Cyber Criminals using Malvertising Campaign to inject coinhive Cryptocurrency Miner using Google DoubleClick Ads and deployed it on legitimate websites.
coinhive is a Cryptocurrency miner that mainly using Javascript to the mine cryptocurrency like Menero that runs on user systems while they visit a website.
Attackers now Abusing google DoubleClick ads and running Malvertising Champaign into high traffic website to run the coinhive crypto miner and other web-based miners that connect to some private tools.
This Malware detected as JS_COINHIVE.GN and it mainly affected countries include Japan, France, Taiwan, Italy, and Spain.
Security researchers had a close look at 5 malicious domain where the traffic has dramatically increased and finally they confirmed that the traffic coming from DoubleClick advertisements.
Also, There are 2 web miners scripts are running in the malicious webpage and the script displays in the advertisement from DoubleClick.
These affected web pages are showing legitimate Google ads at the time of two web miners performing their task.
Also Read: Coincheck Cryptocurrency Exchange Hacked & Stolen More than $500 Million Worth Currency
Google Doubleclick advertisement contains javascript code that can generate a random code form 1 to 101.
When Random numbers generate a variable and it will be more than 10, then it will call the script called coinhive.min.js.
It will help to mine almost 80% of CPU Power and later a private web miner will be launched.
According to Trend Micro, after de-obfuscating the private web miner called mqoj_1.js, there will be a JavaScript code that is still based on Cognitive. The modified web miner will use a different mining pool at wss[:]//ws[.]l33tsite[.]info[:]8443. This is done to avoid Coinhive’s 30% commission fee.
So Blocking the JavaScript-based applications from running on browsers can prevent Coinhive miners from using CPU resources.
SHA256
| e72737a8cf29eeae795a3918e56c07b4efa2e9ce241ec56053d6a95f878be231 |
| 296d081b6b0a6d1a09b5c54c35392a4d2ea0bec9a0c99e6351374628b713d8ed |
| Malicious domains | Attribution |
| doubleclick1[.]xyz | Malvertising Domain |
| doubleclick2[.]xyz | Malvertising Domain |
| doubleclick3[.]xyz | Malvertising Domain |
| doubleclick4[.]xyz | Malvertising Domain |
| doubleclick5[.]xyz | Malvertising Domain |
| doubleclick6[.]xyz | Malvertising Domain |
| api[.]l33tsite[.]info | Private Webminer Domain |
| ws[.]l33tsite[.]info | Private Webminer Domain |
In a recent development, the SPAWNCHIMERA malware family has been identified exploiting the buffer overflow…
A significant vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified, allowing attackers…
Chinese cybersecurity entities have accused the U.S. National Security Agency (NSA) of orchestrating a cyberattack…
The ACRStealer malware, an infostealer disguised as illegal software such as cracks and keygens, has…
A security vulnerability in Nagios XI 2024R1.2.2, tracked as CVE-2024-54961, has been disclosed, allowing unauthenticated…
Ubiquiti Networks has issued an urgent security advisory (Bulletin 046) warning of multiple critical vulnerabilities…
