Phone: 028 6290 8818

/// news/events

news/events > Bitcoin malware not just limited to Skype and Bitcoin mining - uncovers Cyberoam Threat Research Labs

Cyberoam, the leading global network security appliances company, today announced its Threat Research Labs (CTRL) has identified unreported truths on the Bitcoin mining malware that targets Skype users. Last week has seen several news articles being published following the malware’s ongoing campaign on Skype. Moreover, a slew of conversations among security industry community on this digital currency stealing malware planting botnets to work in bitcoin mining are on. Findings from Cyberoam Threats Research Labs go beyond this and divulge the modus-operandi adopted by the cyber attackers behind this malware while also providing insightful evidence on other risks that are not limited to Bitcoin mining alone.

“Recent reports on the malware saying the threat is aimed at building a botnet to mine bitcoins using the CPU resources of victimized computers is only half the story”, says Bhadresh Patel, lead vulnerability researcher at CTRL.  “Our threat research team ran a detailed investigation and also allowed the malware to become fully active, letting it achieve reasonable degree of infection on test systems. With this approach, CTRL threat analysts have succeeded in conducting deep analysis of the malware and its latent threat potential while uncovering several other risks that have not been reported yet”, he adds further.
Behind the scenes investigation on Bitcoin mining malware revealed by CTRL
The malware spreads over Skype using a shortened Google URL that has a cleverly placed suffix right at the end, which represents a non-existent image file. E.g. a Skype user is prompted with a link, which is accompanied by a message such as “tell me what you think of this picture I edited”. Here, the purpose behind placing a reference to an image file instead of an ‘.exe’ file is only to lure the Skype user to access / follow the link. This provides striking evidence into how cyber criminals are analyzing internet users’ awareness and application usage behavior to make them fall prey to mind-games
Discussions on this malware’s activity have so far focused only on its capability to propagate Skype messages and initiate Bitcoin mining; however, CTRL has identified that lot more potential risks are involved. CTRL research succeeded in investigating the attacker’s modus operandi by being able to access the attacker’s malware hosting server. CTRL investigation found that besides Bitcoin mining, several other risks were present on the server. Some of these include,
Propagation of the malware using “Spamming”
Involvement of other remote malware hosting serves located in destinations such as Russia, to enhance the threat potential of the malware. CTRL, upon performing further exploration on these remote servers learned that such servers have recently updated malware samples, which would allow such threats to enjoy low detection rate
A threat instance namely ‘ppc.exe’, capable to trigger identity threat attacks was also found. CTRL analysis in this latent threat revealed that it uses third-party IP geo-location database to identify the victim’s location, organization, connection speed, and user type, aimed at stealing the victim’s identity
Further investigating from the CTRL (after allowing full infection to prevail on test systems) to study the attacker’s mindset revealed that upon rebooting a fully infected system, the victim is presented with a false message from a resident ransomware (also known as cryptotrojan), seeking ransom to disinfect the system
CTRL also clinched a break-through evidence by being able to capture and dissect a PHP Shell on the malware hosting server; further investigation into this evidence revealed that this Shell allows the attacker to manage threat activities and malware samples
Moreover, CTRL also learned that the attacker is using a shell script to automatically update malware binaries, saving substantial time to remain actively invested in augmenting the malware’s capability
Visit Cyberoam Blog for exclusive screen-captures and detailed process revealed by CTRL researchers.
“Cyberoam Threat Research Labs believes in going beyond the obvious threat to extract comprehensive and insightful findings as appears from this investigation. In the wake of growing outbreak of advanced malware attacks, CTRL aims at conducting more thorough investigations into the likely motive and hidden threat potential of such attacks”, informs Abhilash Sonwane, Sr. Vice President - Product Management, Cyberoam.
As a responsible threat research squad, CTRL finds it an imperative to go beyond finding emerging potential threats and aims at providing insightful investigation into how advanced threats are engineered and imagined around today’s internet usage and apps.
About Cyberoam Threat Research Labs
Cyberoam Threat Research Labs (CTRL) identifies security threats and protects Cyberoam customers against various vulnerabilities such as malware attacks by publishing security upgrade and research reports. Such reports help Cyberoam customers remain protected with detailed guidance and malware threat prevention advice using appropriate configuration of parameters on Cyberoam appliances. During the last year, CTRL had researched over 138 vulnerabilities and released suitable signatures protection for extending appropriate security protection to customers.
About Cyberoam Technologies Private Limited
Cyberoam Technologies Private Limited is a global Network Security appliances company, offering security solutions for the networks of the future, with its innovative technologies. Cyberoam’s Identity-based Unified Threat Management appliances integrate multiple security features like stateful inspection firewall, VPN, Intrusion Prevention System, Gateway Anti-Virus/Anti-Spyware, Gateway Anti-Spam, Web Filtering, Application Visibility & Control, Web Application Firewall, Bandwidth Management and Multiple Link Management over a single platform. The virtual and hardware Cyberoam Central Console appliances offer Centralized Security Management options to organizations, while Cyberoam iView allows intelligent logging and reporting with one-of-their-kind, in-depth reports. Cyberoam is accredited with prestigious global standards and certifications like CheckMark UTM Level 5 Certification, ICSA Labs, IPv6 Gold logo, and is a member of the Virtual Private Network Consortium. It has offices in US and India. For more information, please visit

Head Office
Floor 5, PaxSky Building, 123 Nguyen Dinh Chieu Street, Ward 6, Dist 3, HCMC, VietNam.
Tel: 028 6290 8818 - Fax: 028 6290 8828
user(s) online
Copyright 2013 GSNET Technologies Pvt. Ltd. All Rights Reserved. Designed by GTS