New Bitcoin Scam Leads to Ransomware and Info-Stealing Trojans

A series of web sites are pushing a scam promising $5-30 worth of free bitcoins a day simply by running their Bitcoin Collector program. In reality, this program does nothing but install ransomware or password-stealing Trojans onto a victim's computer.

This scam was first discovered by a malware researcher going by the alias Frost who posted about it on Twitter and discussed it with

The scam is promoted through sites that promise to earn you Ethereum by referring other people to their site.  Their FAQ states that by referring 1,000 visits using your referral link you will earn 3 Ethereum, which is worth approximately $750 USD.



Scam Site

The claims of earning free Ethereum is not even the real scam.They advertise that you can earn $15-45 a day in Bitcoin "for free and automatically".

If you click on this box, you will be brought to another page that promotes a program called "Bitcoin Collector" that when download and run will supposedly generate free Bitcoin for you. It even provides a VirusTotal link to show that it is completely safe, but even though this program has not detections, it is still a Trojan that normally would execute a malicious payload if the payload was present.



When you download the zip file and extract it, it will generate numerous files including an executable called BotCollector.exe.

BotCollector Archive

BotCollector Archive

When you execute the included BotCollector.exe, it will launch a program called " - Bot" that does not appear to do much. In reality, though, this is a Trojan that pretends to be a bitcoin generator, but simply launches a malware payload. - Bot


When BleepingComputer analyzed the Trojan it was clearly shown that clicking on the Start button would cause the fake "Bot" program to trigger the malicious payload. It does this by copying a file at geobaze\patch\logo.png to logo.exe and executing it as shown below.

Executing the malicious payload

Executing the malicious payload

Depending on the running campaign, this payload is either a ransomware or a password-stealing Trojan. BleepingComputer has executed both of these campaigns and describe them briefly below.

The interesting aspect of this cryptocurrency scam is that by the attackers promising free Ethereum by referring users to the site, they effectively gain free promotion for their "BotCollector" Trojan and thus more opportunities to infect visitors.

Originally pushed a ransomware

When Frost first discovered this campaign, the malicious payload was a HiddenTear ransomware named "Marozka Tear Ransomware".

When run, the ransomware will encrypt your files and append the .Crypted extension and create ransom notes named HOW TO DECRYPT FILES.txt as shown  below. The program and notes tell the user to contact the attacker at in order to receive payment instructions.

The ransom note reads:

All your information (documents, databases, backups and other files) this computer was encrypted using the most cryptographic algorithms. All encrypted files are formatted .Crypted. This form files '.Crypted' is a joint development American Hackers. You can only recover files using a decryptor and password, which, in turn, only we know. It is impossible to pick it up. Reinstalling the OS will not change anything. No system administrator in the world can solve this problem without knowing the password In no case do not modify the files! But if you want, then make a backup. Drop us an email at the address You have 48 hours left. If they are not decrypted then after 48 hours they will be removed!!!

You can see the source code for the encryption process below.

Encrypting Files Source Code

Encrypting Files Source Code

As this is just a HiddenTear variant, infected users can decrypt their files for free using the HiddenTear Decrypter.

Now pushes a password-stealing Trojan

This scam has now switched its payload to an information stealing Trojan. Frost has told BleepingComputer that this is the Baldr infection, which currently has 32/70 detections at VirusTotal.

Below you can see the Trojan connecting to it's Command and Control servers below.

Connections to Trojan's C2 Server

Connections to Trojan's C2 Server

The password-stealing Trojan infection is the more serious of the two payloads as it could have allowed the attackers to steal login credentials for sites you visit, take screenshots, retrieve your browser history, steal files from your computer, and even steal cryptocurrency wallets.

Due to this, if you were affected by this scam recently, you should change all of your passwords, especially those related to banking or financial transactions.