Digmine cryptocurrency bot attack via Facebook

by Nilesh Bhakre, December 27, 2017, at 7: PM. Source: Trend Micro

Illustration: Trend Micro

Social networking sites such as Facebook are increasingly used to spread malware, especially profitable crypto-miner botnets. This miner botnet uses victims' machines for cryptocurrency mining, like Bitcoin. The latest such miner bot, Digmine, was discovered by Trend Micro.

It spreads via Facebook Messenger. Although Facebook is available on various platforms, Digmine only infects through the desktop version with the Chrome browser, so this botnet cannot infect mobile devices.

INITIAL INFECTION VECTOR:

->AutoIt executable script posing as a video file

It is basically an executable script written in AutoIt (an automation programming language) that poses as a video file. If the user's Facebook account is set to log in automatically, the script sends the video file link to the friends of that account.

INFECTION COMPONENT :

->Initially, Digmine is nothing more than a downloader which connects to the attacker's C&C (command and control) server and then downloads various components.
->It saves the downloaded components in the %appdata% directory.
->It installs a registry autostart mechanism.
->It starts the Chrome browser from the command line to load a malicious Chrome extension that it retrieves from the C&C server.
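As an added detection example (not code from the Trend Micro write-up or from this post), the following Python flags the two host artifacts described above in constructed Sysmon-style events: a registry Run-key autostart value pointing into %appdata%, and Chrome launched from the command line with an unpacked extension under %appdata%. The Run key and the --load-extension switch are assumptions; the post names neither.

```python
import re

# %APPDATA% resolves to ...\AppData\Roaming; both artifacts in the post are dropped there.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# Real Chrome switch for loading an unpacked extension; assumed here to be how
# the command-line extension load described in the post appears in process telemetry.
LOAD_EXT_RE = re.compile(r'--load-extension="?([^\s"]+)', re.IGNORECASE)
# Standard per-user autostart key (assumed; the post does not name the key used).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

def check_process_create(event):
    """Flag chrome.exe started with an unpacked extension that lives under %APPDATA%."""
    if not event.get("Image", "").lower().endswith("chrome.exe"):
        return None
    match = LOAD_EXT_RE.search(event.get("CommandLine", ""))
    if match and APPDATA_RE.search(match.group(1)):
        return "chrome loading unpacked extension from AppData: " + match.group(1)
    return None

def check_registry_set(event):
    """Flag a Run-key autostart value whose command points into %APPDATA%."""
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    if RUN_KEY_RE.search(target) and APPDATA_RE.search(details):
        return "autostart value " + target + " -> " + details
    return None

CHECKS = {"ProcessCreate": check_process_create, "RegistryValueSet": check_registry_set}
def scan(events):
    """Run the check matching each event's type; return the list of findings."""
    findings = []
    for event in events:
        check = CHECKS.get(event.get("EventType"))
        finding = check(event) if check else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample telemetry (Sysmon-style fields); user names and paths are made up.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --load-extension="C:\Users\alice\AppData\Roaming\vidplayer\ext" https://www.facebook.com/'},
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" https://example.com/'},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\vidplayer",
     "Details": r"C:\Users\alice\AppData\Roaming\vidplayer\codec.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]
```

Running scan(SAMPLE_EVENTS) reports the extension launch and the vidplayer autostart entry and stays silent on the two benign events.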

INFECTION PROPAGATION:

->The extension can be used to log in to the Facebook account automatically or to open a fake page that pretends to play a video file.
->The browser extension interacts with the Facebook account.

Miner:

->The miner is downloaded by the codec.exe component, which in turn connects to another C&C server to download a further configuration file.

HOW TO PROTECT :

->Update your antivirus software to the latest version.
->Log off Facebook on the PC after use.
->Scan unknown files received via Facebook before executing them.
