
Malicious Links on Twitter Lead to Bitcoin Mining

  • Posted on:September 4, 2011 at 1:37 pm
  • Posted in:Bad Sites, Malware, Social
  • Author:
    Paul Pajares (Fraud Analyst)

Web Reputation Services (WRS) encountered spammed, malicious shortened URLs on Twitter that appear to point to a .JPEG file on a Facebook domain. The supposed .JPEG file is in fact not a picture but an executable, already detected by Trend Micro as WORM_KOLAB.SMQX. Searching for the image file name with Twitter's search function reveals a continually updated list of users who have Tweeted the same malicious link.

Clicking the links redirects through Twitter's own URL shortener (http://t.co). Most of the Tweeting accounts belong to users in Indonesia. To lure users into clicking, the cybercriminals put facebook.com at the start of the host name under which the malicious file is served: clicking the link leads the unwitting user to facebook.com.{BLOCKED}e-505.tk, which is not a Facebook site at all but a .tk domain whose subdomain merely begins with facebook.com. That page contains a frame set that loads the downloadable file http://{BLOCKED}f.by/images/news/Photo-G05971.jpeg.exe; the double extension hides the .exe behind a .jpeg name. Since September 2, 2011, approximately 600 Tweets carrying the same link have been posted.


Each Tweet from an affected account consists of the text “hahaha!!!” followed by the malicious link http://www.facebook.com.{BLOCKED}e-505.tk/Photo-G05971.jpeg. The same text is also pushed out through Twitter's re-Tweet and reply features.


What happens after running the malicious file? Checking the user's Local Settings folder, we found that it creates a directory named aaa containing the following files:

  • 3kal.cmd: a batch file containing the command that launches mamatije2.exe.
  • hsbca.exe: a clean copy of Hidden Start v3.2, a legitimate utility for running console programs without a visible window.
  • mamatije2.exe: the miner itself, already detected as HKTL_BITCOINMINE.

The file mamatije2.exe is a Bitcoin miner that connects to the malicious URL http://y.{BLOCKED}ame:8332/ (port 8332 is the default port of the Bitcoin JSON-RPC interface that miners of the time talked to over HTTP) using the user name mrdd_ludacha and the password mama1. At the time of analysis the login credentials did not work: the server answered with a bad request (HTTP 400). Bitcoin is a decentralized digital currency that is sent directly between peers over the Internet. New bitcoins are created by mining, a computationally expensive proof-of-work that anyone can perform with a freely available miner application, which is exactly why criminals want to run such miners on other people's machines.
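The two network indicators described above (an executable served under an image name with a double extension, and outbound HTTP to port 8332 carrying HTTP Basic credentials, which is how a Bitcoin JSON-RPC miner authenticates) can be checked for in proxy logs. The following scanner is an added example and is not code from the Trend Micro post; the log line format, the client addresses and the hostnames (lure.example, pool.example) are constructed for the example, while the file name, port and credentials are the ones the post reports.

```python
"""
Added example (not part of the original post): flag two indicators from the
post in web-proxy logs.  The log format below is an assumption made up for
this example:
    <client_ip> <METHOD> <url> <status> [Authorization: Basic <base64>]
Indicators:
  1. a download whose file name ends in <image ext>.<executable ext>
  2. an HTTP request to TCP port 8332, the default Bitcoin JSON-RPC port,
     with HTTP Basic credentials (decoded so an analyst can see them).
"""
import base64
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})'
    r'(?:\s+Authorization:\s*Basic\s+(?P<b64>[A-Za-z0-9+/=]+))?\s*$'
)

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
BITCOIN_RPC_PORT = 8332


def is_double_extension_lure(url):
    """True when the URL's file name looks like picture.jpeg.exe (an executable posing as an image)."""
    name = urlsplit(url).path.lower().rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) < 3:          # need at least name.image_ext.exec_ext
        return False
    return parts[-1] in EXEC_EXTS and parts[-2] in IMAGE_EXTS


def decode_basic_auth(b64):
    """Return (user, password) from a Basic auth token, or None if it does not decode."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError
        return None
    user, sep, pwd = raw.partition(":")
    return (user, pwd) if sep else None


def scan_line(line):
    """Return a list of (indicator, detail) tuples for one log line; empty if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    url = m.group("url")
    parts = urlsplit(url)
    if is_double_extension_lure(url):
        hits.append(("double-extension executable", url))
    try:
        port = parts.port
    except ValueError:          # malformed port in the URL
        port = None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port == BITCOIN_RPC_PORT:
        detail = f"{parts.hostname}:{port}"
        creds = decode_basic_auth(m.group("b64")) if m.group("b64") else None
        if creds:
            detail += f" user={creds[0]} password={creds[1]}"
        hits.append(("bitcoin json-rpc", detail))
    return hits


def scan_log(lines):
    """Scan many log lines; return (client_ip, indicator, detail) for every hit."""
    return [(line.split()[0], ind, detail)
            for line in lines for ind, detail in scan_line(line)]


# Constructed sample log.  Hostnames are invented; the file name, port and the
# Basic token (base64 of "mrdd_ludacha:mama1") come from the post.
SAMPLE_LOG = [
    "10.0.0.5 GET http://t.co/xxxxxxx 301",
    "10.0.0.5 GET http://www.facebook.com.lure.example/Photo-G05971.jpeg 200",
    "10.0.0.5 GET http://cdn.lure.example/images/news/Photo-G05971.jpeg.exe 200",
    "10.0.0.5 GET http://pictures.example/vacation.jpeg 200",
    "10.0.0.5 POST http://y.pool.example:8332/ 400 Authorization: Basic bXJkZF9sdWRhY2hhOm1hbWEx",
    "10.0.0.7 GET https://intranet.example:8332/status 200",
]

if __name__ == "__main__":
    for client, indicator, detail in scan_log(SAMPLE_LOG):
        print(f"{client}  {indicator}: {detail}")
```

The last sample line shows the caveat: port 8332 on its own is only a weak signal (an internal service may legitimately use it), so a hit without Basic credentials or without a preceding double-extension download deserves triage rather than an automatic block.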

Apart from the Tweets, the worm also connects to other malicious sites, which host the following malicious files:

  • http://robertpattinson.{BLOCKED}ion.org/pictures/Calc-3-9-2011.jpeg: detected by Trend Micro as HKTL_BITCOINMINE.
  • http://{BLOCKED}alokab.go.id/images/news/JohnLennon-Imagine.exe: detected as WORM_KOLAB.SMQX.

Notice that the hosting paths and file names borrow the names of famous personalities such as Robert Pattinson and John Lennon, and that the second file is served from a .go.id domain, the second-level domain of the Indonesian government.

All related URLs are already being blocked and all files are already being detected as WORM_KOLAB.SMQX by the Trend Micro Smart Protection Network.
