In reality, the program does nothing but install ransomware or a password-stealing Trojan on the victim's computer.
The scam was first discovered by a researcher known as Frost, who described it on Twitter.
The scam is promoted on sites that promise Ethereum rewards for referring visitors to their website. These pages claim that anyone who refers 1,000 visitors earns 3 Ethereum, worth $750.
The free Ethereum promises are not even the scam itself. As the screenshot shows, they say you can earn $15-45 a day, free and automatically.
Clicking that advertisement sends you to another site promoting a program called “Bitcoin Collector”, which is supposed to generate free bitcoin for you once downloaded.
The site even links to a VirusTotal report to convince users that the download is clean and contains no malware. In reality, the program is a Trojan in disguise.
Downloading and extracting the zip file yields several files, including an executable called BotCollector.exe. Running it launches a program called “Freebitco.in – Bot” that does not appear to do anything useful. In reality, this supposed bitcoin generator simply launches the malware.
When researchers analyzed the Trojan, they noticed that clicking the Start button causes the fake bot program to execute the malware.
The interesting part of this scheme is that by promising free Ethereum for referrals, the attackers get free promotion of “Bitcoin Collector” as well as more opportunities to infect additional victims.
First as ransomware
When Frost uncovered the campaign, the malware being delivered was a HiddenTear-based ransomware called “Marozka Tear Ransomware.”
When launched, it encrypts the victim's files, appends the .crypted extension, and drops notes explaining how to decrypt them. The program and the notes tell the user to contact [email protected] for payment instructions.
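The two indicators the article gives for the ransomware stage (files renamed with a .crypted extension and a dropped decryption note) are enough for a simple triage check. The script below is an added example written for this page, not code from the article or from the researcher it cites; it builds a constructed throwaway directory that mimics a post-infection profile and scans it. The note file name and the 50% threshold are assumptions, since HiddenTear forks vary.

```python
import os
import tempfile
from pathlib import Path

# Indicator taken from the article: encrypted files receive the ".crypted" extension.
ENCRYPTED_EXT = ".crypted"
# Assumption: ransom notes are small text files whose names hint at decryption.
NOTE_NAME_HINTS = ("readme", "read_me", "decrypt", "how_to")


def scan_for_indicators(root):
    """Walk `root` and return (encrypted_paths, note_paths, encrypted_ratio)."""
    encrypted, notes, total = [], [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif lower.endswith(".txt") and any(h in lower for h in NOTE_NAME_HINTS):
                notes.append(path)
    ratio = len(encrypted) / total if total else 0.0
    return encrypted, notes, ratio


def assess(root, threshold=0.5):
    """Flag a tree as suspicious when a note is present and most files carry the extension."""
    enc, notes, ratio = scan_for_indicators(root)
    return {
        "encrypted": len(enc),
        "notes": len(notes),
        "ratio": round(ratio, 2),
        "suspicious": bool(notes) and ratio >= threshold,
    }


def build_constructed_sample():
    """Create a constructed sample directory: four renamed files, one untouched file, one note."""
    root = tempfile.mkdtemp(prefix="crypted_sample_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    for i in range(4):
        (docs / f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg").write_bytes(b"\xff\xd8")  # file the ransomware skipped
    # Assumed note name; the text is placeholder wording, not the real note.
    (Path(root) / "READ_ME_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Contact us for payment instructions.\n"
    )
    return root


if __name__ == "__main__":
    print(assess(build_constructed_sample()))
```

Run against a real user profile, the same `assess` call gives a quick yes/no before a deeper look; the ratio guards against a single stray .crypted file raising a false alarm.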
The campaign now distributes a Trojan instead. According to Frost, this is a Baldr infection, which has a 32/70 detection ratio on VirusTotal.
The screenshot below shows the control servers and commands. The Trojan infection is far more dangerous because it steals online account credentials, takes screenshots, collects browser history, steals files, and even goes after cryptocurrency wallets.
If you have been affected by this scam, change all of your passwords, especially those for banking and financial accounts.
Source: BleepingComputer