Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > Trojan Disguised as Trend Micro Component Drops Bitcoin-Mining Malware

    Malware writers have devised lots of social engineering tactics to lure users into their scheme. This time around, we saw a Trojan passing itself off as a Trend Micro component as a way to trick users into downloading and executing it.

    We recently encountered a file and noticed the following properties (see below). For the untrained eye, this file can be mistaken as a Trend Micro product/component. But during our analysis, we verified this file as a Trojan in disguise. We believe that by spoofing Trend Micro properties, the people behind this threat are hoping to trick unwitting users into executing the file. This malware is already detected by Trend Micro as TROJ_RIMECUD.AJL.

    When user executes TROJ_RIMECUD.AJL, it creates the process svchost.exe where it injects its malicious code. Once done, the malware downloads a component package (refer to Figure 2).

    This downloaded package contains a bitcoin miner application created by Ufasoft. We detect this bitcoin app as HKTL_BITCOINMINE.

    Bitcoin is considered digital currency and can be used to pay certain transactions online. This attack is timely because of the news that Bitcoin Central has been approved by the law to function as a bank where exchange from Euro and Bitcoins are now possible.

    For the past years, there have been cases wherein systems are infected with Bitcoin-mining malware and turning them into unwilling “miners”.  In turn, these (systems) churn Bitcoins for the benefit of the bad guys while the affected users are left in the dark.  Besides generating profit for its authors, this malware consumes too much of the system’s resources. In sudden slowdown of the system always check your running processes and search for unknown running application. This occurrence maybe caused by a possible infection of Bitcoin mining activity.

    To avoid becoming victim to this scheme, users must be extra-cautious when downloading applications, files found on the internet. Better yet, refrain from visiting unknown websites and clicking ads or shortened URLs contained in email messages from unverified sources.

    To know more about the threat that certain bitcoin mining apps pose, check out our previous blog posts below:

    The Trend Micro Smart Protection Network™ detects and deletes TROJ_RIMECUD.AJL and HKTL_BITCOINMINE, if found on user’s system.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Friday, December 7th, 2012 at 1:17 pm and is filed under Malware . Both comments and pings are currently closed.



    • Black AM

      Bit shitty to add “hack tool” def for a legitimate application due to misuse by some cretins. Far better to label as not.a.virus or potentially unwanted application.



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice