By: Zubair Ansari
January 1, 2018
Virus Video_6447.zip Or Digmine Cryptocurrency Miner
Attention: someone could be using your computer's processing power to make money for themselves!
If someone you trust on Facebook sends you a video file (as a zipped archive) on Messenger, do not click on it: one click is all an attacker needs to start mining cryptocurrency on your machine. You may ask how they get access to your PC's processing power and how they use it.

A researcher from Trend Micro reports that the "virus" video_6447.zip is spreading through Facebook Messenger and targeting Google Chrome desktop users, taking advantage of the recent surge in cryptocurrency prices. The Monero-mining bot is disguised as a non-embedded video file named video_xxx.zip (video_6447.zip in the screenshot). Remember, this is not a video file at all: the archive carries auto-executing scripts that act as agents for the attacker.

Once you click the file (video_xxx.zip) it starts infecting the victim's computer. It downloads its components and the related configuration files from a remote command-and-control (C&C) server. Digmine primarily installs a cryptocurrency miner, crypto_miner.exe, a modified version of the open-source Monero miner XMRig, which silently mines Monero in the background using the processing power of the infected machine (illustrated in the diagram).

Besides the miner, the Digmine bot also installs an autostart mechanism and launches Chrome with a malicious extension that lets the attackers access the victim's Facebook profile and spread the malware to the compromised account's friend list via Messenger. Chrome normally allows extensions to be installed only from the Chrome Web Store, and not just anyone can upload a malicious extension there; but these are determined attackers, and they found a way around it.
They bypassed this restriction by launching Chrome from the command line with the malicious extension already loaded. "The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in with Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware's components," Trend Micro researchers say.

Fortunately, the malicious file cannot execute in the Messenger mobile app, so it cannot affect mobile devices if it is clicked by mistake. Since the miner is controlled from a C&C server, the attackers behind Digmine can upload new malicious functionality and update the existing components remotely.

Digmine first spread in countries such as South Korea, Vietnam, Azerbaijan, Ukraine, the Philippines and Thailand, but it is now spreading globally through the Facebook platform; Facebook users from my country, Pakistan, have also been affected by this virus.
TIPS: Self-awareness is the first and most important patch for everything. Second, if you clicked the link or think you are affected:
1) Remove unknown extensions from Chrome. Because this extension is side-loaded from the command line rather than installed from the Web Store, also check the autostart entries (the Run registry keys and the Startup folder) for a chrome.exe launch carrying a --load-extension switch, and remove that entry too.
2) Update Chrome to the newest version.
3) Check for unknown applications and uninstall any you find.
4) Update the operating system with the latest patches (if possible).
5) Run a full scan with a paid antivirus product for peace of mind.
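The two host-side traces described above (Chrome started from the command line with a side-loaded extension, and a dropped binary started from an autostart location) can be hunted for mechanically. The script below is an added example written for this page; it is not code from the original post or from Trend Micro. The autorun entries, process command lines, paths and the extension manifest it runs over are constructed sample data, not indicators from a real infection; only the --load-extension switch itself is Chrome's real mechanism for loading an unpacked extension.

```python
"""
Triage helpers for the Digmine-style traces discussed above:
  1. chrome.exe launched with --load-extension (side-loaded, non-Web-Store extension)
  2. an autostart entry whose executable lives in a user-writable directory
     (where a dropped miner such as crypto_miner.exe would sit)
  3. an extension manifest whose host permissions reach facebook.com

Added example, not code from the original post or from Trend Micro.
All sample entries, paths and the manifest are CONSTRUCTED illustrations.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Chrome's switch for loading an unpacked extension; value is one or more
# directories, comma separated, optionally quoted.
LOAD_EXTENSION_RE = re.compile(
    r'--load-extension=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)
# The executable at the front of a command line, quoted or bare.
EXE_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
# Locations any user can write to; code autostarting from here deserves a look.
USER_WRITABLE_RE = re.compile(
    r'\\(AppData\\(?:Local|Roaming)|Temp|Downloads|Public)\\', re.IGNORECASE)
# Source labels used for entries collected from autostart locations (hypothetical labels).
AUTOSTART_SOURCES = ("HKCU\\Run", "HKLM\\Run", "Startup folder")
# Host patterns that cover every site, facebook.com included.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


@dataclass(frozen=True)
class Finding:
    source: str   # where the entry was collected from
    reason: str   # why it was flagged
    detail: str   # the path(s) that triggered the rule


def sideloaded_extensions(cmdline: str) -> list[str]:
    """Return the extension directories a Chrome command line side-loads ([] if none)."""
    if "chrome.exe" not in cmdline.lower():
        return []
    m = LOAD_EXTENSION_RE.search(cmdline)
    if not m:
        return []
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return [p for p in value.split(",") if p]


def executable_of(cmdline: str) -> str:
    """Extract the program path from a command line ('' if unparseable)."""
    m = EXE_RE.match(cmdline)
    return (m.group("quoted") or m.group("bare") or "") if m else ""


def triage(entries: list[tuple[str, str]]) -> list[Finding]:
    """Apply rules 1 and 2 to (source, command line) pairs and return the findings."""
    findings: list[Finding] = []
    for source, cmdline in entries:
        for ext_dir in sideloaded_extensions(cmdline):
            findings.append(Finding(source, "chrome side-loads an unpacked extension", ext_dir))
        exe = executable_of(cmdline)
        if source in AUTOSTART_SOURCES and USER_WRITABLE_RE.search(exe):
            findings.append(Finding(source, "autostart entry runs from a user-writable directory", exe))
    return findings


def facebook_reach(manifest: dict) -> list[str]:
    """Rule 3: host patterns in a manifest (MV2 'permissions' or MV3 'host_permissions')
    that would let the extension read or act on facebook.com pages."""
    patterns = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return [p for p in patterns if p in BROAD_HOSTS or "facebook.com" in p]


# Constructed sample data (NOT real indicators).
SAMPLE_ENTRIES = [
    ("HKCU\\Run", r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ("HKCU\\Run",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
     r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext" --no-first-run'),
    ("HKCU\\Run", r'C:\Users\alice\AppData\Roaming\crypto_miner.exe'),
    ("process list", r'"C:\Windows\System32\svchost.exe" -k netsvcs'),
]
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "permissions": ["tabs", "cookies", "*://*.facebook.com/*"],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f.source}] {f.reason}: {f.detail}")
    print("facebook-capable host patterns:", facebook_reach(SAMPLE_MANIFEST))
```

On a real host you would feed `triage` the actual values of the Run keys and the Startup folder shortcuts, plus the command lines of running processes (for example from `Get-CimInstance Win32_Process | Select-Object CommandLine` in PowerShell), and point `facebook_reach` at the manifest.json inside any directory a flagged --load-extension switch names. A legitimate developer who loads their own unpacked extension will also trip rule 1, so treat a hit as something to inspect rather than proof of infection.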
Resource: Trend Micro - https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/