Monday, November 25, 2024
HomeCryptocurrency hackMalware Abuse Google Ads to Injecting Coinhive Cryptocurrency Miner

Malware Abuse Google Ads to Injecting Coinhive Cryptocurrency Miner

Published on

Cyber Criminals using Malvertising Campaign to inject coinhive Cryptocurrency Miner using Google DoubleClick Ads and deployed it on legitimate websites.

coinhive is a Cryptocurrency miner that mainly using Javascript to the mine cryptocurrency like Menero that runs on user systems while they visit a website.

Attackers now Abusing google DoubleClick ads and running Malvertising Champaign into high traffic website to run the coinhive crypto miner and other web-based miners that connect to some private tools.

- Advertisement - SIEM as a Service

This Malware detected as JS_COINHIVE.GN and it mainly affected countries include Japan, France, Taiwan, Italy, and Spain.

Security researchers had a close look at 5 malicious domain where the traffic has dramatically increased and finally they confirmed that the traffic coming from DoubleClick advertisements.

Also, There are 2 web miners scripts are running in the malicious webpage and the script displays in the advertisement from DoubleClick.

These affected web pages are showing legitimate Google ads at the time of two web miners performing their task.

Also Read: Coincheck Cryptocurrency Exchange Hacked & Stolen More than $500 Million Worth Currency

How does  Coinhive Cryptocurrency Miner Works

Google Doubleclick advertisement contains javascript code that can generate a random code form 1 to 101.

When Random numbers generate a variable and it will be more than 10, then it will call the script called coinhive.min.js.

It will help to mine almost 80% of CPU Power and later a private web miner will be launched.

According to Trend Micro, after de-obfuscating the private web miner called mqoj_1.js, there will be a JavaScript code that is still based on Cognitive. The modified web miner will use a different mining pool at wss[:]//ws[.]l33tsite[.]info[:]8443. This is done to avoid Coinhive’s 30% commission fee.

So Blocking the JavaScript-based applications from running on browsers can prevent Coinhive miners from using CPU resources.

IOC

SHA256

e72737a8cf29eeae795a3918e56c07b4efa2e9ce241ec56053d6a95f878be231
296d081b6b0a6d1a09b5c54c35392a4d2ea0bec9a0c99e6351374628b713d8ed

 

Malicious domainsAttribution
doubleclick1[.]xyzMalvertising Domain
doubleclick2[.]xyzMalvertising Domain
doubleclick3[.]xyzMalvertising Domain
doubleclick4[.]xyzMalvertising Domain
doubleclick5[.]xyzMalvertising Domain
doubleclick6[.]xyzMalvertising Domain
api[.]l33tsite[.]infoPrivate Webminer Domain
ws[.]l33tsite[.]infoPrivate Webminer Domain

 

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their...

Critical Atlassian Vulnerability Exploited To Connect Servers In Mining Networks

Hackers usually shift their attention towards Atlassian due to flaws in its software, especially...