{"id":85205,"date":"2017-11-24T12:51:16","date_gmt":"2017-11-24T07:21:16","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85205"},"modified":"2017-11-24T12:58:41","modified_gmt":"2017-11-24T07:28:41","slug":"massive-campaign-delivering-monero-miner-via-compromised-websites-analysis-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/massive-campaign-delivering-monero-miner-via-compromised-websites-analysis-quick-heal-security-labs\/","title":{"rendered":"Massive campaign delivering Monero Miner via compromised websites \u2013 an analysis by Quick Heal Security Labs"},"content":{"rendered":"

Ransomware outbreaks have been on the rise for quite some time now but suddenly we are observing a change in this trend. \u00a0Seems like the rise observed in cryptocurrency valuations especially for Bitcoins is making attackers to go after cryptocurrency<\/a> mining. Cryptocurrency miner malware have become hot attack vectors for cybercriminals. By looking at the current complexities of mining, a mining pool of computers is needed for effective mining of cryptocurrencies. To achieve this, cybercriminals are attacking end users’ machines with miner malware with the aim of creating mining pools. This type of mining attacks can be termed as distributed mining<\/strong>.<\/p>\n

In this blog post, we will be talking about an ongoing distributed mining campaign targeted towards mining of cryptocurrency called Monero<\/a>. Monero (XMR) is an open source cryptocurrency which was launched in April 2014. Cryptocurrency mining requires massive computation power. Cybercriminals are misusing the processing power of end user devices to mine targeted cryptocurrency. In order to achieve this, hackers are compromising several websites mostly hosted on WordPress to deliver the Monero miner.<\/p>\n

As per the telemetry received at Quick Heal Security Labs, the compromised websites include those of Government, Pharmaceuticals, and Educational institutions.<\/em><\/strong><\/p>\n

Attack chain<\/strong><\/p>\n

This infographic depicts the attack chain of this campaign.<\/p>\n

\"Fig
Fig 1: Attack Chain<\/figcaption><\/figure>\n

In this campaign, websites with known vulnerabilities are being targeted. Once exploited, a malicious obfuscated JavaScript is injected into web pages. When a user visits such compromised websites, the injected JavaScript lures them into downloading a fake font update. On execution of the fake font update, it downloads the Monero miner and executes on user\u2019s system. This attack is currently only targeting users of Google Chrome and Firefox browser.<\/p>\n

Let\u2019s deep dive into the various phases of this attack. The below fiddler session capture shows the attack sequence. The attack sequence is that of a compromised website of a Pharmaceutical company<\/em><\/strong>.<\/em><\/p>\n

\"Fig
Fig 2: Fiddler Capture (Shortened Version)<\/figcaption><\/figure>\n

The injected JavaScript on execution pops up a window to update the font. The analysis was carried out on a Google Chrome browser during which we saw a pop-up to update \u201cChrome Font Pack\u201d. Fig 3. shows the pop-up window.<\/p>\n

\"Fig
Fig 3. Pop-up window which asks user to update Fake Font<\/figcaption><\/figure>\n

When the update button is clicked on, it pops up an instruction page on the screen. It also downloads a malicious ZIP file to Google Chrome\u2019s default download directory. The instructions displayed on the pop-up window asks the user to execute the file.<\/p>\n

\"Fig
Fig 4. Pop up window with instructions and downloads malicious ZIP file<\/figcaption><\/figure>\n

The downloaded ZIP file i.e., \u2018ttf.zip\u2019 consists of a malicious \u2018ttf.js\u2019 file. When the user clicks on \u2018ttf.js\u2019 it gets executed by \u2018cscript.exe\u2019 and downloads the malicious executable i.e., Monero miner.<\/p>\n

JavaScript analysis<\/strong><\/p>\n

The Injected JavaScript is obfuscated. It consists of a de-obfuscation routine and a long string which is encoded with Base64.<\/p>\n

\"Fig
Fig 5. Injected JavaScript into Compromised Website<\/figcaption><\/figure>\n

The de-obfuscation of the above-injected JavaScript reveals the below code.<\/p>\n

\"Fig
Fig 6. De-obfuscated version of injected JavaScript<\/figcaption><\/figure>\n

As spotted in above Fig 6, it redirects the user to below malicious URL.<\/p>\n

\u201chxxp:\/\/bmooc[.]net\/wp-content\/service\/cat[.]php?m=f\u201d.<\/p>\n

The above URL fetches another malicious JavaScript code which looks like the below.<\/p>\n

\"Fig
Fig 7. Malicious JavaScript which loads Pop-up window<\/figcaption><\/figure>\n

The above malicious JavaScript loads the pop-up window on only Google Chrome and Firefox browsers. This, in turn, prompts the user to download the fake font update i.e., \u2018ttf.zip\u2019 file and gives instructions on how to install it.<\/p>\n

Monero miner post-infection activity<\/strong><\/p>\n

On successful execution, the Monero miner generates the below post-infection traffic.<\/p>\n

\"Fig
Fig 8. Post infection traffic of Monero Miner<\/figcaption><\/figure>\n

At the time of analysis, the CnC server did not respond as expected.<\/p>\n

Using the old trick of compromising websites with known vulnerabilities turns out to be an effective way of mass infection. This campaign also makes use of compromised websites in order to infect mass users with Monero miner. This forms distributed network of Monero miners. To solve the complex job of mining digital currency, such distributed networks of miner pools turns out to be an effective tool. We advise our users to stay protected by keeping their antivirus<\/a> up to date with the latest security updates.<\/p>\n

Indicators of compromise<\/strong><\/p>\n

bmooc[.]net
\nbuyorganicvisitors[.]com
\n47D3C7B7510F7AA962B184CBF41EF630<\/p>\n

Subject Matter Experts<\/strong><\/p>\n

Pradeep Kulkarni | Prashant Tilekar, Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

Ransomware outbreaks have been on the rise for quite some time now but suddenly we are observing a change in this trend. \u00a0Seems like the rise observed in cryptocurrency valuations especially for Bitcoins is making attackers to go after cryptocurrency mining. Cryptocurrency miner malware have become hot attack vectors for cybercriminals. By looking at the […]<\/p>\n","protected":false},"author":31,"featured_media":85218,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[719,998,1535,1534,1533,561],"class_list":["post-85205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","tag-bitcoin","tag-compromised-websites","tag-malicious-javascripts","tag-miner","tag-monero","tag-vulnerabilities"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85205"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85205"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85205\/revisions"}],"predecessor-version":[{"id":85221,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85205\/revisions\/85221"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85218"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}