Virus Video_6447.zip Or Digmine Cryptocurrency Miner

By officialzubairansari | January 1, 2018 | Views: 4205


Attention: someone could be misusing your computer's processing power to make money!

If a trusted Facebook friend sends you a video file (a zipped archive) on Messenger, just don't click on it: a single click is all an attacker needs to start mining cryptocurrency on your machine.

But you may ask a simple question: how can they access your PC's processing power, and how do they use it?

Researchers from Trend Micro report that the virus video_6447.zip is spreading through Facebook Messenger and targeting Google Chrome desktop users, taking advantage of the recent surge in cryptocurrency prices. The Monero-mining bot is disguised as a non-embedded video file named video_xxx.zip or video_6447.zip, as you can see in the screenshot.

Remember, this is not actually a video file: it contains auto-executing scripts that act as agents for the attacker.

Once you click on that file (video_xxx.zip), it starts infecting the victim's computer. Its components and related configuration files are downloaded from a remote command-and-control (C&C) server. Digmine primarily installs a cryptocurrency miner, crypto_miner.exe, a modified version of the open-source Monero miner XMRig, which silently mines Monero in the background of the infected machine. The attackers profit by using the processing power of your computer. As you can see graphically here:

Besides the cryptocurrency miner, the Digmine bot also installs an autostart mechanism and launches Chrome with a malicious extension that lets the attackers access the victim's Facebook profile and spread the virus to the compromised account's friend list via Messenger.

Many of you know that Chrome extensions can normally only be installed from the Chrome Web Store. Not just anyone can upload a malicious extension to the Chrome Web Store, but these are hackers, and they can accomplish anything they put their minds to. So they bypassed this restriction by launching Chrome (loaded with the malicious extension) via the command line.

"The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in with Facebook or open a fake page that will play a video.
The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configuration for the malware's components," Trend Micro researchers say.

Fortunately, this malicious video file cannot be executed in the Messenger mobile app, so it cannot affect mobile devices if clicked by mistake. Since the miner is controlled by the attackers from a C&C server, the people behind Digmine can upload and update different malicious functionalities remotely.

Digmine first spread in countries such as South Korea, Vietnam, Azerbaijan, Ukraine, the Philippines and Thailand, but it is now spreading globally through the Facebook platform; Facebook users from my own country, Pakistan, have also been affected by this virus.

TIPS: Awareness is the first and most important patch for everything. Second, if you clicked the link or were affected, here is what to do:
1) Remove unknown extensions from Chrome.
2) Update Chrome to the newest version.
3) Check for unknown applications and uninstall any you find.
4) Update the operating system with the latest patches (if possible).
5) Use a paid antivirus to scan your computer completely, for peace of mind.
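The article describes three artifacts a Digmine infection leaves on a Windows desktop: Chrome launched from the command line with a side-loaded extension, an autostart entry, and a malicious extension in the profile. The following PowerShell checklist script is an added example (not code from the article or from Trend Micro) that surfaces those three things so tips 1 and 3 can be applied with evidence; it assumes a per-user Chrome install with the default profile path.

```powershell
# Added example: host-side triage for the artifacts described above.
# Assumption: Chrome installed per-user, default profile under %LOCALAPPDATA%.
$findings = @()

# 1. Chrome processes started with --load-extension, the Web Store bypass the
#    article describes (a normal Chrome launch does not carry this switch).
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
    Where-Object { $_.CommandLine -match '--load-extension=' } |
    ForEach-Object {
        $findings += "chrome.exe PID $($_.ProcessId) side-loads an extension: $($_.CommandLine)"
    }

# 2. Autostart entries: Run keys for the current user and the machine, plus the
#    per-user Startup folder. Review anything you did not install yourself.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to the object.
            if ($p.Name -notmatch '^PS') {
                $findings += "Autostart [$key] $($p.Name) = $($p.Value)"
            }
        }
    }
}
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Startup folder item: $($_.FullName)" }

# 3. Extensions present in the default Chrome profile, with the name each
#    manifest declares. Layout is <extension id>\<version>\manifest.json.
#    Names starting with __MSG_ are localized placeholders, not real names.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extRoot) {
    Get-ChildItem -Path $extRoot -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            $findings += "Extension $($_.Directory.Parent.Name) name='$($m.name)' version=$($m.version)"
        }
}

if ($findings.Count -eq 0) { Write-Output 'No side-loaded extension, autostart entry or profile extension found.' }
$findings | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session so the HKLM Run key and all chrome.exe command lines are readable; an extension that appears only in step 1 (loaded from a path outside the profile) is the pattern the article describes.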

Resource: Trend Micro – http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/

8 Comments
  1. Thanks for the info.. I was infected by that virus too when I was expecting one of my friends to upload a file for our project.. bad, too late. When I read this I had already fixed the problem a couple of minutes after I was infected.
    ..
    I have a little screenshot of the other miner here:
    https://imgur.com/a/7HJbJ
    ..
    I could have shared the config but I edited it (to blank) and deleted it right away because of panic.

  2. Please guys, this is a reputable site; before you post, read the article and make sure it makes sense before posting. Just too many errors in this article, but a good article nonetheless. Just a thought.

  3. nice article👍

  4. Yeah bro, Team Cybrary read my article and then published it on Cybrary.
    Do I have any mistakes?

  5. Does anyone actually read the post before it goes live?
