Adversaries are using the lure of free online software downloads to infect unknowing victims with a customised version of cryptocurrency mining software from the NiceHash marketplace.
In a 21 December Securelist blog post, Kaspersky Lab reports detecting 16 websites with Russian .ru top-level domains that offer free (or seemingly free) applications or software packages, including such titles as OpenOffice, Adobe Premiere Pro, CorelDraw, and PowerPoint. Approximately 200 of these various files were determined to secretly include the cryptominer as a component.
An analysis of one of these files, presented as a full version of ABBYY FineReader, determined that its folders contained not only the NiceHash miner itself, but also text files containing wallet details and the mining pool's address. It also contained a BAT script, compiled into a PE file named "system.exe," which initialises the miner's operation and retrieves a PowerShell script that assigns an ID to the infected computers and launches the actual mining operations. In this instance, zcash was the targeted cryptocurrency.
"The mining software that we analysed, albeit incapable of inflicting any damage, can seriously impair your workstation's performance by hijacking its resources and making it work for somebody else," warns Kolesnikov in the blog post.