Only a few days ago, we released a write-up about hackers using compromised websites for bitcoin mining. Just recently we responded to another hacking incident that uses the website visitor’s computer for bitcoin mining.
Bitcoin mining is primarily a means of earning commission on bitcoin transactions. Here is a simplistic explanation of what bitcoin mining is and why hackers want to use your site’s visitors' computers. Each time a bitcoin is bought, traded or sold, a record of the transaction must be created. The purpose of the transaction record is to ensure that bitcoins cannot be counterfeited. There is no single or centralized “record keeper”; transaction records are generated by computers that are required to solve math problems. The first computer to solve the problem correctly creates the record, and the owner of that computer is paid a very lucrative commission.
The competition to be “the one to solve the problem first” has led to the creation of machines that are specifically designed for bitcoin mining. These machines perform the computations required to win orders of magnitude faster than any desktop computer can. They also consume a lot of power, and the electricity bills can get quite high.
Your website is a lucrative target for hackers
Instead of using an extremely fast computer, hundreds of regular computers can be used simultaneously. If a hacker can make your computer work in parallel with hundreds or thousands of other computers, they can meet or exceed the number of calculations per microsecond that a single high-power machine can provide. The hackers also do not have to pay for the electricity. These reasons make your website a desirable target for bitcoin mining malware attacks. Most sites are exploited through the use of automation; it costs almost nothing to compromise a vulnerable website. The problem for your visitors is that it makes their computers very slow: most of the CPU cycles of their machines will be used for mining instead of anything else.
Bitcoin mining malware analysis
So now that we know the motivation of the hackers, let’s dig into the code and find out how the hacker’s code works, so that you can understand how to protect yourself.
Hackers compromise the header file of the website and inject the code that is shown below:
The code screens the visitors’ computers to see if they are bots coming from search engine indexers. If the visitor is determined to be a search engine indexer, then the caches.php file will continue to load the site as intended. The code below shows what the caches.php file looks like.
Note that the last part of the script (in white) above is obfuscated using base64 encoding. You can use our free malware decoder to get the decoded malware code: https://malwaredecoder.com/
Once we de-obfuscate the code we can see what the real intent of the code is:
This code is executed in the visitor’s browser and initiates four mining threads that consume most of the CPU power.
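As an added example (not the post’s code and not Quttera’s signatures), the scan below looks for the pattern just described from the site owner’s side: a crawler user-agent gate that hides the payload from search engine indexers, followed by a base64 tail that decodes to a browser-side script starting a multi-threaded miner. The sample `caches.php` text and the `ExampleMiner` payload are constructed placeholders, and the regexes are assumed heuristics.

```python
import base64
import binascii
import re

# Constructed sample mimicking the injected caches.php the post describes:
# indexers get the site as intended, everyone else gets the base64 tail.
# The decoded payload is a harmless placeholder with the same shape
# (constructor, start call, thread count), not real miner code.
PLACEHOLDER_PAYLOAD = (
    "<script>var m = new ExampleMiner('PLACEHOLDER-KEY');"
    "m.start({threads: 4});</script>"
)
SAMPLE_CACHES_PHP = (
    "<?php\n"
    "$ua = strtolower($_SERVER['HTTP_USER_AGENT']);\n"
    "if (preg_match('/googlebot|bingbot|slurp/', $ua)) { return; }\n"
    "echo base64_decode('"
    + base64.b64encode(PLACEHOLDER_PAYLOAD.encode()).decode()
    + "');\n"
)

BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs
GATE_RE = re.compile(r"googlebot|bingbot|slurp|crawler|spider", re.I)
MINER_RE = re.compile(r"\.start\s*\(|threads\s*:\s*\d+|miner", re.I)
THREADS_RE = re.compile(r"threads\s*:\s*(\d+)", re.I)


def decode_blobs(text):
    """Return the decoded text of every long base64 run that yields printable data."""
    out = []
    for blob in BLOB_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary: skip
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            out.append(decoded)
    return out


def scan(text):
    """Heuristic verdict: a decoded blob with mining markers is suspicious;
    a crawler gate in the same file explains why indexers never see it."""
    hits = [d for d in decode_blobs(text) if MINER_RE.search(d)]
    threads = None
    for d in hits:
        m = THREADS_RE.search(d)
        if m:
            threads = int(m.group(1))
    return {
        "crawler_gate": bool(GATE_RE.search(text)),
        "miner_blobs": hits,
        "threads": threads,
        "suspicious": bool(hits),
    }
```

Because of the user-agent gate, fetching the page with a crawler-like user agent will show clean output; scan the files on disk (or fetch with a regular browser user agent) instead.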
The drain of the visitor’s computer resources makes it seem as if it is your website that has the problem. Your website will appear to respond very slowly.
During this incident response, we discovered that the software being used is sold commercially for website monetization. Although in some places this is considered legal, we at Quttera treat it as malicious and condemn such practice. Other security vendors may flag your website as unsafe if such code is present, and it can be challenging to regain visitors’ trust once this happens. Also, with the Internet of Things (IoT) on the rise, it can be expected that internet-connected IoT devices will be exploited for cryptocurrency mining, making this type of malicious activity even more dangerous.
Secure your website from bitcoin hacking and any other malware types with ThreatSign - choose a website security plan that fits your needs. If you’re not sure which plan to select, contact us and let us help you to choose the best cyber security protection for your business.