modus operandi by being able to access the attacker’s malware hosting server. CTRL investigation found that besides Bitcoin mining, several other risks were present on the server. Some of these include,

Propagation of the malware using “Spamming”

Involvement of other remote malware hosting serves located in destinations such as Russia, to enhance the threat potential of the malware. CTRL, upon performing further exploration on these remote servers learned that such servers have recently updated malware samples, which would allow such threats to enjoy low detection rate

A threat instance namely ‘ppc.exe’, capable to trigger identity threat attacks was also found. CTRL analysis in this latent threat revealed that it uses third-party IP geo-location database to identify the victim’s location, organization, connection speed, and user type, aimed at stealing the victim’s identity

Further investigating from the CTRL (after allowing full infection to prevail on test systems) to study the attacker’s mindset revealed that upon rebooting a fully infected system, the victim is presented with a false message from a resident ransomware (also known as cryptotrojan), seeking ransom to disinfect the system

CTRL also clinched a break-through evidence by being able to capture and dissect a PHP Shell on the malware hosting server; further investigation into this evidence revealed that this Shell allows the attacker to manage threat activities and malware samples

Moreover, CTRL also learned that the attacker is using a shell script to automatically update malware binaries, saving substantial time to remain actively invested in augmenting the malware’s capability

Visit Cyberoam Blog for exclusive screen-captures and detailed process revealed by CTRL researchers.

“Cyberoam Threat Research Labs believes in going beyond the obvious threat to extract comprehensive and insightful findings as appears from this investigation. In the wake of growing outbreak of advanced malware attacks, CTRL aims at conducting more thorough investigations into the likely motive and hidden threat potential of such attacks”, informs Abhilash Sonwane, Sr. Vice President – Product Management, Cyberoam.

As a responsible threat research squad, CTRL finds it an imperative to go beyond finding emerging potential threats and aims at providing insightful investigation into how advanced threats are engineered and imagined around today’s internet usage and apps.