February 13, 2018 at
New evidence suggests that malicious attackers have been targeting Android devices for the last few months to affect them with a cryptojacking malware that uses the device to covertly mine monero. This new campaign was discovered by researchers from the cybersecurity firm, Malwarebytes. This campaign, which researchers have dubbed a drive-by cryptojacking campaign has been active ever since November 2017.
How the campaign works
This campaign operates by the victim being redirected to a certain webpage that installs the malware in the victim’s browser which is in turn used to mine monero without the affected device owner’s knowledge.
Before visitors are redirected, they are requested to solve a CAPTCHA code to prove that they are not a bot.
The CAPTCHA code is usually accompanied with a message that states that their device is demonstrating suspicious behavior and subsequently requests that the user should verify themselves using the CAPTCHA code. Surprisingly the warning message adds that the browser will use the visitor’s device to mine monero until they have verified themselves.
However, in the few seconds that it takes for the visitor to solve the CAPTCHA code, the website infects the used device with a cryptojacking malware that will keep running in the background without the device owner’s knowledge. If left running long enough, this malware could have potentially damaging effects on the device.
What the research says
In a recent blog post that was authored by Malwarebytes’ lead malware intelligence analyst, Jerome Segura, this malware will remain active until such time that the victim enters code w3FaSO5R and press “continue” on their affected device.
Once the code is entered, the user will be redirected to their browser home page.
According to researchers, victims will likely be presented with this redirection either via casual browsing session or through infected ads or apps.
The blog post states that this campaign has likely been designed to target low hanging fruit in terms of traffic, such as bots, however, it is possible that millions of real users have fallen victim to this elaborate cryptojacking hack.
So far researchers have identified five different domains which all carry the same CAPTCHA code, however, each domain uses a different CoinHive site key. What makes the scope of this attack worrisome is that two affected domains, in particular, had over 30 million visits in the last month alone. All five domains received a combined daily average of 800,000 visits.
Segura stated that there are likely more affected domains out there. The analyst added that it is impossible to estimate how much monero this campaign has yielded, but considering the cryptocurrency low hash rate, it is unlikely that this campaign has made the responsible hackers more than a few thousand dollars per month.
However, Segura cautioned that similar attacks are likely to become popular in the next few months.
The rise of cryptojacking attacks
There has been a rapid increase in cryptojacking attacks in the last few months as most cryptocurrencies, including monero, experience a price increase. Most attacks took the form of a malware attack that is browser-based.
According to Segura, the attacks started by targeting desktops or PCs, but these attacks have since evolved to include personal devices such as smartphones and tablets.
Last weekend, another cryptojacking campaign has been discovered which targeted websites that use the popular plugin BrowseAloud. The plugin was discovered to have been compromised and it affected the visitors of over 4,000 different websites including governmental websites.