What are dangerous social networks on your PC?

Researchers at Trend Micro discovered a new cryptocurrency bot miner that spreads through Facebook Messenger. It was first spotted in South Korea and given the nickname Digmine. Digmine was also spreading in other regions, such as Vietnam, Azerbaijan, Ukraine, Vietnam, the Philippines, Thailand and Venezuela.

Facebook Messenger works on different platforms, but Digmine is dangerous only for the desktop / web browser version. If you open the file on other platforms, such as mobile devices, the malware will not work properly.
')
To create Digmine, AutoIt is used — a free language for automating task execution in Microsoft Windows. The file is sent to potential victims in the form of a video file, but is actually an executable script on AutoIt. If a Facebook user account is configured to automatically log in, Digmine will use the victim's Facebook Messenger to send a link to the file to the user's friends. At the moment, the bot is only engaged in the spread of malware. Later, the functionality can be updated by changing the code using the C & C server (command-and-control).

For successful operation of botnets for mining cryptocurrencies and, in particular, Digmine, which produces Monero, attackers need to stay in the victim's system as long as possible. The virus also needs to infect as many machines as possible, as this leads to an increase in hashrate and potentially to a greater criminal income.


Figure 1: Digmine attack chain


Figure 2: Digmine link sent via Facebook Messenger

Chain of infection

Digmine is a bootloader that first connects to a C & C server to get multiple components. The initial configuration contains links from which components are downloaded. Most of them are also hosted on the same C & C server. It saves the loaded components in the% appdata% \ username directory.




Figure 3: Configuration and loaded components

Digmine will perform other procedures, such as adding a startup to the registry, running Chrome, and installing a malicious browser extension, which will be received from the C & C server. If Chrome is already running, the malware will shut down and restart. Although extensions can only be downloaded from the Chrome Web Store, attackers bypassed this limitation by running Chrome (with a malicious extension) via the command line.




Figure 4: Digmine bootloader component in the autorun registry entry (top) and a marker indicating that the malware has infected the system (bottom)




Figure 5: Rebooting Chrome to load the extension (below)

The C & C server can either instruct to extend the current configuration, or open the page where the video will play.

The lure site that plays video also serves as part of the C & C structure. This site looks like a regular video streaming service, but also contains many configurations for malware components.


Figure 6: Screenshot of the site used to play the video as bait


Figure 7: Initial setup used by the browser extension

Spread

The browser extension is responsible for distribution through interaction with Chrome, as well as through Facebook Messenger. If the user has a Facebook account that is logged in by default, the browser extension can interact with that account. Digmine's interaction with Facebook may become wider in the future, since attackers can add functionality remotely.


Figure 8: Part of the additional code received from the C & C server that allows you to manipulate your Facebook account

Component for mining

The miner module is loaded using codec.exe. It will connect to another C & C server to receive the configuration file and the miner program.

The miner.exe component is an open source version of Minero Miner, known as XMRig. It was reconfigured for mining using the config.json file instead of getting parameters directly from the command line.




Figure 9: Miner configuration (above) and codec.exe code that starts the Miner component (below)

Communication and protocol

Certain HTTP headers are used to communicate with the C & C server. When loading the original configuration, the malware creates an HTTP GET request before sending it to the C & C server:



It should be noted that malware uses a specific User-Agent - Miner. Access to the original configuration file is denied if the HTTP request header is invalid.

Best practics

The increasing popularity of mining cryptocurrency attracts attackers to illegal mining botnet creation activities. As with other cyber-crime schemes, numbers are crucial. Large pools of victims mean potentially large profits. Therefore, it is not surprising that infection spreads through popular platforms such as multi-million social networks and instant messengers. Since users often use them to communicate during working hours, this can negatively affect the information security of the corporate IT infrastructure.

Trend Micro revealed the results of Facebook research, which quickly removed many of the Digmine related links. Facebook's official statement says

“We use a number of automated systems that help stop the appearance of malicious links and files on Facebook and in Messenger. If you suspect that your computer is infected with malware, we will give you a free anti-virus scan from our partners. We talk about how to stay safe on facebook.com/help. "

Below are the compromise indicators associated with this attack (IoCs):

TROJ_DIGMINEIN.A (SHA256);
beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d

BREX_DIGMINEEX.A (SHA256):
5a5b8551a82c57b683f9bd8ba49aefeab3d7c9d299a2d2cb446816cd15d3b3e9

TROJ_DIGMINE.A (SHA256):
f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909

C & C servers related to Digmine (including subdomains):
vijus [.] bid
ozivu [.] bid
thisdayfunnyday [.] space
thisaworkstation [.] space
mybigthink [.] space
mokuz [.] bid
pabus [.] bid
yezav [.] bid
bigih [.] bid
taraz [.] bid
megu [.] info

Other articles of our blog:
→ Clouds from an unknown country. Cloud FAQ
→ PD operators errors related to personnel work
→ Compare what you can not: cheap hosting and cloud on the VMware stack
→ Children - ice cream, information system - backup
→ FAQ on integration with ESIA