Thursday, March 28, 2024

Millions of Android Users Hacked by Dangerous Drive-by Cryptomining Attack to Mine Monero

A newly discovered cryptomining campaign, dubbed Drive-by Cryptomining, targeted millions of Android users to mine Monero coins. The campaign started around November 2017 and uses different types of malicious domains.

The malicious, lucrative payloads are distributed by a particular hacking group that mainly abuses Android users' devices to mine the Monero cryptocurrency.

Over the past few years, cryptocurrency mining has become a very easy way for cybercriminals to generate huge revenue by hijacking the web browser, injecting a malicious script and taking control of the victim's CPU usage.

Drive-by cryptomining is an automated process that needs no user interaction: it loads onto the victim's device and silently runs its mining operation.

How Does This Drive-by Cryptomining Redirect Users

In this case, when users visit the attacker's website, it displays a fake notification claiming that “your device showing suspicious surfing Behaviour” and presents a CAPTCHA to solve in order to prove that they aren’t bots; the user is urged to solve it.

Once users solve the CAPTCHA by entering the code and pressing Continue, their devices suddenly start mining Monero at full speed, using the complete processor capacity of the device.

Researchers analyzing the code behind this operation found that it redirects to a Google page to make users believe that they are not a bot.

According to Malwarebytes, it’s possible that this particular campaign is going after low-quality traffic—but not necessarily bots—and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

Many domains use the same CAPTCHA code to mine Monero, and the very first domain was registered in Nov 2017.

Domain name, registration date

Apart from this, traffic to a few of the domains rose extremely sharply within a short period of time, with each domain estimated at 8,00,000 visitors per day and more than 30 million visitors per month.

“It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month,” Malwarebytes said.

Indicators of compromise

Domains:


Referring websites (please note that they should not be necessarily considered malicious):


Coinhive site keys:

gufKH0i0u47VVmUMCga8oNnjRKi1EbxL
P3IN11cxuF4kf2kviM1a7MntCPu00WTG
zEqkQef50Irljpr1X3BqbHdGjMWnNyCd
rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq
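
A defender-side check for the pattern this article describes, added here as an example and not taken from the original article or from Malwarebytes: it scans a page body for the Coinhive miner constructor and the lure wording, extracts the site key, and compares it against a caller-supplied set of campaign keys. The names `scan_page`, `CONSTRUCTED_KEY` and `SAMPLE_HTML`, the `miner.example` host and the placeholder key are assumptions constructed for illustration.

```python
import re

# Coinhive's browser API instantiates a miner with a 32-character site key,
# e.g. new CoinHive.Anonymous('KEY'). Capture the constructor and the key.
MINER_CTOR = re.compile(
    r"CoinHive\s*\.\s*(?:Anonymous|User|Token)\s*\(\s*['\"]([A-Za-z0-9]{32})['\"]"
)
# Any <script src=...> whose URL names the Coinhive library.
LIB_SRC = re.compile(
    r"<script[^>]+src=['\"]([^'\"]*coinhive[^'\"]*\.js)['\"]", re.I
)
# Wording of the fake notification quoted in the article.
LURE = re.compile(r"suspicious\s+surfing\s+behaviou?r", re.I)


def scan_page(html, known_keys=frozenset()):
    """Return findings for one page body (e.g. from a proxy or crawler capture)."""
    keys = sorted({m.group(1) for m in MINER_CTOR.finditer(html)})
    libs = sorted(set(LIB_SRC.findall(html)))
    return {
        "miner_keys": keys,
        "miner_libs": libs,
        "lure_text": bool(LURE.search(html)),
        # Keys that also appear in the caller's IoC list tie the page to a campaign.
        "known_campaign_keys": [k for k in keys if k in known_keys],
        "suspicious": bool(keys or libs),
    }


# Constructed sample input: placeholder key and host, not real indicators.
CONSTRUCTED_KEY = "A" * 16 + "b" * 8 + "0" * 8
SAMPLE_HTML = f"""
<html><body>
<p>Your device is showing suspicious surfing behaviour. Enter the code.</p>
<script src="https://miner.example/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('{CONSTRUCTED_KEY}', {{throttle: 0}});
  miner.start();
</script>
</body></html>
"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML, known_keys={CONSTRUCTED_KEY}))
```

Pass the site keys listed above as `known_keys` to flag captured pages that belong to this campaign; a page that hits on `miner_keys` with an unknown key is still worth reviewing.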
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.