Hundreds of Facebook users have been infected with a new Trojan that secretly uses their systems to mine for Bitcoins, the virtual currency that spread a global money-making fever, Bitdefender warns. Since it was spotted last week, the malware has caused infections in countries such as Portugal, Belgium, India, Romania and Serbia.
The virus spreads through private Facebook messages received from one of the victim's trusted Facebook friends. The message reads "hahaha" and contains an archive called IMAG00953.zip holding what seems to be a legitimate .jpg image file. It is actually a malicious Java jar file, which is executed on the machine when the user opens it.
The file contains Java code that downloads DLL files from a pre-defined Dropbox account. Once the DLLs are downloaded, they connect to a command-and-control server that sends back a message, as well as a base64-encoded payload (shellcode). The message reads:
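The lure works because a jar is a zip archive and the recipient only sees an image-like filename. As an added example (not Bitdefender's code or the malware's), here is a Python check of the kind an attachment scanner could apply: it opens an archive and flags entries that carry an image extension but whose bytes are actually a jar. The sample archive and its file names are constructed here, not taken from the real IMAG00953.zip.

```python
import io
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def looks_like_jar(data: bytes) -> bool:
    """A Java jar is a zip: check the PK local-header signature, then look
    for a manifest or compiled classes inside."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = inner.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def suspicious_entries(archive_bytes: bytes) -> list:
    """Return the names of archive entries whose extension claims an image
    while their content is a jar (the disguise described in the article)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in IMAGE_EXTS and looks_like_jar(outer.read(info)):
                findings.append(info.filename)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test data: an outer zip holding a jar renamed to .jpg
    (with a stub manifest and class) next to a genuine JPEG header stub."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class magic only
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("photo.jpg", jar_buf.getvalue())              # jar disguised as image
        outer.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # real JPEG magic
    return outer_buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_attachment()))  # ['photo.jpg']
```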
"Hello people.. :) <!– Designed by the SkyNet Team –> but am not the f*****g zeus bot/skynet bot or whatever piece of s**t.. no fraud here.. only a bit of mining. Stop breaking my b***z.."
The text in no way affects how the malware works; it is just a funny disclaimer aimed at any analyst listening to the client-server conversation. The received shellcode, however, is injected into Windows Explorer and executed. It triggers the download of a secondary DLL from a hardcoded location. This DLL embeds, among other things, the Bitcoin miner that starts the mining process meant to produce money for the cyber-crooks.
Bitcoin mining is only a small part of the entire affair. The cyber-criminals can change the shellcode every couple of hours, so they can push other types of malware without the victim's knowledge or intervention, depending on what they intend to do with the infected PCs.
Bitdefender blocks the malware so it can't misuse the victim's system resources or spam other Facebook users.
This article is based on the technical information provided courtesy of Victor Luncasu, Bitdefender Malware Researcher.