Domain siblings and contents of the second javascript file

In my previous post, we saw that someone is apparently injecting Monero-harvesting code into what appear to be compromised websites. One method was to inject an invisible frame with a page that contained a script calling https://coin-hive.com/lib/coinhive.min.js, which is the Coinhive javascript Monero miner. Another method, present on the same page (presumably in case the browser used didn't support frames) was to directly call a javascript file from a different site. The contents of this javascript file is an array of numbers, followed by a loop.
This code extracts ASCII codes from the string of numbers, revealing obfuscated HTML.
The result calls the same Coinhive miner, but also another script that appears to create a bunch of ads. I'll run that on a victim machine and post the output later.

In the meantime, both methods used the same Coinhive script with the same unique site ID. This ID is to identify what account gets credited with the site owner's share of the cryptocurrency (the rest goes to Coinhive). This means that the site ID can be used to identify which sites were compromised by a common threat actor. Naturally, one would expect the threat actor to register a number of unique site IDs and rotate them to avoid too many sites being attributed to them.

The domains for the invisible frame and the obfuscated javascript were different, but a quick domain search revealed that they were obviously related.

The next steps are to run the advertising javascript and see what it pulls in, and try to find out how many sites have been compromised and injected with scripts that use the same, or related, unique Coinhive IDs. Interestingly, Coinhive's site (coin-hive.com) is down at the time of this post.Sucuri posted about a week ago regarding nefarious cryptocurrency mining on compromised sites.

Comments

Post a Comment

Popular posts from this blog

Javascript-based cryptocurrency mining script injection

Image
While looking closer at the Showtime embedded cryptocurrency miner mini-scandal, I wondered how many other pages had Coinhive embedded. After a quick Google search, I found several sites that seemed to have the crytocurrency mining code embedded, apparently without the page owners' knowledge, based on the content of the page. The code was embedded within an invisible iframe (a red flag) and the intermediate site that redirected to Coinhive has a history of malware activity. Interestingly, the frame was not always present, forcing a visit to Google's cache: Presumably compromised site: Injected frame: recaptcha-in.pw source code, in its entirety: We see the call to the Coinhive javascript file (coinhive.min.js). A quick search for the script shows expected results for cryptocurrency mining sites, but also a selection of possibly compromised sites: enrollsa.com/locations eduedgepro.com newmarketcomputerservices.com/slide-page/company/ sugar-packed.com arifpu
Read more

Apple Phishing email leads to a fake Apple login page

Image
Today, I'm looking at a phishing email sent to my Hotmail account. At first glance, it looks pretty standard; set to "High Importance" and littered with exclamation points to create a sense of urgency, the Apple logo and a real Apple support link at the bottom for legitimacy, and an IP address to create a sense of technicality. However, there are a few giveaways: Misspellings and bad grammar throughout Apple link and boilerplate text at the bottom are for Apple Australia, which is the wrong country for the intended target IP address belongs to Comcast, which is not the ISP of the intended target Generic greeting (Dear Apple User!) rather than a personalized greeting The iPhone image is loaded from an external source that a legitimate Apple email would not be using (Wikimedia) and has Indonesian (i.e. Malay) alt text (alt="Hasil gambar untuk iphone 6" src="hxxps://upload.wikimedia.org/wikipedia/commons/thumb/0/01/IPhone6_silver_frontface.png/15
Read more