Cryptojacking Campaign Infected Online Thesaurus With Over 5 Million Visitors

Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize Thesaurus, one of the well-known platforms with 5 million monthly visitors.

Cybersecurity analysts at Group-IB recently found a cryptojacking scheme on a popular Thesaurus site, infecting visitors with malware to mine cryptocurrency and potentially deploy more harmful software.

Group-IB’s 24/7 monitoring spotted malicious archives flagged by Group-IB MXDR, revealing a surge in malware across multiple customer companies with unusual archive names like ‘chromium-patch-nightly.00.[0-9]{3}.[0-9]{3}.zip.’ 

However, the commonality suggested a shared source and unconventional attack.

Cryptojacking Campaign

The malicious archives were sent to Group-IB’s Malware Detonation Platform, where they were analyzed in a secure virtual environment. The archives contained a dropper installing XMRig Coinminer, used for Monero cryptocurrency mining, known for its anonymity features.

Analysts used MXDR’s EDR module to pinpoint the archive source, discovering they were downloaded to the Downloads folder on affected workstations.

Full path to the downloaded archive (Source – Group-IB)

Since the Downloads folder is commonly used for downloads, specialists examined browser history using a built-in Group-IB EDR feature, extracting artifacts to trace the malicious sample’s source.

Forensic data collection (Source – Group-IB)

Group-IB analysts traced a sneaky infection chain, where visiting the thesaurus website led to automatic malicious archive downloads. Intriguingly, the mischief avoided the antonyms section. 

After analyzing with Group-IB Malware Detonation, they checked for dropper activity using Header.ImageFileName filter, finding traces but no actual launch.

Group-IB found no host launches for the downloaded dropper and promptly alerted customers, offering context and prevention tips in the MXDR system’s incident comments section.

Specialist’s comment (Source – Group-IB)

Confirmation from the Malware Detonation Platform instantly neutralizes the threat of the archived file, with Group-IB MXDR’s EDR agent auto-blocking and quarantining malicious files. It also shares malicious file hashes, impacting other customers’ blocklists, even if they never had the file.

Millions trusted the renowned thesaurus site, but it housed a miner, exposing the myth that popular sites are safe. Threat actors used well-known tactics, including drive-by downloads and social engineering via a fake error page.

Recommendations

Here below we have mentioned all the recommendations:-

  • Make sure to keep the operating system and other software updated.
  • Always stick to official sources for software and updates.
  • Monitor workstation resource usage for cryptominer signs through Task Manager or similar tools when CPU/GPU usage spikes unusually.
  • Employ EDR solutions to stop malicious downloads and prevent attacks at the earliest stage.
  • Safely analyze suspicious files with advanced Malware Detonation Platforms.
Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every second,…

10 hours ago

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks from…

11 hours ago

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers can…

11 hours ago

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware disguises…

11 hours ago

New Research Uncovered Dark Internet Service Providers Used For Hacking

Bulletproof hosting services, a type of dark internet service provider, offer infrastructure to cybercriminals, facilitating…

11 hours ago

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria to…

2 days ago