430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Potentially Unwanted Programs secretly serve Bitcoin miner

Security experts at Malwarebytes discovered Potentially Unwanted Programs like Toolbars and Search Agents that installed Bitcoin miners on user’s PC The value of the Bitcoin for a few days has passed the psychological threshold of one thousand dollars, confirming its growth trend, the attention in the virtual currency scheme is at the highest levels and […]

Potentially Unwanted Programs secretly serve Bitcoin miner

Security experts at Malwarebytes discovered Potentially Unwanted Programs like Toolbars and Search Agents that installed Bitcoin miners on user’s PC

The value of the Bitcoin for a few days has passed the psychological threshold of one thousand dollars, confirming its growth trend, the attention in the virtual currency scheme is at the highest levels and cybercriminals are exploiting new ways to monetize the unprecedented surge.
Bitcoin USD value

Blackmarket is proposing new exploit kits, like Atrax, that could be used to infect victims with the purpose to steal Bitcoin wallets or to abuse of the computational resources of the victims for Bitcoin mining.

Recently security experts at Malwarebytes alerted the security community on the diffusion of Potentially Unwanted Programs (PUPs) including search agents and Toolbars, that are bundled with malware having mining capabilities.

“This time, however, we are taking a look at a PuP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.” states the blog post on Malwarebytes website.

The experts have discovered a malware instance that utilizes victims’ computing resources for Bitcoin mining, in particular it uses ‘jhProtominer’ a popular mining software that runs via the command line, to abuse the CPUs and GPUs of the infected machine.

On November  22th researchers at Malwarebytes received a request for assistance from users about an anomalous behavior of a file, titled “jh1d.exe” that was taking up 50% of the system resources. The file in reality was the Bitcoin Miner “jhProtominer”. The experts also discovered that jhProtominer wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe”, Monitor.exe was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT.

Upon further investigation Malwarebytes experts have found a link between WBT and Mutual Public thanks to an entry in the  Sarasota Business Observer.

Bitcoin mining
“monitor.exe” is a component of YourFreeProxy application, which “beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system.”
Resuming the experts collected the proof that a PUP is installing Bitcoin miners on users systems, but the concerning issue is that they do it providing ambiguous information in the EULA proposed to the victims. The Eula in fact specifically covers a section on Computer Calculations describing a series of operations similar to the actions of a Bitcoin Miner.

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

Practically the user is advised that the company behind the PUP can and will install an application for Bitcoin mining keep the rewards for itself.
The increased popularity of Bitcoin will motivate the cybercrime industry to produce new and even more sophisticated miners and wallet stealers, it is highly recommended to install proper defense systems and to keep PC and applications updated.

Pierluigi Paganini

(Security Affairs –  Bitcoin miner, malware)