The second task mines with the following options: The second task has the process restart two minutes after the process has been terminated. “schtasks /create /tn \Windows\VsServiceCheck /tr "C:\ProgramData\VsTelemetry\vshub.exe" /st 00:00 /sc daily /du 9999:59 /ri 2 /f” If the process is terminated by the user, the task schedules it to restart 10 minutes after. Even if the infected computer is rebooted, the malware reloads.
The task also loads the malware on a daily basis, every midnight and is set to never end and is set to repeat itself every 10 minutes, unless the process is already running. The first task installs a Chrome extension that injects JavaScript into every opened page. “schtasks /create /tn \SystemLoadCheck /tr "C:\ProgramData\VsTelemetry\vshub.exe -loadcheck" /st 00:00 /sc daily /du 9999:59 /ri 10 /f” Newer samples of the malware use this path: “C:\ProgramData\WindowsPerformanceRecorder\spyxx_amd64.exe” The first thing the malware does is copy itself to “C:\ProgramData\VsTelemetry\vshub.exe”.
We suspect this is a bug or maybe the cybercriminals are planning on launching a version of the malware that will also target these browsers.
We aren’t sure why Opera and Amigo Free Browser processes are terminated, as the malware targets Chrome users.
One of the functionalities includes terminating Opera, Chrome, and Amigo Free Browser processes. The malware incorporates a Monero miner that is also hosted on GitHub The cybercriminals added malicious functionalities to the miner. If the user clicks through the page, it offers the same file again, after the user clicks on 'I'M OVER 18 YEARS OLD - LET'S PLAY - DOWNLOAD'. In this animation you can see how the webpage serves the malicious file right after the page is visited. In addition to the phishing ad campaign, we found an adult content site spreading the malware by offering site visitors a sex game. The ads first lead to an attacker-controlled server (), which then redirects to the GitHub repository hosting the malware, which is where the malicious executable is loaded from. When a user visits a site that displays the phishing ads and clicks on an ad, the executable downloads. Instead, the malware is spread via a phishing ad campaign.
Users don’t need to download the malicious executables directly from GitHub. In addition to mining, the malware also installs a malicious Chrome extension, to inject fake ads and to click on ads in the background, allowing the greedy cybercriminals can make even more profit. People are tricked into downloading the malware through phishing ads shown on online gaming and adult websites, warning users that their Flash Player is outdated, for example, as well as through a fake adult content gaming site. The cybercriminals behind the malware are hiding malicious executables in the directory structure of the forked projects. A list of affected GitHub repositories can be found at the bottom of this blog post. The projects which have been forked appear to be chosen at random. The cybercriminals fork other projects, which on Github means producing a copy of someone else’s project, to build upon the project or to use as a starting point and subsequently push a new commit with the malware to the project. Cryptocurrency mining malware, which also installs a malicious Chrome extension, hosted on GitHub for anyone to download.Ĭybercriminals are aggressively uploading cryptocurrency mining malware to GitHub.