The EITest campaign’s main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or . In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.
Figure 1: Timeline of observed Coinhive-related traffic
Note: We saw that ElTest started incorporating cryptocurrency mining on September 19 (highlighted).
Figure 2: Country distribution of EITest’s tech support scam
When a user accesses one of the compromised websites, the website first identifies the browser type via User-Agent information through the HTTP request. It then injects a phishing script directly into the webpage if the user’s browser is Chrome. Our initial tests show that the attack doesn’t affect Firefox.
The phishing script is coded to notify the user to download the Hoefler Text font to properly display the page, but it actually downloads a malicious executable file. EITest takes this up a notch: If the user’s browser is Internet Explorer, he is redirected to a tech support phishing page containing the Coinhive Monero-mining JS script. Below is the snapshot of the malicious script that diverts the user to a traffic direction system (TDS)—a tool that manages redirection of traffic—that then reroutes to the tech support scam website.
The tech support scam webpage poses as a legitimate Microsoft Windows notification, alerting victims that the system has been infected with malware. It will prod the user to call their “technical department” to resolve the issue. Behind the scenes, however, the webpage will load script from Coinhive’s server and launch a JS cryptocurrency miner. Users won’t notice that their system has been affected apart from system lags or performance issues.
Indeed, cybercriminal cryptocurrency mining is gaining traction because it’s an apparent non-zero-sum game. Bad guys can profit even if they don’t invest much on creating their own malware—they can just misuse existing grayware. It also gives them the pseudonymity to keep law enforcement away from their activities.
For end users, however, the impact isn’t just about system wear-and-tear or performance issues. From January 1 to June 24, for instance, our sensors noted that 20% of cryptocurrency-mining activities entailed web- and network-based attacks. From cross-site scripting and remote code execution to brute force attacks and SQL injection, intrusive and malicious cryptocurrency mining can threaten the availability and security of a network or system, and the data stored on them. Worse, victims become part of the problem.
Follow best practices to mitigate cryptocurrency-mining-related attacks. Regularly update and patch your system (including your browsers) and be more prudent against socially engineered attack vectors such as suspicious websites and email attachments. You can consider using JS-blocking applications to prevent scripts like Coinhive’s from running. There’s also a silver lining. Given the nature of Coinhive’s Monero-mining script, it has no persistence mechanism—closing the website/browser will stop the script from running.
Trend Micro Solutions
Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring and application control that minimize the impact of this threat.
Indicators of Compromise:
Domains and IP address related to the TDS Server:
Domain and IP addresses related to the tech support scam:
With additional insights/analysis from Samuel P. Wang