On Oct 30th, 2017 Microsoft Malware Protection Services tweeted about a new cryptocurrency miner on compromised sites.
A very new cryptocurrency miner we found in possibly compromised sites pretends to be legitimate code by using the name “googleanalytics” pic.twitter.com/lDphULt4hX
— Microsoft MMPC (@msftmmpc) October 30, 2017
The malicious code has a few of interesting features that help obfuscate its true nature:
- use of a non-dotted decimal notation for the host name: 3104709642(which translates to 185 .14 .28 .10)
- quite a common trick of using jQuery name as a script name: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads the obfuscated version of the CoinHive library)
- use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious miner, to make it look even more legit.
If you remove the layers of obfuscation, it’s still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.
We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not version of the script injected to websites. It was an already decoded version of the malicious script. The original code looks like this
A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them – they were all WordPress sites. Moreover, all the infected sites also shared the “cloudflare.solutions” malware (now it loads a keylogger script) that we wrote about this April.