When cyber crooks are looking to infect as many Internet users as possible with Bitcoin mining software, they usually start a wide-reaching, generic spam campaign. But when they are after specific users' Bitcoins, they use a more targeted approach.
In this case, a mass-targeted scam email is being delivered to users whose email addresses have obviously been scraped from popular Bitcoin sites or stolen in breaches.
According to LogRhythm researchers, a peek at the headers reveals immediately that the email does not come from a personal email address, but was sent through Amazon's Simple Email Service (often misused by spammers).
The embedded shortened URL leads to a compromised site from which the Backup.zip archive is downloaded.
It contains several files: bitcoinqt.png, Password.txt, Password.txt.lnk, and wallet.dat, but only the last two are visible unless the "Show hidden files" Windows option is turned on. It's obvious that the attackers are counting on those two files being opened first.
The initially visible files prepare the ground for the attack, and the Password.txt file is actually a packed executable.
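The archive layout described above (hidden entries, a .lnk shortcut sharing its name with a hidden "text" file, and a file whose extension does not match its contents) is something a mail gateway or sandbox can flag before anyone double-clicks. The following is an added defensive example, not code from the article or from LogRhythm; it builds a constructed archive that mirrors the described layout and inspects it using only the Windows hidden attribute stored in the zip's external_attr field, the file names, and the first bytes of each entry. The sample bytes and the finding labels are assumptions made for the example.

```python
import io
import zipfile

# MS-DOS attribute bits live in the low byte of a zip entry's external_attr.
FILE_ATTRIBUTE_HIDDEN = 0x02
LURE_EXTENSIONS = (".lnk",)                 # shortcuts that can launch another entry
NON_EXEC_EXTENSIONS = (".txt", ".png", ".dat", ".jpg", ".pdf")
PE_MAGIC = b"MZ"                            # header of a Windows executable


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the layout the article describes.

    This is NOT the real Backup.zip; the contents are placeholder bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name: str, data: bytes, hidden: bool = False) -> None:
            info = zipfile.ZipInfo(name)
            if hidden:
                info.external_attr |= FILE_ATTRIBUTE_HIDDEN
            zf.writestr(info, data)

        add("bitcoinqt.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, hidden=True)
        add("Password.txt", PE_MAGIC + b"\x00" * 62, hidden=True)  # executable, not text
        add("Password.txt.lnk", b"L\x00\x00\x00" + b"\x00" * 16)   # .lnk header bytes
        add("wallet.dat", b"\x00" * 32)
    return buf.getvalue()


def inspect_archive(zip_bytes: bytes) -> dict:
    """Return {entry name: [reasons]} for entries that match the lure pattern."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {info.filename for info in zf.infolist()}
        for info in zf.infolist():
            reasons = []
            lower = info.filename.lower()

            # 1. Entries that would be invisible with default Explorer settings.
            if info.external_attr & FILE_ATTRIBUTE_HIDDEN:
                reasons.append("hidden attribute set")

            # 2. A shortcut named after another entry is the classic decoy.
            if lower.endswith(LURE_EXTENSIONS):
                reasons.append("shortcut lure")
                target = info.filename[: info.filename.rfind(".")]
                if target in names:
                    reasons.append(f"shortcut shares name with entry {target!r}")

            # 3. A 'document' that actually starts with a PE header.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if lower.endswith(NON_EXEC_EXTENSIONS) and head == PE_MAGIC:
                reasons.append("PE header in non-executable extension")

            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Any one of these signals on its own is weak (legitimate archives can contain hidden files), but the combination of a hidden entry, a same-named shortcut and a mismatched file header in one small archive is a pattern worth quarantining for analyst review.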
"Running this file launches a blank command prompt window, followed by a program masquerading as notepad, then the real notepad application, which displays the ‘password’ to the wallet.dat file," the researchers explain.
"In reality, this program launches two files, one notepad.exe to display the fake password, and another file Password.txt which appears to actually be a backdoor’d version of ‘EditPlus’. This file continues to run silently and remains open even after notepad is closed."
The malware waits for the victims to open their Bitcoin wallet using the BitcoinQT software, and when they do, they are shown a previously prepared screenshot of a digital wallet containing some 30 Bitcoin (the aforementioned bitcoinqt.png file).
In the meantime, the malware contacts the attackers' network and begins to empty the victims' real wallets in the background.
According to the researchers, the campaign was launched on January 6, and in less than 24 hours over 1,600 users clicked on the malicious shortened link. Some of them have likely downloaded and opened the offered file, but the number of compromised users is unknown.