A security researcher has discovered a new Bitcoin scam that installs ransomware or a password-stealing Trojan on your system.
The scam was first spotted by a security researcher who goes by the online handle Frost on Twitter.
The scam is spread via websites that promise you Ethereum if you refer other people to them.
According to their FAQ, 1000 visits using your referral link will earn you 3 Ethereum, which is approximately $750 USD.
The website also advertises that you can earn $15-45 a day in Bitcoin for free and automatically.
According to Bleeping Computer, when you click the link you are redirected to a page called “Bitcoin Collector”, which asks you to download and run a program to earn free Bitcoins.
The page also provides a VirusTotal link that shows the program as completely safe.
If you click the download link, a zip file is downloaded; extracting it produces many files, including an executable called BotCollector.exe.
When you run BotCollector.exe, it launches a program called Freebitco.in – Bot, which is actually a Trojan pretending to be a Bitcoin generator.
As shown in the above picture, if you click the Start button in the program, it launches a fake bot program to trigger the payload.
In this campaign, the payload was at first a HiddenTear ransomware variant called Marozka Tear Ransomware; later the operators switched to a password-stealing Trojan.
Ransomware as the Payload
The ransomware encrypts all your files and appends the .Crypted extension to them. A ransom note named HOW TO DECRYPT FILES.txt is also created.
In the ransom note, victims are asked to contact firstname.lastname@example.org to learn the ransom amount and payment instructions.
Affected victims can decrypt their files for free using the HiddenTear Decrypter.
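The file names given above (BotCollector.exe, the .Crypted extension and HOW TO DECRYPT FILES.txt) are enough for a first triage pass over a disk or a mounted image. The following script is an added example, not code from the researcher or from Bleeping Computer; the function names and verdict labels are assumptions chosen for illustration, and matching is by file name only.

```python
import os
import sys
from collections import defaultdict

# File-name indicators quoted in the article (matched case-insensitively).
ENCRYPTED_EXT = ".crypted"
RANSOM_NOTE = "how to decrypt files.txt"
DROPPER = "botcollector.exe"


def triage(root):
    """Walk `root` and collect the campaign's on-disk artifacts."""
    encrypted = defaultdict(list)   # directory -> original file names
    notes, droppers = [], []
    # os.walk silently skips directories it cannot read.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lower == DROPPER:
                droppers.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # Strip the appended extension to recover the original name.
                encrypted[dirpath].append(name[: -len(ENCRYPTED_EXT)])
    return {"encrypted": dict(encrypted), "notes": notes, "droppers": droppers}


def verdict(report):
    """Map findings to the two payloads the article describes (labels are illustrative)."""
    if report["encrypted"] and report["notes"]:
        return "ransomware"           # extension and ransom note both present
    if report["encrypted"] or report["notes"]:
        return "possible-ransomware"  # one indicator only; inspect by hand
    if report["droppers"]:
        return "dropper-only"         # no encryption seen; treat credentials as exposed
    return "clean"


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, names in sorted(result["encrypted"].items()):
        print(f"{directory}: {len(names)} encrypted file(s)")
    for path in result["notes"] + result["droppers"]:
        print(f"artifact: {path}")
    print("verdict:", verdict(result))
```

A "dropper-only" result corresponds to the later stage of the campaign, where the payload steals passwords instead of encrypting files, so the absence of .Crypted files does not mean the machine is unaffected.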
Password-stealing Trojan as the Payload
According to the researcher, the scam has now switched to a password-stealing Trojan named Baldr as the payload.
The Trojan is capable of stealing login credentials for sites you visit, taking screenshots, retrieving browser history, and stealing cryptocurrency wallets and files from your computer.
Users who are affected by this scam are advised to change their passwords and enable multi-factor authentication for their accounts.