• News
  • Security
  • Products
  • About Seqrite
Blogs on Information Technology, Network & Cybersecurity | Seqrite Blog
  • News
  • Security
  • Products
  • About Seqrite
Home  /  Malware • Security  /  Massive campaign delivering Monero Miner via compromised websites!
Massive campaign delivering Monero Miner via compromised websites!
24 November 2017

Massive campaign delivering Monero Miner via compromised websites!

Written by Pradeep Kulkarni
Pradeep Kulkarni
Malware, Security

Ransomware outbreaks have been on the rise for quite some time now but suddenly we are observing a change in this trend.  Seems like the rise observed in cryptocurrency valuations especially for Bitcoins is making attackers to go after cryptocurrency mining. Cryptocurrency miner malware have become hot attack vectors for cybercriminals. By looking at the current complexities of mining, a mining pool of computers is needed for effective mining of cryptocurrencies. To achieve this, cybercriminals are attacking end users’ machines with miner malware with the aim of creating mining pools. This type of mining attacks can be termed as distributed mining.

In this blog post, we will be talking about an ongoing distributed mining campaign targeted towards mining of cryptocurrency called Monero. Monero (XMR) is an open source cryptocurrency which was launched in April 2014. Cryptocurrency mining requires massive computation power. Cybercriminals are misusing the processing power of end user devices to mine targeted cryptocurrency. In order to achieve this, hackers are compromising several websites mostly hosted on WordPress to deliver the Monero miner.

As per the telemetry received at Quick Heal Security Labs, the compromised websites include those of Government, Pharmaceuticals, and Educational institutions.

Attack chain

This infographic depicts the attack chain of this campaign.

Fig 1: Attack Chain
Fig 1: Attack Chain

In this campaign, websites with known vulnerabilities are being targeted. Once exploited, a malicious obfuscated JavaScript is injected into web pages. When a user visits such compromised websites, the injected JavaScript lures them into downloading a fake font update. On execution of the fake font update, it downloads the Monero miner and executes on user’s system. This attack is currently only targeting users of Google Chrome and Firefox browser.

Let’s deep dive into the various phases of this attack. The below fiddler session capture shows the attack sequence. The attack sequence is that of a compromised website of a Pharmaceutical company.

Fig 2: Fiddler Capture (Shortened Version)
Fig 2: Fiddler Capture (Shortened Version)

The injected JavaScript on execution pops up a window to update the font. The analysis was carried out on a Google Chrome browser during which we saw a pop-up to update “Chrome Font Pack”. Fig 3. shows the pop-up window.

Fig 3. Pop-up window which asks user to update Fake Font
Fig 3. Pop-up window which asks user to update Fake Font

When the update button is clicked on, it pops up an instruction page on the screen. It also downloads a malicious ZIP file to Google Chrome’s default download directory. The instructions displayed on the pop-up window asks the user to execute the file.

Fig 4. Pop up window with instructions and downloads malicious ZIP file
Fig 4. Pop up window with instructions and downloads malicious ZIP file

The downloaded ZIP file i.e., ‘ttf.zip’ consists of a malicious ‘ttf.js’ file. When the user clicks on ‘ttf.js’ it gets executed by ‘cscript.exe’ and downloads the malicious executable i.e., Monero miner.

JavaScript analysis

The Injected JavaScript is obfuscated. It consists of a de-obfuscation routine and a long string which is encoded with Base64.

Fig 5. Injected JavaScript into Compromised Website
Fig 5. Injected JavaScript into Compromised Website

The de-obfuscation of the above-injected JavaScript reveals the below code.

Fig 6. De-obfuscated version of injected JavaScript
Fig 6. De-obfuscated version of injected JavaScript

As spotted in above Fig 6, it redirects the user to below malicious URL.

“hxxp://bmooc[.]net/wp-content/service/cat[.]php?m=f”.

The above URL fetches another malicious JavaScript code which looks like the below.

Fig 7. Malicious JavaScript which loads Pop-up window
Fig 7. Malicious JavaScript which loads Pop-up window

The above malicious JavaScript loads the pop-up window on only Google Chrome and Firefox browsers. This, in turn, prompts the user to download the fake font update i.e., ‘ttf.zip’ file and gives instructions on how to install it.

Monero miner post-infection activity

On successful execution, the Monero miner generates the below post-infection traffic.

Fig 8. Post infection traffic of Monero Miner
Fig 8. Post infection traffic of Monero Miner

At the time of analysis, the CnC server did not respond as expected.

Using the old trick of compromising websites with known vulnerabilities turns out to be an effective way of mass infection. This campaign also makes use of compromised websites in order to infect mass users with Monero miner. This forms distributed network of Monero miners. To solve the complex job of mining digital currency, such distributed networks of miner pools turns out to be an effective tool. We advise our users to stay protected by keeping their antivirus up to date with the latest security updates.

Indicators of compromise

bmooc[.]net
buyorganicvisitors[.]com
47D3C7B7510F7AA962B184CBF41EF630

Subject Matter Experts

Pradeep Kulkarni | Prashant Tilekar, Quick Heal Security Labs

 Previous PostEffective Patch Management requires a well-defined strategy
Next Post  Cybersecurity and Compliance requirements: Part 1
Pradeep Kulkarni

About Pradeep Kulkarni

Pradeep Kulkarni is leading the IPS team in Quick Heal Technologies Limited. Having worked in the IT security industry for over 11 years, he has worked on various...

Articles by Pradeep Kulkarni »

Related Posts

  • SnakeKeylogger: A Multistage Info Stealer Malware Campaign

    March 25, 2025
  • SVC New Stealer on the Horizon

    March 21, 2025
  • data privacy

    The What, How, and Why of Data Privacy

    January 24, 2025
Featured Authors
  • Seqrite
    Seqrite

    Follow us for the latest updates and insights related to security for...

    Read more..
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director of Quick Heal Technologies...

    Read more..
  • Mahua Chakrabarthy
    Mahua Chakrabarthy

    A tea connoisseur who firmly believes that life is too short for dull content....

    Read more..
Topics
apt (20) Cyber-attack (36) cyber-attacks (58) cyberattack (16) cyberattacks (13) Cybersecurity (324) cyber security (32) Cyber threat (33) cyber threats (48) Data (11) data breach (55) data breaches (28) data loss (28) data loss prevention (34) data privacy (12) data protection (25) data security (15) DLP (49) Encryption (16) endpoint security (108) Enterprise security (17) Exploit (14) firewall (11) GDPR (12) hackers (11) malware (76) malware attack (23) malware attacks (12) MDM (25) Microsoft (15) Network security (22) Patch Management (12) phishing (27) Ransomware (67) ransomware attack (30) ransomware attacks (30) ransomware protection (14) security (11) Seqrite (33) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) UTM (34) Vulnerability (16) windows (11)
Loading
Resources
  • White Papers
  • Datasheets
  • Threat Reports
  • Manuals
  • Case Studies
About Us
  • About Seqrite
  • Leadership
  • Awards & Certifications
  • Newsroom
Archives
  • By Date
  • By Category
Loading

© 2025 Quick Heal Technologies Ltd. Cookie Policies Privacy Policies