A new malware plaguing popular Voice-over Internet Protocol (VoIP) service Skype has surfaced. Kaspersky Lab Expert Dmitry Bestuzhev shares in a blog post that a screenshot of a Skype client sent to him by a friend from Venezuela has revealed a malware campaign affecting Skype, similar to another malware campaign on Skype he had written about. The malware is capable of turning the infected machine “to a slave of the bitcoin generator”. That, and it causes the CPU usage increases significantly.
Bestuzhev further notes that the a large number of the potential victims reside in Italy, Russia, Poland, Costa Rica, Spain, Germany, Ukraine, among others. He noted that worryingly, the average clicking rate was quite high too, at 2,000 clicks per hour. The initial trojan, which Kaspersky detected as Trojan.Win32.Jorik.IRCbot.xkt., is downloaded from a server in India.
Generating over 2,000 clicks per hour
Once the malware manages to infect the system, it drops in other pieces of malware. There are downloads from the Hotfile.com service and the malware also connects to its C2 server in Germany, the IP address of which is 22.214.171.124:9000. The process runs with the command – ?bitcoin-miner.exe -a 60 -l no -o http://suppp.cantvenlinea.biz:1942/ -u XXXXXX0000001@gmail.com -p XXXXXXXX, wherein the sensitive data was replaced by XXXXXX. It takes undue advantage of the infected CPU to mine Bitcoins for the miscreant.
Bestuzhev advises to watch out for signs – which includes your machine working hard and using up all available CPU resources – that may mean you're infected.
It maxes out your CPU
Even as you're reading this, the campaign is active on Skype. This isn't the first instance of malware on Skype. Back home too, in October last year, the service was hit by a spam attack. The government issued an advisory informing Skype users of the malicious spam campaign.
“A malicious spam campaign is on the rise targeting Skype users by sending instant message which appears to come from friends in the Skype contact list,” the advisory read. The Computer Emergency Response Team (CERT-In) under the Communications and Information Technology ministry shared that the malware was adept at gaining control of the victim's machine by opening a backdoor and communicating to a remote http server.
Cyber security experts unearthed that the malware-ridden content has been found “lurking in the vicinity of cyber networks of Indian users who use this popular Voice-over Internet Protocol (VoIP) service”. The malware was reportedly stealing user details, fuelling click fraud activity, while also posing as ransomware.
As a measure of caution, the advisory asked Skype users in the country to “not follow unsolicited web links or attachments in Skype messages and install latest security updates to Skype”. The advisory added that users should download the latest version of Skype from trusted sources. To secure themselves further, users should install and maintain updated anti-virus software on gateways and desktops. The advisory stressed on the need to maintain caution when opening attachments, accepting file transfers, clicking links to web pages. Disabling the auto play feature altogether is a safe practice. Users should be careful to ward off social engineering attacks, it said.