Threat Management, Threat Management, Malware

Millions of machines download XMRig cryptominer after users click on devious links

A newly discovered malicious URL redirection campaign that infects users with the XMRig Monero cryptocurrency miner has already victimized users between 15 and 30 million times, researchers have reported.

Operating for less than five months, the campaign has particularly hit hard countries in southeast Asia, northern Africa and South America, according to a Jan. 24 blog post from Palo Alto Networks' Unit 42 threat research team. Telemetry data indicates that over 3.5 million victims are based in Thailand alone, with Vietnam (more than 1.8 million) and Egypt (roughly 1.1 million) the next most frequently attacked geographic targets.

The attacks are generally carried out by combining redirection services with the URL shortener Bitly, in order to present deceitful malvertising links on various legitimate websites. These advertisements were delivered via Adfly, an ad-based redirection service.

"It appears that Adfly is the method of distribution to unwitting users, while Bitly is being abused by the malware authors to eventually download XMRig," explained Christopher Budd, senior threat communications manager at Palo Alto, in an email interview with SC Media. (Budd noted that, upon disclosure, Bitly removed the offending URLs in timely fashion.)

Website visitors who click on these shortened links believe they are downloading advertised files, updates or services (e.g. file sharing services), but they are actually being redirected to another domain that use a infection chain to download XMRig, a legitimate mining tool that in this case is being used unethically to secretly harness victims' processing power.

The infection process typically starts with the downloading of a malicious executable that in turn drops a VBS and LNK file (the latter for persistence). The VBS file then leverages various HTTP redirection services (prior to Oct. 20, 2017, it was leveraging Microsoft Windows' BITSAdmin tool) to download and execute another remote VBS file. This secondary VBS file fingerprints the infected machine and then installs the appropriate version of XMRig.

Researchers have already identified over 250 unique Windows-based executables used in this campaign, more than half of which were downloaded from 4sync, an online cloud storage provider. In addition to executing the cryptominer via VBS files, the malware also uses XMRig proxy services to hide the mining pool destination and uses Nicehash, a marketplace that connects customers who wish to buy or sell hashing processing power.

Because Bitly clicks can be tracked, Unit 42 researchers were able to identify roughly 15 million redirections as a result of this campaign. However, fewer than half of the observed XMRig campaign samples use bitly, leading Palo Alto researchers to conclude that the actual number of malicious redirects is likely closer to 30 million.

"Monero mining campaigns are certainly not a new development... However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time," wrote blog post author and Palo Alto threat intelligence analyst Josh Grunzweig. "By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale."

In a separate blog post published today, Unit 42 revealed that the Iran-linked APT group known as OilRig clandestinely installed an Internet Information Services (IIS) backdoor called RGDoor on the web servers of eight Middle Eastern government organizations, as well as one financial institution and one educational institution.

The researchers believe the backdoor was installed as an insurance measure in case these institutions discovered that they had been previously compromised and infected with a malicious webshell called TwoFace. In such a scenario, the attackers would still have access to the webservers, even if TwoFace was removed.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.