Just now some girls at work got caught by a virus, a funny little thing: they launched it, and it sent itself to all their contacts. The file itself is an archive named something like video_<random string of digits>, and inside the archive is an exe with a YouTube icon. And yes, virus-green.

The culprit of the festivities, of course, I put into a test tube, a virtual machine, for further experiments, and in the meantime I read the news, where information about the virus was already being actively pushed (in Ukraine).
The funny thing is that some of the headlines were along the lines of "How to remove the Facebook virus," and they described how supposedly you need to change your password and enable two-step authentication (yeah, that supposedly helps). But nobody described the motives of the virus: it was sent to friends, someone launched it, and it went on from there, etc., etc.
Anyway, Process Monitor was installed on the virtual machine (Win 7) and the virus itself was launched. After launch, I was told that IE could not run the JS script (haha), but the malware didn't lose its head and launched Chrome, trying to open a tab with Facebook.
In Process Monitor, the creation of a new folder was discovered, sitting in a very prominent place,
Users/IEUser/AppData/Roaming/, with an exe carrying some kind of trendy name:

Oh, there's also a JSON in there, let's take a look:

So, what do we have? A miner for Monero (a cryptocurrency), the miner itself being XMRig (its source code is openly available on GitHub).
Actually, if you look for whom it is mining, you can go to a GitHub profile where you can see that the user recently forked this miner, as well as a couple of interesting repositories along the lines of "ua-parser-js", which definitely adds puzzle pieces and leads to certain thoughts.
Whether it's a front account or not, who knows.
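As an added example, not code from the post: a small triage script that checks for the three things observed above (a video_<digits> archive name, an exe dropped under AppData\Roaming, and a JSON config that looks like an XMRig pool configuration). The config field names (pools/url/user) are assumed from upstream XMRig's config format; the sample paths, hostname and wallet are constructed placeholders.

```python
import json
import re
from typing import Dict, List

# Lure archive naming seen in the post: video_<random digits>, archive with an exe inside.
LURE_ARCHIVE = re.compile(r"^video_\d+\.(zip|rar|7z)$", re.IGNORECASE)


def is_lure_archive(name: str) -> bool:
    """True for file names matching the video_<digits>.<archive> lure pattern."""
    return bool(LURE_ARCHIVE.match(name))


def looks_like_miner_config(text: str) -> bool:
    """True if the text is JSON carrying a pools list with url/user entries (XMRig-style config, assumed layout)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return False
    if not isinstance(cfg, dict):
        return False
    pools = cfg.get("pools")
    if not isinstance(pools, list):
        return False
    return any(isinstance(p, dict) and "url" in p and "user" in p for p in pools)


def triage(dropped_files: Dict[str, str]) -> List[str]:
    """Map of path -> file content (as collected from the VM); returns a list of findings."""
    findings = []
    for path, content in dropped_files.items():
        norm = path.replace("\\", "/")
        name = norm.rsplit("/", 1)[-1]
        if is_lure_archive(name):
            findings.append(f"lure archive: {path}")
        if "/AppData/Roaming/" in norm and name.lower().endswith(".exe"):
            findings.append(f"executable dropped under Roaming: {path}")
        if name.lower().endswith(".json") and looks_like_miner_config(content):
            findings.append(f"miner config: {path}")
    return findings


# Constructed sample input, not data from the post (placeholder host and wallet).
SAMPLE = {
    "C:/Users/IEUser/Downloads/video_48213.zip": "",
    "C:/Users/IEUser/AppData/Roaming/Update/updater.exe": "MZ...",
    "C:/Users/IEUser/AppData/Roaming/Update/config.json": json.dumps({
        "algo": "cryptonight",
        "pools": [{"url": "pool.example.invalid:3333", "user": "PLACEHOLDER_WALLET", "pass": "x"}],
    }),
    "C:/Users/IEUser/AppData/Roaming/Mozilla/profiles.ini": "[General]",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```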
That's all I wanted to say.