Bitcoin Forum
Author Topic: Newbie account spreading malware using a fake link.  (Read 302 times)
coupable (OP)
Hero Member
June 15, 2020, 05:41:13 PM
Merited by suchmoon (7), nutildah (1), enhu (1), The Cryptovator (1), dkbit98 (1), Rikafip (1), TalkStar (1)
#1

This topic was posted in the Bitcoin Discussion board by a newbie account (created today) named Rizotolok. The topic contains a link pretending to be a screenshot, but on checking, it leads to a page where the link to the image is a downloadable zip file. I have checked it using VirusTotal and it shows a Trojan malware.
Suspicious link:
Code:
[url=https://www.screenshȯt.net/lKtgMY.jpg]https://www.screenshȯt.net/lKtgMY.jpg[/url]
VirusTotal scan result: https://www.virustotal.com/gui/file/45896fc99e6aa2bbaa7ea55ca1c465a0051fe9dfb93090dd2955b15194bb9db0/detection

After warning users, OP edited his original post and removed the link before I could archive it. But he forgot to remove it from his other posts, which I succeeded in archiving: http://archive.vn/hZrL1

In the same topic, two other newbie accounts posted to confirm that the investment is safe. I also archived it for reference: http://archive.is/fC99n
Suspicious accounts (all created today):
Rizotolok
FlorenceLove
Mathieuinve2018

I was about to just report the topic to the mods, but after OP edited it, I decided to post here so detective users can check his unedited posts using LoyceV's tool, which I can't use correctly yet.
bitmover
Legendary
June 15, 2020, 05:43:24 PM
#2

I just tagged the user https://bitcointalk.org/index.php?action=trust;u=2819111

I will tag the others as well.

Thanks for pointing that out.

enhu
Legendary
June 15, 2020, 05:45:49 PM
#3

I've downloaded it after someone quoted it and said thank you to it.  Fuck it! I did try to open it but it says extract, so I took a look at it and it's a zip file. I was going to look at what is inside of it but have not, since I'm not with my Linux system. Crazy how he thinks he could just do it without being noticed when everyone here is on the lookout for things like this and scammers.

It's not just that thread; you can check out more threads where the link was inserted. I can't find some of the threads.

this https://bitcointalk.org/index.php?topic=5255778.msg54624977#msg54624977

MRKLYE
Legendary
June 15, 2020, 05:48:08 PM
#4

Fucking rookies... You can just encode a dropper into straight up image files and then plant a RAT on their terminal..



TalkStar
Copper Member
Hero Member
June 15, 2020, 05:52:29 PM
#5

> I've downloaded it after someone quoted it and said thank you to it.  Fuck it! I did try to open it but it says extract, so I took a look at it and it's a zip file. I was going to look at what is inside of it but have not, since I'm not with my Linux system. Crazy how he thinks he could just do it without being noticed when everyone here is on the lookout for things like this and scammers.
>
> It's not just that thread; you can check out more threads where the link was inserted. I can't find some of the threads.
Yeah, that guy was looking for someone like you. I suggest you remove the file from your device to keep it safer. You are not a newbie and you may know that it's not a good option to download any file from unknown sources.

"Coupable", you did a good job by detecting the link which contains malware. I hope community users will be aware of this and will not download that file.


coupable (OP)
Hero Member
June 15, 2020, 05:55:03 PM
#6

> I just tagged the user https://bitcointalk.org/index.php?action=trust;u=2819111
>
> I will tag the others as well.
>
> Thanks for pointing that out.
Thanks for your fast reaction before the scammers got more victims. I am waiting for moderators to nuke those accounts too.

> I've downloaded it after someone said thank you to it.
Please don't open it on your device. It's confirmed malware.
You, as a veteran member, should not fall victim to those scammers. I advise you not to trust anything posted by a newbie account in this forum.
LoyceV
Legendary
June 15, 2020, 07:39:19 PM
Merited by coupable (2), TalkStar (1)
#7

> I decided to post here so detective users can check his unedited posts using LoyceV's tool, which I can't use correctly yet.
It's so easy:
Viewing unedited/deleted posts

How to use it
  • Find the msgID, userID or topicID you need. Let's use msgID 51902990.
  • Remove the last 4 digits from the msgID to get the directory name (if there are less than 4 digits, use 0): 5190.
  • Put everything together behind the (above) URL and add ".html": http://loyce.club/archive/posts/5190/51902990.html.
This is what I do:
  • Copy the userID (2819111) to your clipboard.
  • Click http://loyce.club/archive/members/
  • Put your cursor behind the link
  • Press these keys: CTRL-V Backspace Backspace Backspace Backspace / CTRL-V .html Enter
(the ".html" are 5 separate keys)
That's it! Once I've used it, my browser remembers the URLs, so all I do is type "posts", "members" or "topics", my browser completes the URL, then I paste the number, hit Backspace 4 times, type a slash ("/"), paste the number again, type .html and hit Enter. The whole thing takes about 3 seconds (after some practice). End result: http://loyce.club/archive/members/281/2819111.html. 3 of his posts have a "screenshot".
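A small helper that applies the directory rule from the guide above, written as an added example and not LoyceV's own code: it pulls the userID, topicID or msgID out of an ordinary bitcointalk URL (such as the trust link and the topic link posted earlier in this thread) and builds the matching loyce.club archive URL. It assumes the topics directory uses the same "strip the last four digits" layout as posts and members.

```python
import re

ARCHIVE_BASE = "http://loyce.club/archive"

# Where each ID appears in a normal bitcointalk URL: userID after "u=",
# topicID after "topic=", msgID after ".msg".
ID_PATTERNS = {
    "members": re.compile(r"[;?&]u=(\d+)"),
    "topics": re.compile(r"[;?&]topic=(\d+)"),   # assumption: same layout as posts
    "posts": re.compile(r"\.msg(\d+)"),
}


def archive_url(kind: str, ident: int) -> str:
    """Directory = the ID with its last 4 digits removed (0 when nothing is left),
    file name = the full ID plus '.html'. 51902990 -> posts/5190/51902990.html"""
    if kind not in ID_PATTERNS:
        raise ValueError(f"unknown archive kind: {kind}")
    digits = str(ident)
    directory = digits[:-4] or "0"
    return f"{ARCHIVE_BASE}/{kind}/{directory}/{digits}.html"


def archive_links(forum_url: str) -> dict:
    """Map every ID found in a bitcointalk URL to its archive page."""
    links = {}
    for kind, pattern in ID_PATTERNS.items():
        match = pattern.search(forum_url)
        if match:
            links[kind] = archive_url(kind, int(match.group(1)))
    return links


if __name__ == "__main__":
    # Constructed inputs: the two forum URLs quoted in this thread.
    for url in ("https://bitcointalk.org/index.php?action=trust;u=2819111",
                "https://bitcointalk.org/index.php?topic=5255778.msg54624977#msg54624977"):
        print(url, "->", archive_links(url))
```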

mole0815
Staff
Legendary
June 15, 2020, 08:50:58 PM
#8

In the meta area there is a thread from Lafu in which such cases are constantly being processed: Report Malware and Suspicious Links here so Mods can take Action !

The 3 users mentioned here are really not needed by the forum. Thanks for being attentive...  Problem is solved ;)

The Cryptovator
Legendary
June 16, 2020, 05:44:41 AM
#9

I tried it on a mobile device; when I clicked on "view image" it forced me to download multiple files. Unfortunately, even though I used the cancel button, a file was downloaded (I just tried it myself as a test but deleted the file immediately without extracting it). Did the user embed it, or is it forced by the website? Anyway, files shouldn't be downloaded from unknown sources and shouldn't be installed on the device, to avoid any kind of attack.

Thanks OP for the warning; most likely those users have been nuked, since their post history is ZERO.

coupable (OP)
Hero Member
June 16, 2020, 07:58:26 PM
#10

> In the meta area there is a thread from Lafu in which such cases are constantly being processed: Report Malware and Suspicious Links here so Mods can take Action !
This is what I was looking for before starting this thread. I didn't notice that topic before. Thanks for your suggestion and for your fast response.

> How to use it
>   • Find the msgID, userID or topicID you need. Let's use msgID 51902990.
>   • Remove the last 4 digits from the msgID to get the directory name (if there are less than 4 digits, use 0): 5190.
>   • Put everything together behind the (above) URL and add ".html": http://loyce.club/archive/posts/5190/51902990.html.
> This is what I do:
>   • Copy the userID (2819111) to your clipboard.
>   • Click http://loyce.club/archive/members/
>   • Put your cursor behind the link
>   • Press these keys: CTRL-V Backspace Backspace Backspace Backspace / CTRL-V .html Enter
> (the ".html" are 5 separate keys)
It's still a little bit complicated for me, as I am not that familiar with the loyce.club tools. Thank you Loyce for the nice easy guide. I will try it for sure.

> I tried it on a mobile device; when I clicked on "view image" it forced me to download multiple files. Unfortunately, even though I used the cancel button, a file was downloaded (I just tried it myself as a test but deleted the file immediately without extracting it). Did the user embed it, or is it forced by the website?
I found it strange that the website is called screenshot.net. It looks like a legit domain as it has an SSL certificate.
I sent the file to a friend of mine who is an expert in this kind of malware. I am waiting for his analysis and I will post the result here.

Thank you all.
I am closing this topic.
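The hostname in the OP's link is not the ASCII screenshot.net: its second "o" is U+022F (LATIN SMALL LETTER O WITH DOT ABOVE), so the browser resolves an xn-- (punycode) domain that only looks like the real one, and a valid certificate for that lookalike proves nothing about the site it imitates. The following check is an added example, not code from anyone in this thread; it lists a hostname's non-ASCII characters, shows the xn-- form that is actually resolved, and reduces the name to the ASCII skeleton it imitates. The sample URLs are constructed from the link quoted above.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: the OP's link, with the lookalike letter written as an
# escape so it is visible (U+022F), and the plain ASCII hostname it imitates.
LOOKALIKE_URL = "https://www.screensh\u022ft.net/lKtgMY.jpg"
ASCII_URL = "https://www.screenshot.net/lKtgMY.jpg"


def ascii_skeleton(host: str) -> str:
    """Strip diacritics: decompose each letter into base + combining marks and
    drop the marks, so 'screensh\u022ft' reads as 'screenshot'. This only catches
    diacritic lookalikes; other-script confusables (e.g. Cyrillic letters) need
    the Unicode confusables table as well."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyse_host(url: str) -> dict:
    """Return what a reviewer needs to judge a hostname: its non-ASCII characters,
    the xn-- (IDNA) form the browser actually resolves, and the ASCII name the
    eye reads."""
    host = urlsplit(url).hostname or ""
    non_ascii = [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for c in host if ord(c) > 0x7F
    ]
    try:
        resolved = host.encode("idna").decode("ascii")  # stdlib IDNA codec
    except UnicodeError:
        resolved = None  # label cannot be encoded at all: treat as suspicious
    skeleton = ascii_skeleton(host)
    return {
        "host": host,
        "non_ascii": non_ascii,
        "resolved_host": resolved,
        "skeleton": skeleton,
        # Flag when the eye reads an ASCII name that differs from the name resolved.
        "lookalike": bool(non_ascii) and skeleton.isascii() and skeleton != host,
    }


if __name__ == "__main__":
    for url in (LOOKALIKE_URL, ASCII_URL):
        r = analyse_host(url)
        print(r["host"], "->", r["resolved_host"], "| imitates:", r["skeleton"],
              "| lookalike:", r["lookalike"], "| chars:", r["non_ascii"])
```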
Timelord2067
Legendary
June 17, 2020, 06:34:56 AM
#11

It's probably better if you post a link to the thread post *without* reposting the actual suspicious link in a new place.  You can also report the post via the link in the lower right corner of the actual post entitled "report to moderator".

examplens
Legendary
June 17, 2020, 09:11:22 AM
#12

> It's probably better if you post a link to the thread post *without* reposting the actual suspicious link in a new place.  You can also report the post via the link in the lower right corner of the actual post entitled "report to moderator".

OP properly posted the link in "code", so it is visible here as evidence but is not clickable, and it does not bring the possibility of someone accidentally clicking it and getting malicious software from there.
I find only a link to the VirusTotal page, and I don't see a problem there either.
Maybe he wanted the opinion of more experienced members, so he opened this topic and got some answers, which would not be possible using the "report to moderator" option.

@coupable, you did a good job; all these suspicious accounts have been banned and their posts deleted. Maybe you can really lock this topic; there is no need for further discussion here.
