Bitcoins and Bitcoin mining are a very captivating subject for anyone interested in the popular digital currency.

There are always new developments and a touch of mystery (last week we heard rumours that someone was threatening to expose Bitcoin founder Satoshi Nakamoto).

A few days ago, a suspicious email was forwarded to me that appeared to be sent from Cloudhashing, one of the largest Bitcoin mining companies.

cloudhashing
Image courtesy of: http://goo.gl/hppD1h

Cloudhashing sells contracts to mine for bitcoins using its cloud-based computer network located in Iceland.

Subject: Invoice 764
Date: Tue, 9 Sep 2014 04:59:01 +1100
From: CloudHashing <no_reply@cloudhashing.com>
To: {redacted}

Invoice Payment Confirmation

Kind regards

Mobile: +1 (510) 973-1050
Phone: +1 (530) cloudhashing
Fax: +1 (510) 573-2760
Technology IQ Ltd. 11130 Jollyville Rd. Ste. 304 Austin TX 78759

The email contained a so-called invoice payment confirmation (Invoice_764.jar) as an attachment. This is not your ‘typical’ invoice file format though, as it turns out to be a Java applet:

java_applet

Applets can run like any other type of executables provided you have Java installed on the system. So we decided to execute this file in a controlled environment to better understand its purpose.

The Javaw.exe process is invoked and creates a copy of the applet under AppData\Roaming\Windows\Windows.Kh8

java_path

However, the file is hidden with a rootkit-like technique. We used a dual-boot (Windows-Linux) box to expose this clever technique (you could use a Live CD to boot your PC from and then check your drive).

On Windows, the rookit is active and hides the Windows.Kh8 file (the applet) while on Linux the rookit is not active and we are able to view the file on the mounted Windows hard-drive:

This slideshow requires JavaScript.

The author of this applet also ensured persistence by creating an entry under the Run key in the registry so that it would automatically relaunch after every reboot of the system:

RunKey

As far as the payload’s motives are concerned, we notice strange TCP/IP activity out of the javaw.exe process:

TCP

That IP (82.102.231.110 and other ones such as 82.102.240.131) are located in the Middle East:

IP

Image courtesy of IPligence.

A deeper look at the traffic packets in network capture software Wireshark reveals its most likely purpose: Bitcoin-mining activity.

wireshark1

We are not sure how the attackers behind this phishing/malware scheme are contacting their marks. However, late on Friday, Cloudhashing issued an urgent notice to all of its users:

From: Cloud Hashing <newsletter@cloudhashing.com>
Date: September 12, 2014 at 7:45:42 PM PDT
Subject: Cloud Hashing Newsletter - URGENT NOTICE
Reply-To: Cloud Hashing <newsletter@cloudhashing.com>

urgent

There is no end of interest for Bitcoins and malicious actors are eager to recruit as many systems as they can to help in the hardware-intensive process of mining.

Perhaps posing as a legitimate Bitcoin company, the phishers expect to dupe people who are already involved in this activity and possess the necessary equipment.

Thanks to my friends and colleagues @jean_taggart and @Kujman500 for additional research assistance.

@jeromesegura