COINMINER_MALXMR.THDBFAJ-JS

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Coinminer connects to the following website to send and receive information:

• https://{BLOCKED}ystem.space/php3/loginx1.php

It does the following:

• Steals Facebook login credentials
• Access victims facebook account
• Send the Malicious link to facebook friends
• Post the Malicious link and tag friends, modifies the privacy of the post so everyone can see and unfollow the post so the victim will not be notified.
• Deletes cookies and recent login traces when the victim logs out.
• Redirects the victim to a fake youtube page once the link is clicked.
• Connects to the following URL to mine cryptocurrency:
  • https://cdn.{BLOCKED}erpool.tk/webmr-x7.js
• Connects to the following URL:
  
  • https://{BLOCKED}ystem1.space/php3/doms1.php -Link to be send to friends
  • http://{BLOCKED}ystem1.space/php3/sil.php -Link to be send to friends
  • https://{BLOCKED}ystem.space/img22.php
  • https://{BLOCKED}ystem.space/playbutton.png
  • https://{BLOCKED}ystem.space/php3/youtube.php - used in fake youtube page

However, as of this writing, the said sites are inaccessible.