Hackers Seeding Ransomware via Bitcoin and Ether Giveaways

May 28, 2019 at 11:00 am This article is more than 4 years old

News

While the entire cryptospace is busy celebrating the return of the “bulls,” bad actors have formulated a new scheme aimed at stealing victims’ cryptos and injecting ransomware into their systems.

These hackers are now using several websites to push their fake bitcoin (BTC) and ether (ETH) giveaway programs, according to a Bleeping Computer report on May 26, 2019.

No Free Bitcoin Anywhere

Per sources close to the matter, hackers are now promoting a fake “Bitcoin Collector” scam promising users $5 to $30 worth of free bitcoins when they run the program.

In reality, the primary aim of the malware, which is disguised as a cryptocurrency giveaway program, is to install ransomware or phishing trojans on the victim’s computer.

Reportedly, the scheme was first discovered by a malware researcher with the moniker, Frost. Specifically, the operation is promoted through sites that promise to reward users with ether and bitcoin when they refer others to visit the platform. They state in their FAQ page that when a person refers 1,000 visitors with their referral link, they’ll earn three ether.

The site also deceives users into believing that they can earn $15 to $45 worth of bitcoin every day, automatically, without doing anything.

A box is provided on the website that users can click to get to the “Bitcoin Collector” program, that when downloaded and installed, will supposedly generate free bitcoin for the victim.

The Bitcoin Collector (a zip file) is embedded with a VirusTotal link to deceive the victim into believing that it is safe and malware-free. Once the zip file has been downloaded and executed by the victim, many files are generated, including an executable file called BotCollector.exe.

When the BotCollector.exe file is run, it will launch the “Freebitco.in-Bot,” a Trojan that masquerades as a bitcoin generator. Its duty, however, is to launch a malware payload.

When the researchers analyzed the Trojan, they discovered that once the victim clicks on the “Start” button, the Bot will trigger the malicious payload by copying a file at geobaze\patch\logo.png to logo.exe and executing it.

“Depending on the running campaign, this payload is either a ransomware or a password-stealing Trojan,” declared the researchers.

As bitcoin and altcoins continue growing in value with each passing day, scammers are also upgrading their skills, in a bid to remain in “business.” Earlier in May 2019, BTCManager informed that hackers had started stealing people’s bitcoin through fake cryptocurrency wallets on Google Play.