Javascript-based cryptocurrency mining script injection

While looking closer at the Showtime embedded cryptocurrency miner mini-scandal, I wondered how many other pages had Coinhive embedded. After a quick Google search, I found several sites that seemed to have the crytocurrency mining code embedded, apparently without the page owners' knowledge, based on the content of the page. The code was embedded within an invisible iframe (a red flag) and the intermediate site that redirected to Coinhive has a history of malware activity. Interestingly, the frame was not always present, forcing a visit to Google's cache:

 Presumably compromised site:


Injected frame:

recaptcha-in.pw source code, in its entirety:
We see the call to the Coinhive javascript file (coinhive.min.js). A quick search for the script shows expected results for cryptocurrency mining sites, but also a selection of possibly compromised sites:

  • enrollsa.com/locations
  • eduedgepro.com
  • newmarketcomputerservices.com/slide-page/company/
  • sugar-packed.com
  • arifpuglia.it
  • and many others...
There are a few elements that are always, or nearly always, present besides the script to recaptcha-in.pw:
  • An identifier to Coinhive (pool?): beyOOUUa39A4G1SywiY9I2QPZn3rUTpW
  • A second script calling a javascript file from google-statik.pw
Next post I'll go over the second script, and how related google-statik.pw is to recaptcha-in.pw (spoiler: very).

Comments

Post a Comment

Popular posts from this blog

Domain siblings and contents of the second javascript file

Image
In my previous post, we saw that someone is apparently injecting Monero-harvesting code into what appear to be compromised websites. One method was to inject an invisible frame with a page that contained a script calling https://coin-hive.com/lib/coinhive.min.js, which is the Coinhive javascript Monero miner. Another method, present on the same page (presumably in case the browser used didn't support frames) was to directly call a javascript file from a different site. The contents of this javascript file is an array of numbers, followed by a loop. This code extracts ASCII codes from the string of numbers, revealing obfuscated HTML. The result calls the same Coinhive miner, but also another script that appears to create a bunch of ads. I'll run that on a victim machine and post the output later. In the meantime, both methods used the same Coinhive script with the same unique site ID. This ID is to identify what account gets credited with the site owner's share of
Read more

Apple Phishing email leads to a fake Apple login page

Image
Today, I'm looking at a phishing email sent to my Hotmail account. At first glance, it looks pretty standard; set to "High Importance" and littered with exclamation points to create a sense of urgency, the Apple logo and a real Apple support link at the bottom for legitimacy, and an IP address to create a sense of technicality. However, there are a few giveaways: Misspellings and bad grammar throughout Apple link and boilerplate text at the bottom are for Apple Australia, which is the wrong country for the intended target IP address belongs to Comcast, which is not the ISP of the intended target Generic greeting (Dear Apple User!) rather than a personalized greeting The iPhone image is loaded from an external source that a legitimate Apple email would not be using (Wikimedia) and has Indonesian (i.e. Malay) alt text (alt="Hasil gambar untuk iphone 6" src="hxxps://upload.wikimedia.org/wikipedia/commons/thumb/0/01/IPhone6_silver_frontface.png/15
Read more