Cryptocurrency miners are some of the most dangerous malware that are currently being directed against targets worldwide. Attack campaigns carrying them have the capability of causing much damage to the target hosts. A recent uncovered exploit has led to the discovery that government sites around the world have been infected by cryptocurrency miners of different types.
Cryptocurrency Miners Infection Mechanism
The primary way of getting infected with this type of threat is the redirection to malware sites. The criminals insert dangerous scripts into the sites and attempt to use different tactics in order to lead the users into infecting themselves. One of the popular techniques is the creation of malware sites that contain links to the malware executables. In the past few months malware scripts are directly embedded in the site’s code and run via the browser instances.
In other cases the cryptocurrency miner code can be embedded using email messages. They can be customized using different tactics depending on the target end users. The first type is the use of email attachments. Using appropriate social engineering body contents text the hackers attempt to manipulate the targets into opening them. Another option would be to insert malware hyperlinks that redirect the users to malware hosted instances. The criminals can also opt to use two other strategies that deliver the executable files to the intended targets.
Malware software installers represent hacker-modified copies of the legitimate files. Free or trial versions of popular software are taken from their official download sites and modified to include dangerous code. They are then distributed on malware sites and through email spam messages. In a similar way infected documents are the other possibility that relies on vulnerable macros inserted into them. Upon execution the victims will see a notification prompt that asks them to run the built-in scripts. If this is done the virus infection follows.
The ongoing attack infection behind the government cryptocurrency attacks seem to originate from the use of malware scripts. The criminals behind the campaign have used a browser hijacker plugin made compatible with the most popular web browsers (Mozilla Firefox, Safari, Google Chrome, Internet Explorer, Microsoft Edge and Opera). They are usually distributed on the official repositories and utilize fake developer credentials and user reviews to manipulate the victims into using them.
The infection route in this example is the distribution of a fake plugin called Browser Aloud which is being advertised by a company called Texthelp Limited. The site loads a specific Javascript code that is able to read text aloud. And while the service itself is not malicious it has been infiltrated by computer hackers that were able to hijack the code.
Cryptocurrency Miners Route of Infections
The affected government sites have been found to utilize the Browse Aloud extension as part of their service to users. Loading the relevant code from the external source has led to the mass deployment of cryptocurrency miners. As soon as the infections have been reported in the security community an in-depth investigation has been initiated. At the moment no other malware activity has been detected coming from the site. Like other related threats it aims to make use of the available computer resources in order to generate income by processing complex operations. And unlike other similar threats it limits the amount of processing power that is hijacked.
At the moment the security experts discovered that government sites around the world have fallen victim to the infections. The ongoing analysis shows that affected pages are part of the official sites of the following institutions:
- US Courts (US)
- General Medical Council (UK)
- National Health Service (UK)
- Manchester City Council (UK)
- Queensland Government (AU)
- Information Commissioner’s Office (UK)
Computer users can check if they have become victim of miner software by downloading a quality anti-malware scanner.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: