October 18, 2018

Doctor Web analysts have investigated the activity of a cryptocurrency cybercriminal. The attacker, known as Investimer, uses a wide range of malware and various methods for gaining illegal income.

The online scammer, nicknamed Investimer, Hyipblock, or Mmpower, uses a wide range of commercial Trojans that are currently prevalent in the underground market, including the stealers Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, and Pony. The attacker's arsenal also boasts the TeamViewer-based Spy-Agent backdoor, the DarkVNC and HVNC backdoors that access the affected computer via the VNC protocol, as well as a backdoor based on RMS. The cybercriminal widely applies the Smoke Loader and has previously used a Loader by Danij, as well as a miner Trojan with a clipper plug-in that changes the clipboard contents. Investimer hosts their controlling servers on websites such as jino.ru, marosnet.ru, and hostlife.net. Most of them are Cloudflare protected and hide their actual IP address.

Investimer is mainly focused on cryptocurrency fraud, primarily with Dogecoin. For this, they have created many phishing websites that replicate actual online resources. Among them is a fake cryptocurrency exchange that allegedly requires special client software, which in fact is the Spy-Agent Trojan that downloads to the victim’s computer.

Another “startup” of the scammer is the non-existent pool of Dogecoin miners for rent at competitive prices. To work with the pool, the potential victim downloads an alleged client application in a password-protected archive. The password prevents antivirus software from scanning the archive and removing it at the downloading stage. Clearly, the archive contains a stealer Trojan.

Another fraudulent project by Investimer involves the Etherium cryptocurrency. The scammer offers potential victims rewards for browsing websites if they install a malicious program under the guise of a special app. The Trojan starts downloading automatically upon visiting the website. The scammer even put an effort into writing a few fake reviews about the service.

Another way Investimer practices online fraud is through online lotteries where the prize is in Dogecoins. Of course, the lotteries are arranged in such a way that it is impossible for third-party participants to win; only the organizer can make money. Nevertheless, as we write, more than 5,800 users have already registered to Investimer’s lottery.

Apart from online lotteries, Investimer offers rewards in Dogecoins for viewing web pages with ads. This project has over 11,000 registered users.

Naturally, when a victim tries to download a browser plug-in to make money while surfing the Internet from a “partner” website, they install a backdoor on their computer. This in turn, usually installs a Trojan stealer on the infected device.

Investimer is also not above traditional phishing. They have created a website that offers a reward for bringing new users to the Etherium payment system, but actually collects the information users enter during registration and transfers it to the attacker.

Apart from the above, Investimer tried to copy the official cryptobrowser.site. The original project creators have developed a new web browser that runs a cryptocurrency miner in the background while the user browses web pages. The fake website created by Investimer is not of a particularly high quality: some images are not displayed, the license agreement contains the email address of the real developers, and the Trojan posing as the browser is downloaded from another domain. The picture below shows Investimer’s fake website (left) and the original website (right).

Investimer reportedly has been involved in other online scams as well, including online games based on the financial pyramid principle. The attacker uses the information collected by Trojan stealers primarily to steal cryptocurrency and money from the victim’s wallets in various e-payment systems. It is worth noting that Investimer’s control panel for access to hacked computers contains obscene comments about each victim, which we cannot quote for censorship reasons.

The general scheme the cybercriminal uses to deceive Internet users is as follows: the potential victim is, by various means, lured to a fraudulent website that requires the user to download a certain client program to use it. However, instead of a client, the victim downloads a Trojan that installs other malware to the computer when the attacker signals it. Such programs (mainly stealer Trojans) steal confidential data from an infected device, and the scammer later uses it to steal cryptocurrency and money from the victim’s accounts through payment systems.

Doctor Web analysts believe the total number of users affected by Investimer’s illegal activities exceeds 10,000. Our experts estimate the damage to the victims is at over $23,000, in addition to more than 182,000 Dogecoins, which equals about $900 at the current rate.

Addresses of all websites created by Investimer are in the Dr.Web SpIDer Gate databases and all malware the scammer uses has been successfully detected and removed by our Antivirus.

The full list of indicators of compromise is located at https://github.com/DoctorWebLtd/malware-iocs/tree/master/investimer.

#criminal #cryptocurrencies #mining #fraud