Double file extensions being used to dupe users

A Russian BitTorrent site is bundling Monero-hungry malware in with ‘legitimate’ downloads, offering further evidence that hackers are pivoting towards cryptojacking as their method of choice in 2018.

New research from Palo Alto Networks focuses on b-tor.ru, a Russian-language BitTorrent site that’s been active since July 2017 and hosts more than 275,000 torrent files.

The researchers said that users who attempt to download a file are presented with a compressed file of the corresponding name. Once unzipped, it yields an executable, again of the same name.

“The attackers are making use of double file extensions to further attempt to trick the user into believing this file is a legitimate torrent,” said Palo Alto Networks’ Josh Grunzweig.

Once opened, Grunzweig said the file will download and execute the actual torrent file, but at the same time it will also download and execute an instance of the XMRig Monero mining program that will run in the background.

Of course, B-tor is not the first torrent site to be linked with a crypto-mining campaign. Last year, The Pirate Bay hit headlines after it emerged that admins had been testing out the revenue-generating potential of a JavaScript-based miner placed directly on-site.

In this latest example, however, B-tor’s use of double file extensions shows that attackers are going to increasing lengths to cover their tracks, as they look to install more persistent crypto-mining malware directly onto users’ devices.

Fortunately, Grunzweig noted that in this case the malware has been configured to use 100% of the victim’s CPU power, which would likely alert the victim to the miner’s presence.
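
A defender-side check for the double-extension trick described above, as an added example that is not from the Palo Alto Networks research or the original article: it lists the members of a ZIP archive and flags names where a decoy extension is followed by an executable one. The extension lists, function names and sample file names are assumptions constructed for illustration; the article does not give the actual file names.

```python
import io
import zipfile

# Assumed extension lists (not from the article); tune them for your environment.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "lnk"}
DECOY = {"torrent", "pdf", "doc", "docx", "txt", "jpg", "png", "mp3", "mp4", "avi", "mkv"}


def double_extension(name):
    """Return (decoy_ext, executable_ext) if the name ends in a decoy
    extension followed by an executable one, else None."""
    # Use only the final path component; archives use "/" but handle "\\" too.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces when the file is created.
    base = base.rstrip(" .")
    # Padding spaces around an extension are a common way to hide the real one.
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3:
        return None  # need a stem plus two extensions
    decoy, final = parts[-2], parts[-1]
    if final in EXECUTABLE and decoy in DECOY:
        return decoy, final
    return None


def scan_zip(data):
    """Return [(member_name, decoy_ext, executable_ext)] for flagged members."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            found = double_extension(info.filename)
            if found:
                hits.append((info.filename, *found))
    return hits


def build_sample_zip():
    """Constructed sample archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Some.Movie.2018.torrent.exe", b"placeholder")
        zf.writestr("docs/readme.txt", b"placeholder")
        zf.writestr("setup-1.2.exe", b"placeholder")  # version number, not a decoy
        zf.writestr("Album.mp3   .SCR ", b"placeholder")  # padded and upper-cased
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(hit)
```

Checking the second-to-last extension against a decoy list, rather than flagging every name with two dots, keeps versioned installers such as `setup-1.2.exe` from being reported.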