Millions of Android Users Hacked by Dangerous Drive-by Cryptomining Attack to Mine Monero

A newly discovered Cryptoming campaign called Drive-by Cryptomining targeted million of Android user to mine Monerocoins and this campaign Started around November 2017 using different type of malicious domain.

A Malicious lucrative Payload’s are distributing from a particular hacking group that mainly abusing android users device to mine the Monero Cryptocurrency.

Past few year Crypto currency mining is a very easy method for cyber criminals to Generating the huge revenue by hijacking the Web- browser and injecting the malicious script and taking control of the CPU Usage from the Victims.

Drive-by Cryptomining is an automated process without user interaction, it drives into victims device and silently processing its mining operation.

How Does this  Drive-by Cryptomining Redirecting Users

In this case, when users visiting the attacker website, it provides fake notification that claimed as “your device showing suspicious surfing Behaviour” and gives a CAPTCHA to solve in order to prove that they aren’t bots and user urged to resolve the ON.

Once users resolve the CAPTCHA by providing the code and press continue, suddenly user devices will be mining Monero at full speed and use complete processor speed of the device.

Researchers analyzing the code behind of this operation revealed that, it redirects to google page and make users believe that they are not a bot.

According to Malwarebytes, It’s possible that this particular campaign is going after low quality traffic—but not necessarily bots —and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

There are many domains that use the same CAPTCHA code to mine Menero and the very first domain was registered on Nov 2017.

Domain name, registration date

• recycloped[.]com 2017-11-22
• rcyclmnr[].com 2017-12-01
• rcylpd[.]com 2018-01-03
• rcyclmnrepv[.]com 2018-01-17
• rcyclmnrprd[.]com 2018-01-17
• rcyclmnrhgntry[.]com 2018-01-22

Apart from this few domains traffic are rising extremely high within a short period of time and each domain daily visitors estimated as 8,00,000 visitors per day and more than 30 Million visitors per month.

“It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month”. Malwarebytes said.

Indicators of compromise

Domains:

rcyclmnr[].com
rcylpd[.]com
recycloped[.]com
rcyclmnrhgntry[.]com
rcyclmnrprd[.]com
rcyclmnrepv[.]com

Referring websites (please note that they should not be necessarily considered malicious):

panelsave[.]com
offerreality[.]com
thewise[.]com
go.bestmobiworld[.]com
questionfly[.]com
goldoffer[.]online
exdynsrv[.]com
thewhizmarketing[.]com
laserveradedomaina[.]com
thewhizproducts[.]com
smartoffer[.]site
formulawire[.]com
machieved[.]com
wtm.monitoringservice[.]co
traffic.tc-clicks[.]com
stonecalcom[.]com
nametraff[.]com
becanium[.]com
afflow.18-plus[.]net
serie-vostfr[.]com
pertholin[.]com
yrdrtzmsmt[.]com
yrdrtzmsmt.com
traffic.tc-clicks[.]com

Conhive site keys:

gufKH0i0u47VVmUMCga8oNnjRKi1EbxL
P3IN11cxuF4kf2kviM1a7MntCPu00WTG
zEqkQef50Irljpr1X3BqbHdGjMWnNyCd
rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq