New bitcoin scam installs ransomware or info-stealer malware on victim’s computer

• When researher Frost initially analyzed this scam, the malicious payload was found to be ‘Marozka Tear’ ransomware.
• Frost noted that the scam now pushes an info-stealer malware ‘Baldr’ that attempts to steal login credentials for all the sites visited, take screenshots, retrieve browser history, steal files and cryptocurrency wallets.

A new bitcoin scam that promises to earn you $15-45 Bitcoin in a day for free and automatically, installs ransomware or info-stealer malware on victim’s computer.

The big picture

An independent malware hunter who goes under the name ‘Frost’ has uncovered the scam which has been promoted via several sites. The scam promise to earn you Ethereum by referring other people to their site.

• When users click on the site, they will be redirected to another page that promotes a program called ‘Bitcoin Collector’.
• This program is a Trojan that executes a malicious payload.
• When users download the program and extract it, it will generate numerous files including an executable called BotCollector.exe.
• Upon executing the ‘BotCollector.exe’, a malware disguised as a bitcoin generator program dubbed ‘Freebitco.in - Bot’ is launched.
• Clicking on the ‘Start’ button would cause the ‘Freebitco.in-Bot’ to trigger the malicious payload which is either ransomware or an info-stealer.

Marozka Tear Ransomware

When Frost initially analyzed this scam, the malicious payload was found to be ‘Marozka Tear’ ransomware.

• Once on the compromised computer, the ransomware encrypts all files and appends the .Crypted extension to the encrypted files.
• It then drops a ransom note named ‘HOW TO DECRYPT FILES.txt’.
• The ransom note urges the victim to contact the attacker at india2lock@gmail.com in order to receive payment instructions.

“All your information (documents, databases, backups and other files) this computer was encrypted using the most cryptographic algorithms.
All encrypted files are formatted .Crypted.
This form files '.Crypted' is a joint development American Hackers.
You can only recover files using a decryptor and password, which, in turn, only we know.
It is impossible to pick it up.
Reinstalling the OS will not change anything.
No system administrator in the world can solve this problem without knowing the password
In no case do not modify the files! But if you want, then make a backup.
Drop us an email at the address india2lock@gmail.com
You have 48 hours left. If they are not decrypted then after 48 hours they will be removed!!!,” the ransom note read, BleepingComputer reported.

Baldr Trojan

Frost noted that the scam now pushes an info-stealer malware ‘Baldr’ which currently has 32/70 detections at VirusTotal.

This info-stealer malware attempts to steal login credentials for all the sites visited, take screenshots, retrieve browser history, steal files and cryptocurrency wallets.