Last Updated: 2017-12-11 02:40:51 UTC
by Brad Duncan (Version: 1)
On Saturday 2017-12-09 and Sunday 2017-12-10, I came across a wave of malicious spam (malspam) with links to a Bitcoin miner disguised as pornographic material. The emails all had the same links. One of them was off-line by the time I checked, but the other downloaded a zip archive named SeeMyXXXphoto.zip. Windows Defender quickly caught and deleted the malware, so people aren't really at risk for this. However, I wanted to document this campaign with a quick diary.
The emails had various subject lines, spoofed senders, and different first paragraphs in the message text. I submitted an example in the .eml format to VirusTotal (link). The emails each contained a different pornographic image followed by the message text. The second paragraph in each message text read the same, stating:
Maybe you want see my private XXX photo??? Ooooohhhh.... ok! Just download archive from this link and open and install it. And you can get access to some my hot photos )))
It was followed by a link to: hxxp://martialartsbenefits[.]com/SeeMyXXXphoto.zip
Windows Defender identified the malware as Trojan:Win32/Tiggre!rfn, but that didn't describe the malware for me. A quick check on VirusTotal indicates the malware is a Bitcoin miner. Running the malware on a Windows host in my lab environment confirmed Bitcoin miner-style traffic, and it appears to be based on CPUminer Multi version 1.1.
Shown above: Traffic from an infection filtered in Wireshark indicates this is CPUminer Multi version 1.1.
- Date/Time: Sunday, 2017-12-10 00:08 UTC
- From: "Isabelle" <email@example.com>
- Subject: That's why I love our parties! Just look here
- Date/Time: Sunday, 2017-12-10 16:28 UTC
- From: "Martine" <firstname.lastname@example.org>
- Subject: I would go through the streets slack-jawed
- Date/Time: Sunday, 2017-12-10 18:04 UTC
- From: "Birgit" <email@example.com>
- Subject: Oh Gooood, it is the hottest of all that I've ever seen Just look here!
- Date/Time: Sunday, 2017-12-10 19:14 UTC
- From: "Manon" <firstname.lastname@example.org>
- Subject: Is your character as hard as your muscles?
- Date/Time: Sunday, 2017-12-10 23:10 UTC
- From: "Lola" <email@example.com>
- Subject: Even your eyes can tell me how confident you are.
Links in the emails:
- File size: 2,201,826 bytes
- File name: SeeMyXXXphoto.zip
- Description: Downloaded zip archive
- File size: 2,339,166 bytes
- File name: Open and see my XXX photo and Video.exe
- Description: Extracted Windows executable - Bitcoin mining malware
Traffic from an infected Windows host:
- 184.108.40.206 port 8005 - xmr-usa.dwarfpool.com - CPUminer traffic
Windows 10 hosts seem well-protected against this threat. As always, on older versions of Windows, system administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
brad [at] malware-traffic-analysis.net