Wikipedia Page Review Reveals Minr Malware

February 19, 2018 | Denis Sinegubko

Since December, we’ve seen a number of websites with this funny-looking obfuscated script injected at the very top of the HTML code (before the <html> tag).

Injected script at the very top of HTML code

This code is generated by the well-known JJEncode obfuscator, which was once quite popular for obfuscating malicious code. Since its popularity dwindled a few years ago, we’ve hardly seen any new malware using it. It was definitely a surprise for us when, approximately 3 months ago, we noticed the JJEncode obfuscator was once again in use: the Minr cryptominer began using it to obfuscate the scripts it loaded from multiple domains, such as web.clod[.]pw.

Here’s a description of the cryptojacking malware, the Minr code, and a related domain from a Bad Packets Report tweet:

Using @urlscanio we can quickly find the malicious "Minr" code, which points to web.clod[.]pw — this is a known #Minr domain.

However, the JavaScript itself is obfuscated using a method called "JSFuck" — this can be decoded using a tool such as https://t.co/ucgL8xeASb pic.twitter.com/ccNmtTdJhS

— Bad Packets Report (@bad_packets) December 31, 2017

Stati[.]bid Cryptominer

From time to time, we deobfuscate injected scripts to check if there’s something new there.

Decoded Script

We had been tracking one particular infection for a while, and noticed a few weeks ago that the malware had begun loading the Minr webminer from web.stati[.]bid – a domain that was registered only recently, on February 2nd, 2018.

Wikipedia Incident

Interestingly enough, this malware was also the reason for reverting a series of edits to one Wikipedia article – which led to a discussion on whether the incident required the attention of Wikipedia administrators.

It appears that on February 2nd (the same day the stati[.]bid domain was registered), a Wikipedia user edited an article about “Feminist views on transgender topics” and added a link to a relevant article on a third-party site.

The third-party site happened to be infected with the stati[.]bid malware, and another user who reviewed the edits a few hours later noticed the infection, reverted the changes, contacted the author of the changes and solicited advice in the Wikipedia:Teahouse. One of the administrators replied that it was appropriate “to draw the attention of administrators with the appropriate skills and experience”, since this case had potential for “harm and damage to Wikipedia’s reputation.”

Five days later, on February 7th, another user took the time to decode the malicious script and concluded that there was no intention to contaminate that Wikipedia page; it was purely a coincidence that a user linked to a site that happened to be infected.

In our experience, this type of attack primarily impacts WordPress sites where the obfuscated Minr miner is injected at the very top of the active theme’s header.php file.

Conclusion

We are seeing a variety of creative approaches from bad actors seeking to spread infections to websites in order to mine cryptocurrencies. Some examples include CoinHive injections and hidden iframes within public repositories hosted on GitHub, cryptominer infections in both Drupal and Magento, and the re-use of old infections to distribute unwanted miners.

To protect your web assets from the creativity of bad actors, one of the best possible security practices you can employ is file integrity monitoring on your websites – this will help you detect malware injection, spam, defacements, database errors and downtime.
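As an added example (not Sucuri’s code or part of the original post), the script below does two things the post recommends or describes: a baseline-versus-current SHA-256 comparison for file integrity monitoring, and a quick scan of a theme file for the injection pattern discussed above (a script placed before the <html> tag, the JJEncode opener, and the two miner domains named in the post). The header.php content, paths and the abbreviated JJEncode opener are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: a WordPress theme header.php with an obfuscated script
# injected before the <html> tag, in the pattern the post describes.
# The script body is only an abbreviated JJEncode-style opener, not miner code.
INFECTED_HEADER = (
    '<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],'
    '_$_:++$,$_$$:({}+"")[$]};/* ... */</script>\n'
    '<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n<head>\n'
)
CLEAN_HEADER = '<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n<head>\n'

# JJEncode output starts by deriving numbers from ~[] and building a
# dictionary of string slices; this opener is its recognisable fingerprint.
JJENCODE_RE = re.compile(r'\$=~\[\];\s*\$=\{___:\+\+\$')
# Domains named in the post, without the defanging brackets.
MINER_DOMAINS = ('web.clod.pw', 'web.stati.bid')


def find_indicators(content: str) -> list:
    """Return the names of the injection indicators found in a theme/HTML file."""
    hits = []
    doc_start = re.search(r'<!DOCTYPE|<html', content, re.IGNORECASE)
    prefix = content[:doc_start.start()] if doc_start else content
    if '<script' in prefix.lower():
        hits.append('script-before-html')
    if JJENCODE_RE.search(content):
        hits.append('jjencode')
    if any(d in content.replace('[.]', '.') for d in MINER_DOMAINS):
        hits.append('known-miner-domain')
    return hits


def sha256(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def integrity_diff(baseline: dict, current: dict) -> dict:
    """Compare two {path: sha256} snapshots; report changed, added and removed files."""
    return {
        'changed': sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        'added': sorted(p for p in current if p not in baseline),
        'removed': sorted(p for p in baseline if p not in current),
    }


if __name__ == '__main__':
    path = 'wp-content/themes/mytheme/header.php'  # hypothetical path
    print(integrity_diff({path: sha256(CLEAN_HEADER)}, {path: sha256(INFECTED_HEADER)}))
    print(find_indicators(INFECTED_HEADER))
```

In practice the baseline snapshot is taken from a known-clean copy of the site and re-checked on a schedule, so a modified header.php shows up as a changed file even when the injected script uses an obfuscator the indicator scan does not recognise.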

If you believe your website has been compromised by malware and need assistance cleaning up your website, we’re always happy to help! You can learn more about how hackers and cryptocurrencies are impacting website security from our Cryptocurrency Mining Malware ebook.

Categories: Website Security | Tags: Hacked Websites

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher, who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.
