Fake Flash Player Wants To Go Mining

Fake Flash Player Wants To Go Mining

Mining for coins sure does beat scrabbling around in caves looking for coal, and it certainly shows no signs of going away anytime soon.

Below we have the latest in a seemingly never ending stream of mining scams and dubious antics. Specifically, a collection of fake Facebook video pages which require the end-user to install Flash player to continue.

It goes without saying that this is absolutely not the real Flash player at all. Let’s take a look at one of the sites, located at

facebook(dot)com(dot)accounts(dot)login(dot)userid(dot)508724(dot)ismos(dot)pw/blam/

Flash! Aa-aargh

According to the box inside the video player, “An update for Youtube Player is needed.” Clicking install pops the download prompt, and FlashPlayerV10.1.57.108 (also known as “Juan.exe”) is downloaded onto the system.

Running the file places two executables into the following location:

[username]/AppData/Roaming/Data

Control.exe svhost.exe

File locations

Svchost.exe is rather interesting:

Time to mine.

The text reads as follows:

“1 miner threads started, using “scrypt” algorithm

HTTP request failed: failed connect to 127.0.0.1:9332

json_rpc_call failed, retry after 30 seconds”

“Scrypt”? “Json”? “9332”? What is happening here?

Scrypt is typically associated with forms of mining other than Bitcoin, and port 9332 can often be seen in discussions related to mining. If this is an attempt to join a P2Pool, it doesn’t appear to be working. Solo mining isn’t likely to make anybody a vast fortune anytime soon, either.

Users of Malwarebytes Anti-malware will find we detect the initial dropper file as Trojan.Agent.MNR, and it is currently pegged at 24 / 47 on VirusTotal. We also detect the dropped miner as PUP.BitCoinMiner, and the VirusTotal score for that one is 17 / 48.

The fake Flash player page has been seen at least twice before – September 2012, where rogue Twitter DMs directed end-users to Malware and July 2013, where it tied an attempt at mining with Facebook phishing.

If you want to install Flash Player, you should go directly to the Adobe Flash install page – never accept installs from random websites, especially if offering up a video that you just have to see.

As far as mining goes, ensure you obtain your miners from reliable sources as bundling legitimate mining tools with Malware has never been more popular.

Avoid any .pw URLs currently in circulation with the following URL extension:

.pw/blam/FlashPlayerV10.1.57.108.exe

Quite a few of them already appear to be down, but the cut and paste success of reusing this particular fake Flash page seems to big a temptation to resist.

As for the safety of your Bitcoins themselves, there are more than enough pointers online to start doing something that about too.

Keep your coins safe and your PC safer – though given the current value of Bitcoin, maybe some individuals would take the reverse approach.

However you choose to operate, keep in mind that scammers mining on PCs without permission are now being swept up by the long arm of the law. It’s quite possible many of them will, over the coming months, be trading in their digital pickaxes for the real thing and a large collection of rocks to break…

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.