Threat Analysis Report: Save Yourself Malware

Reason Labs

Recently, the crypto-blackmail scam known as “Save Yourself” has returned: users worldwide have been reporting emails from the sender “SaveYourself@856.com”, who claims to have hacked their computer, to have caught them in some awkward situations, and to be ready to share the recordings publicly unless they pay him in Bitcoin.
In fact, the users receiving these emails have not been infected, and there is no RAT controlling their computers (at least not this one…). The malware author has been infecting machines and using them both as proxies for sending the blackmail emails and as Monero miners. The recipients’ email addresses and passwords were simply found in a password dump, and the attacker has been trying his luck with them. The capabilities of the malware are as follows:

  1. Blackmailing
  2. Monero miner

Infected files reached more than 110K users in a very short time because of the malware’s spreading capability. A quick Google search shows many users complaining about the “saveyourself” scam virus, as well as many sites offering their product to remove the malware. The users who received the email were not infected by the malware itself; their email addresses were merely exposed in a dump. Downloading one of these “removal” products, however, is what could actually cause the computers of those users to become infected with the malware.
It is quite possible that the malware author gathered and combined several existing malware samples and modified them to suit his needs (Bitcoin wallet addresses and so on).
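The practical consequence of the analysis above is that this campaign is best handled at the mail gateway, not on the recipient's endpoint: the recipient is not infected, and the useful response is to quarantine the mail and tell the user to rotate the leaked password rather than to buy a cleanup tool. The following is an added example, not code from the Reason Labs report. It takes only the indicators the report gives (the sender SaveYourself@856.com, a claim of having hacked the recipient, a Bitcoin ransom demand) and scores an incoming message against them. The keyword list, the scoring thresholds, the `recommended_action` text and the two sample emails are this example's own constructions; it validates ransom addresses with a Base58Check checksum so that a mistyped or decoy string does not count as a demand, and it only recognises legacy (1…/3…) addresses, not bech32.

```python
"""Mail-gateway triage for the "Save Yourself" sextortion campaign.

Added example (not from the Reason Labs report). Indicators taken from the
write-up: sender SaveYourself@856.com, a claim of having hacked the recipient,
a Bitcoin ransom demand. Keyword list, thresholds, recommended_action text and
the sample mails below are this example's own constructions.
"""
import email
import hashlib
import re
from email import policy

KNOWN_SENDERS = {"saveyourself@856.com"}                      # reported sender, lowercased
# Wording typical of the extortion claim (assumed; not quoted from the report).
EXTORTION_TERMS = ("hacked", "webcam", "video", "publish", "share", "contacts", "pay")
# Legacy Base58 addresses only (P2PKH "1…" / P2SH "3…"); bech32 "bc1…" is out of scope here.
BTC_CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: decode to 25 bytes whose last 4 are SHA256d(first 21)[:4]."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def sender_address(msg) -> str:
    """Return the bare, lowercased address from the From: header."""
    header = str(msg.get("From", ""))
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()


def triage(raw_mail: str) -> dict:
    """Score one RFC 822 message against the campaign's indicators."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    lowered = body.lower()
    sender = sender_address(msg)

    valid_addresses = [a for a in BTC_CANDIDATE.findall(body) if is_valid_btc_address(a)]
    term_hits = [t for t in EXTORTION_TERMS if t in lowered]

    indicators = []
    if sender in KNOWN_SENDERS:
        indicators.append("known_sender")
    if valid_addresses and "bitcoin" in lowered:
        indicators.append("bitcoin_ransom_demand")
    if len(term_hits) >= 3:
        indicators.append("extortion_wording")

    scam = len(indicators) >= 2  # require two independent indicators (assumed threshold)
    return {
        "sender": sender,
        "btc_addresses": valid_addresses,
        "indicators": indicators,
        "verdict": "sextortion_scam" if scam else "no_match",
        # The report's key point: the recipient is not infected; the credential came from a dump.
        "recommended_action": (
            "quarantine; tell recipient: do not pay, rotate the leaked password, no malware cleanup needed"
            if scam else "deliver"
        ),
    }


# Constructed sample: the ransom address is the well-known Bitcoin genesis-block address.
SCAM_MAIL = """\
From: SaveYourself <SaveYourself@856.com>
To: victim@example.com
Subject: I know your password

I hacked your computer and recorded a video through your webcam.
Pay 0.5 Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours
or I publish the video to all your contacts.
"""

# Constructed sample: mentions Bitcoin and a look-alike string whose checksum is wrong.
BENIGN_MAIL = """\
From: Newsletter <news@example.org>
To: victim@example.com
Subject: Weekly crypto digest

Bitcoin price movements this week, plus a look at the legacy address format
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb used in old tutorials.
"""

if __name__ == "__main__":
    for raw in (SCAM_MAIL, BENIGN_MAIL):
        print(triage(raw))
```

Only the combination of indicators triggers quarantine, so a newsletter that merely mentions Bitcoin, or a message from the reported sender domain with no ransom content, is not blocked on one signal alone; the checksum check also stops an attacker from padding benign mail with random address-shaped strings to test the filter.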

Read full report here
