Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize Thesaurus, one of the well-known platforms with 5 million monthly visitors.

Cybersecurity analysts at Group-IB recently found a cryptojacking scheme on a popular Thesaurus site, infecting visitors with malware to mine cryptocurrency and potentially deploy more harmful software.

Group-IB’s 24/7 monitoring spotted malicious archives flagged by Group-IB MXDR, revealing a surge in malware across multiple customer companies with unusual archive names like ‘chromium-patch-nightly.00.[0-9]{3}.[0-9]{3}.zip.’ 

However, the commonality suggested a shared source and unconventional attack.

Cryptojacking Campaign

The malicious archives were sent to Group-IB’s Malware Detonation Platform, where they were analyzed in a secure virtual environment. The archives contained a dropper installing XMRig Coinminer, used for Monero cryptocurrency mining, known for its anonymity features.

Analysts used MXDR’s EDR module to pinpoint the archive source, discovering they were downloaded to the Downloads folder on affected workstations.

Since the Downloads folder is commonly used for downloads, specialists examined browser history using a built-in Group-IB EDR feature, extracting artifacts to trace the malicious sample’s source.

Group-IB analysts traced a sneaky infection chain, where visiting the thesaurus website led to automatic malicious archive downloads. Intriguingly, the mischief avoided the antonyms section. 

After analyzing with Group-IB Malware Detonation, they checked for dropper activity using Header.ImageFileName filter, finding traces but no actual launch.

Group-IB found no host launches for the downloaded dropper and promptly alerted customers, offering context and prevention tips in the MXDR system’s incident comments section.

Confirmation from the Malware Detonation Platform instantly neutralizes the threat of the archived file, with Group-IB MXDR’s EDR agent auto-blocking and quarantining malicious files. It also shares malicious file hashes, impacting other customers’ blocklists, even if they never had the file.

Millions trusted the renowned thesaurus site, but it housed a miner, exposing the myth that popular sites are safe. Threat actors used well-known tactics, including drive-by downloads and social engineering via a fake error page.

Recommendations

Here below we have mentioned all the recommendations:-

• Make sure to keep the operating system and other software updated.
• Always stick to official sources for software and updates.
• Monitor workstation resource usage for cryptominer signs through Task Manager or similar tools when CPU/GPU usage spikes unusually.
• Employ EDR solutions to stop malicious downloads and prevent attacks at the earliest stage.
• Safely analyze suspicious files with advanced Malware Detonation Platforms.