Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize Thesaurus, one of the well-known platforms with 5 million monthly visitors.
Cybersecurity analysts at Group-IB recently found a cryptojacking scheme on a popular Thesaurus site, infecting visitors with malware to mine cryptocurrency and potentially deploy more harmful software.
Group-IB’s 24/7 monitoring spotted malicious archives flagged by Group-IB MXDR, revealing a surge in malware across multiple customer companies with unusual archive names like ‘chromium-patch-nightly.00.[0-9]{3}.[0-9]{3}.zip.’
However, the commonality suggested a shared source and unconventional attack.
Cryptojacking Campaign
The malicious archives were sent to Group-IB’s Malware Detonation Platform, where they were analyzed in a secure virtual environment. The archives contained a dropper installing XMRig Coinminer, used for Monero cryptocurrency mining, known for its anonymity features.
Analysts used MXDR’s EDR module to pinpoint the archive source, discovering they were downloaded to the Downloads folder on affected workstations.
Since the Downloads folder is commonly used for downloads, specialists examined browser history using a built-in Group-IB EDR feature, extracting artifacts to trace the malicious sample’s source.
Group-IB analysts traced a sneaky infection chain, where visiting the thesaurus website led to automatic malicious archive downloads. Intriguingly, the mischief avoided the antonyms section.
After analyzing with Group-IB Malware Detonation, they checked for dropper activity using Header.ImageFileName filter, finding traces but no actual launch.
Group-IB found no host launches for the downloaded dropper and promptly alerted customers, offering context and prevention tips in the MXDR system’s incident comments section.
Confirmation from the Malware Detonation Platform instantly neutralizes the threat of the archived file, with Group-IB MXDR’s EDR agent auto-blocking and quarantining malicious files. It also shares malicious file hashes, impacting other customers’ blocklists, even if they never had the file.
Millions trusted the renowned thesaurus site, but it housed a miner, exposing the myth that popular sites are safe. Threat actors used well-known tactics, including drive-by downloads and social engineering via a fake error page.
Here below we have mentioned all the recommendations:-
Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every second,…
The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks from…
Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers can…
Researchers have discovered a new Android banking trojan targeting Indian users, and this malware disguises…
Bulletproof hosting services, a type of dark internet service provider, offer infrastructure to cybercriminals, facilitating…
United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria to…