Phishers pose as Cloudhashing to steal your Bitcoins

Bitcoins and Bitcoin mining are a very captivating subject for anyone interested in the popular digital currency.

There are always new developments and a touch of mystery (last week we heard rumours that someone was threatening to expose Bitcoin founder Satoshi Nakamoto).

A few days ago, a suspicious email was forwarded to me that appeared to be sent from Cloudhashing, one of the largest Bitcoin mining companies.

: Image courtesy of: http://goo.gl/hppD1h

Cloudhashing

sells contracts

to mine for bitcoins using its

cloud

-based computer network located in Iceland.

Subject: Invoice 764 Date: Tue, 9 Sep 2014 04:59:01 +1100 From: CloudHashing  To: {redacted}Invoice Payment Confirmation
Kind regards
Mobile: +1 (510) 973-1050 Phone: +1 (530) cloudhashing Fax: +1 (510) 573-2760 Technology IQ Ltd. 11130 Jollyville Rd. Ste. 304 Austin TX 78759

The email contained a so-called invoice payment confirmation (Invoice_764.jar) as an attachment. This is not your ‘typical’ invoice file format though, as it turns out to be a Java applet:

Applets can run like any other type of executables provided you have Java installed on the system. So we decided to execute this file in a controlled environment to better understand its purpose.

The Javaw.exe process is invoked and creates a copy of the applet under AppDataRoamingWindowsWindows.Kh8

However, the file is hidden with a rootkit-like technique. We used a dual-boot (Windows-Linux) box to expose this clever technique (you could use a Live CD to boot your PC from and then check your drive).

On Windows, the rookit is active and hides the Windows.Kh8 file (the applet) while on Linux the rookit is not active and we are able to view the file on the mounted Windows hard-drive:

The author of this applet also ensured persistence by creating an entry under the Run key in the registry so that it would automatically relaunch after every reboot of the system:

As far as the payload’s motives are concerned, we notice strange TCP/IP activity out of the javaw.exe process:

That IP (82.102.231.110 and other ones such as 82.102.240.131) are located in the Middle East:

Image courtesy of IPligence.

A deeper look at the traffic packets in network capture software Wireshark reveals its most likely purpose: Bitcoin-mining activity.

We are not sure how the attackers behind this phishing/malware scheme are contacting their marks. However, late on Friday, Cloudhashing issued an urgent notice to all of its users:

From: Cloud Hashing  Date: September 12, 2014 at 7:45:42 PM PDT Subject: Cloud Hashing Newsletter - URGENT NOTICE Reply-To: Cloud Hashing

There is no end of interest for Bitcoins and malicious actors are eager to recruit as many systems as they can to help in the hardware-intensive process of mining.

Perhaps posing as a legitimate Bitcoin company, the phishers expect to dupe people who are already involved in this activity and possess the necessary equipment.

Thanks to my friends and colleagues @jean_taggart and @Kujman500 for additional research assistance.

@jeromesegura