SBN

The Growing Trend of Coin Miner JavaScript Infection

1. CharCode JavaScript 

On 6th December 2017, FortiGuard Labs discovered a compromised website – acenespargc[.]com. Looking into the source code, we noticed a suspicious encrypted script which the uses eval() function to convert all the characters into numbers. We used a tool called CharCode Translator to reverse the numbers back into characters. We were then able to retrieve a link which redirects to a scam page or phishing website.

Part 1

 

Part 2

The above is just a simple example. The threat actor can actually customize the phishing content by geographical location, and to better avoid detection, it will also disappear when it detects that you have visited the phishing page before.

Using this technique, threat actors are able to hide malicious/phishing/advertising URLs from being seen with the naked eye.  

As you will see below, this technique has now been adopted by threat actors to hide Cryptocurrency mining JavaScript in compromised websites, so that whoever visits the website will be “infected” and their computer will start cryptomining for the threat actor. We classify this activity as malicious because it uses other people’s resources without their permission.

 

2. Packer tool hides CoinHive script   

On the 28th of December, FortiGuard Labs learned about another malicious website using the very obfuscation technique we described above – romance-fire[.]com – through a referral from a customer. This website contained obscured malicious code for cryptocurrency mining.

We uncovered the encoded script, and by using the packer tool to unpack it, we found the script has a connection to CoinHive.

breaking-news

JavaScript from the source code

unpack

Unpacking the JavaScript – Part 1

We noticed that the URL (hxxp://3117488091/lib/jquery-3.2.1.min.js?v=3.2.11) didn’t seem like a valid IP or domain. We did some research and found that ‘3117488091’ is the decimal IP of 185.209.23.219 after we converted it at KLOTH.NET. Below is the result:

This site converted the URL  to hxxp://185.209.23.219/lib/jquery-3.2.1.min.js?v=3.2.11. From the URL, we retrieved the same pattern of JavaScript, so we unpacked the Script again.

Unpacking the JavaScript – Part 2

After a final round of unpacking, we were finally able to retrieve the script that contains CoinHive URLs:

unpack2

Unpacking the JavaScript – Part 3

3. Coin miner from GitHub 

On 26th January 2018, we discovered another website – sorteosrd[.]com – which also mines cryptocurrency by hijacking a visitor’s CPU. This cryptomining malware again allows hijackers to benefits from mining digital currency without the computer user’s permission. We believe that this site might have been compromised or used by the webmaster.

Source code of the website hxxp://sorteosrd.com:

 

Impact of surreptitious cryptomining on user’s device

As we can see from the screenshot above, coin miner dramatically slows down the PC as its CPU is fully utilized after visiting the site.

4. Compromised website – BlackBerry infected with CryptoCoin mining 

Another example of a CoinHive script was found at a surprising compromised website – blackberrymobile.com.

9cae0885135b83c1b7d1637a5880c0bf

Even the Blackberry site was compromised for a short time to mine for Monero cryptocurrency.

5. Compromised website – Milk New Zealand infected with deepMiner tool

In addition, we also discovered that one of the largest dairy farm groups in New Zealand, Milk New Zealand, had also been compromised. Our AV lab detected malicious activity from the site, so we look into the source code and found a script using the deepMiner tool at github to Mine Monero, Electroneum, Sumokoin, etc. See the screenshot below:

 

JavaScript using deepMiner

Based on the data in the screenshot above, we learned that this kind of script uses DDNS for its domain and only increases CPU usage by 50% in order to be less noticeable to end users.

6. Even YouTube serves ads with coin mining

The problem of cryptocurrency-mining malware is getting serious. As the number of threat actors looking to earn from cryptomining by hijacking CPU cycles continues to grow, cryptomining malware is showing up in more and more places. A week ago, several malicious ads popped up on YouTube after a threat actor managed to inject a coin miner script into online ads. Luckily, YouTube found the issue and removed the affected ads within two hours.

 

Malicious cryptomining YouTube ads

What can you do to prevent or avoid Coin Miner hijacking?

  1. Clear your browser cache, or install ccleaner software to find and remove unwanted files and invalid Windows Registry entries from your computer
  2. Disable JavaScript in your browser or run a script blocker tool or extension
  3. Install Antivirus software such as FortiClient
  4. Install and run AdBlocker or similar tools, such as Ghostery

FortiGuard has blacklisted all the URLs listed in this blog as Malicious.   

IOCs:
Compromised Websites:

  • acenespargc[.]com
  • www[.]romance-fire[.]com
  • milknewzealand[.]com

Newly observed coin mining URLs:

  • hxxp://coinhive[.]com
  • hxxp://minerhills[.]com
  • hxxp://crypto-webminer[.]com
  • hxxp://sorteosrd[.]com
  • hxxp://greenindex[.]dynamic-dns[.]net
  • hxxps://github[.]com/deepwn/deepMiner

 

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.