Tencent Security: Over 33 Million Email Passwords Were Leaked for Bitcoin Ransom

The latest bitcoin rally has brought not only the crypto market back to life, but hackers too. Tencent Security reported on July 9 that it had observed a mining Trojan called Burimi that has hacked over 33 million email accounts and is demanding bitcoin ransom.

The attacker first tries weak VNC passwords to log in to a server. Once in, the attacker downloads a Monero mining Trojan that disables the Windows Security Center, adds itself to startup, infects any USB flash drive or portable hard disk, and hijacks bitcoin addresses. What makes this mining Trojan especially nasty is that it uses the infected server to validate millions of email account passwords and then sends mass blackmail emails.

For each server hacked, the attacker can validate 20,000 email accounts. As of press time, the virus has compromised 1,691 servers and more than 33 million email accounts have been validated, including accounts at Yahoo, Google, AOL and Microsoft. It may eventually lead to hundreds of millions of email accounts being validated. If an email account is successfully validated, an extortion email is sent, which reads: “I know your password and private information, you must pay $XXX in Bitcoin to XXX account within X days, otherwise, your private information will be published.”

As of press time, 0.2326 BTC has been hijacked by tampering with withdrawal addresses so that they point to the attacker’s BTC address, and 0.01 BTC has been transferred to the hacker’s bitcoin address. The security firm advises email users of Yahoo, Gmail, AOL, MSN and Hotmail not to pay bitcoin after receiving a blackmail email, but to change their email password and enable two-factor authentication as soon as possible. For those whose computers have been compromised, it is suggested to delete the following files:

C:\ProgramData\FtqBnjJnmF[random]\cfg
C:\ProgramData\FtqBnjJnmF[random]\cfgi
C:\ProgramData\FtqBnjJnmF[random]\windrv32
C:\ProgramData\FtqBnjJnmF[random]\r.vbs
c:\windows\48940040500568694\v.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ftUPeSPdpA.url[random]

and delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver

IOCs
Wallets
1EwCEJr5JwpafZx11dcXDtX5QSPJvzth17
1Gx8oRKKczwdB32yiLzVx5hsjAze6g5HHw
qqax27xlp3mlj2xxvg8c907hsjl8rn2c6vvg02zqmk
24dZQuCGWPxHAo541yQ5Ry7diFui4r5PvPYw9569fHSJEZfv1uWdgtxFr6MNqj3PGR4PGXzCGYQw7UemxRoRxCC97t7VaTr
XkaCs9F83uMSNe8F42uX5VbBD9GVTSnp3D
DAyF8DeCqJMJhSwKaTPfJH6FXT7jgw8Tnh
0x8b7f16faa3f835a0d3e7871a1359e45914d8c344
LWxEL2THVBbUK1hSjUf617WLRVEGR7iajp
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQksjQpiLQVUNjzt3UF
PMtseqzh1KbDrGhzcBcXwgU3sJuWK65AJS
t1YmUJ56BtdzoW5oMCxRdngdG4hJP5vKFca

Domain
soruuoooshfrohuo.su
aoruuoooshfrohuo.su
roruuoooshfrohuo.su
toruuoooshfrohuo.su
uoruuoooshfrohuo.su
foruuoooshfrohuo.su
zeruuoooshfrohuo.su
zzruuoooshfrohuo.su
bbruuoooshfrohuo.su
soruuoooshfrohoo.su
aoruuoooshfrohoo.su
roruuoooshfrohoo.su
toruuoooshfrohoo.su
uoruuoooshfrohoo.su
foruuoooshfrohoo.su
zeruuoooshfrohoo.su
zzruuoooshfrohoo.su
bbruuoooshfrohoo.su
soruuoooshfrohlo.su
aoruuoooshfrohlo.su
roruuoooshfrohlo.su
toruuoooshfrohlo.su
uoruuoooshfrohlo.su
foruuoooshfrohlo.su
zeruuoooshfrohlo.su
zzruuoooshfrohlo.su
bbruuoooshfrohlo.su
soruuoooshfrohfo.su
aoruuoooshfrohfo.su
roruuoooshfrohfo.su
toruuoooshfrohfo.su
uoruuoooshfrohfo.su
foruuoooshfrohfo.su
zeruuoooshfrohfo.su
zzruuoooshfrohfo.su
bbruuoooshfrohfo.su
ssofhoseuegsgrfnj.su
unokaoeojoejfghr.ru
osheoufhusheoghuesd.ru
fafhoafouehfuh.su
auoegfiaefuageudn.ru
aiiaiafrzrueuedur.ru
osuhughgufijfi.ru
agnediuaeuidhegsf.su
ouhfuosuoosrhfzr.su

URL
hxxp://thaus.to/1.exe
hxxp://thaus.to/2.exe
hxxp://thaus.to/3.exe
hxxp://thaus.to/4.exe
hxxp://thaus.to/5.exe
hxxp://thaus.to/6.exe
hxxp://thaus.to/7.exe
hxxp://thaus.to/8.exe

IP
193.32.161.77
193.32.161.69

MD5
ef7ffba4b98df751763464f404d3010c
f895a1875b3e112df7e4d548b28b9927
1d843f799da25d93d370969e126c32fa
3e26d2428d90c95531b3f2e700bf0e4c
33e45f80f9cbfd841242e8bb4488def1
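As an added example (not part of the Tencent report or of this article), the Python script below turns the clean-up list and the IOC section above into a small matcher a defender can run over host and resolver observations: file paths, Run-key values, file hashes, contacted hosts and wallet addresses. Everything not on the page is an assumption: the observation kinds, the resolver log line format and the sample data are constructed; the stray space before ftUPeSPdpA.url in the Startup path is treated as an extraction artifact and dropped; thaus.to is added to the domain set because it is the download host in the URL list; and "[random]" in the listed paths is interpreted as "any characters within one path component".

```python
"""Match host and network observations against the Burimi indicators listed above."""
import re

# Domains from the IOC section, plus thaus.to (the download host from the URL list).
DOMAINS = set("""
soruuoooshfrohuo.su aoruuoooshfrohuo.su roruuoooshfrohuo.su toruuoooshfrohuo.su
uoruuoooshfrohuo.su foruuoooshfrohuo.su zeruuoooshfrohuo.su zzruuoooshfrohuo.su
bbruuoooshfrohuo.su soruuoooshfrohoo.su aoruuoooshfrohoo.su roruuoooshfrohoo.su
toruuoooshfrohoo.su uoruuoooshfrohoo.su foruuoooshfrohoo.su zeruuoooshfrohoo.su
zzruuoooshfrohoo.su bbruuoooshfrohoo.su soruuoooshfrohlo.su aoruuoooshfrohlo.su
roruuoooshfrohlo.su toruuoooshfrohlo.su uoruuoooshfrohlo.su foruuoooshfrohlo.su
zeruuoooshfrohlo.su zzruuoooshfrohlo.su bbruuoooshfrohlo.su soruuoooshfrohfo.su
aoruuoooshfrohfo.su roruuoooshfrohfo.su toruuoooshfrohfo.su uoruuoooshfrohfo.su
foruuoooshfrohfo.su zeruuoooshfrohfo.su zzruuoooshfrohfo.su bbruuoooshfrohfo.su
ssofhoseuegsgrfnj.su unokaoeojoejfghr.ru osheoufhusheoghuesd.ru fafhoafouehfuh.su
auoegfiaefuageudn.ru aiiaiafrzrueuedur.ru osuhughgufijfi.ru agnediuaeuidhegsf.su
ouhfuosuoosrhfzr.su thaus.to
""".split())

IPS = {"193.32.161.77", "193.32.161.69"}

MD5S = {
    "ef7ffba4b98df751763464f404d3010c", "f895a1875b3e112df7e4d548b28b9927",
    "1d843f799da25d93d370969e126c32fa", "3e26d2428d90c95531b3f2e700bf0e4c",
    "33e45f80f9cbfd841242e8bb4488def1",
}

WALLETS = {
    "1EwCEJr5JwpafZx11dcXDtX5QSPJvzth17", "1Gx8oRKKczwdB32yiLzVx5hsjAze6g5HHw",
    "qqax27xlp3mlj2xxvg8c907hsjl8rn2c6vvg02zqmk",
    "24dZQuCGWPxHAo541yQ5Ry7diFui4r5PvPYw9569fHSJEZfv1uWdgtxFr6MNqj3PGR4PGXzCGYQw7UemxRoRxCC97t7VaTr",
    "XkaCs9F83uMSNe8F42uX5VbBD9GVTSnp3D", "DAyF8DeCqJMJhSwKaTPfJH6FXT7jgw8Tnh",
    "0x8b7f16faa3f835a0d3e7871a1359e45914d8c344", "LWxEL2THVBbUK1hSjUf617WLRVEGR7iajp",
    "4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQksjQpiLQVUNjzt3UF",
    "PMtseqzh1KbDrGhzcBcXwgU3sJuWK65AJS", "t1YmUJ56BtdzoW5oMCxRdngdG4hJP5vKFca",
}

# Paths from the clean-up list. "[random]" is the page's own placeholder; the stray
# space before ftUPeSPdpA.url is assumed to be an extraction artifact and is dropped.
FILE_TEMPLATES = [
    r"C:\ProgramData\FtqBnjJnmF[random]\cfg",
    r"C:\ProgramData\FtqBnjJnmF[random]\cfgi",
    r"C:\ProgramData\FtqBnjJnmF[random]\windrv32",
    r"C:\ProgramData\FtqBnjJnmF[random]\r.vbs",
    r"c:\windows\48940040500568694\v.exe",
    r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftUPeSPdpA.url[random]",
]
RUN_VALUE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver"


def _template_to_regex(template: str) -> re.Pattern:
    """Escape the literal path; "[random]" matches any characters inside one path component."""
    literal_parts = [re.escape(part) for part in template.split("[random]")]
    return re.compile("^" + r"[^\\]*".join(literal_parts) + "$", re.IGNORECASE)


FILE_PATTERNS = [_template_to_regex(t) for t in FILE_TEMPLATES]


def match_file_path(path: str) -> bool:
    return any(rx.match(path) for rx in FILE_PATTERNS)


def match_registry(value_path: str) -> bool:
    # Registry paths are case-insensitive on Windows.
    return value_path.casefold() == RUN_VALUE.casefold()


def is_indicator(kind: str, value: str) -> bool:
    """kind is one of network, md5, file, registry, wallet (a constructed schema)."""
    if kind == "network":
        return value.lower().rstrip(".") in DOMAINS or value in IPS
    if kind == "md5":
        return value.lower() in MD5S
    if kind == "file":
        return match_file_path(value)
    if kind == "registry":
        return match_registry(value)
    if kind == "wallet":
        return value in WALLETS  # wallet addresses are case-sensitive
    raise ValueError(f"unknown observation kind: {kind}")


def scan(observations):
    """Return the (kind, value) pairs that hit a listed indicator."""
    return [(k, v) for k, v in observations if is_indicator(k, v)]


# Constructed resolver log format: "<timestamp> client=<ip> query=<name> type=<rr>".
_DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(lines):
    """Return (client, query) for each log line whose queried name is a listed domain."""
    hits = []
    for line in lines:
        m = _DNS_LINE.search(line)
        if m and is_indicator("network", m["query"]):
            hits.append((m["client"], m["query"].lower().rstrip(".")))
    return hits


# Constructed sample data (not taken from the report).
SAMPLE_DNS_LOG = [
    "2019-07-09T08:01:12Z client=10.0.0.21 query=toruuoooshfrohlo.su type=A",
    "2019-07-09T08:01:13Z client=10.0.0.21 query=updates.example.net type=A",
    "2019-07-09T08:02:40Z client=10.0.0.33 query=THAUS.TO type=A",
]
SAMPLE_HOST_OBSERVATIONS = [
    ("file", r"C:\ProgramData\FtqBnjJnmFQx7\cfgi"),
    ("file", r"C:\Windows\System32\svchost.exe"),
    ("registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver"),
    ("md5", "33E45F80F9CBFD841242E8BB4488DEF1"),
    ("network", "193.32.161.77"),
    ("wallet", "1EwCEJr5JwpafZx11dcXDtX5QSPJvzth17"),
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("resolver hit:", hit)
    for hit in scan(SAMPLE_HOST_OBSERVATIONS):
        print("host hit:", hit)
```

The "[random]" placeholder is confined to a single path component on purpose: a bare `.*` would also match a path with extra directories inserted between `FtqBnjJnmF` and `cfg`, which is not what the clean-up list describes. Hashes and hostnames are compared case-insensitively because both are commonly logged in mixed case, while wallet addresses are compared exactly because their checksums are case-sensitive.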
