First
Recently, reports on web mining from ESET, Sucuri and Malwarebytes were released. Drive-by download is not as strong as before, but drive-by mining is trying to rise. Drive-by mining has two patterns: tampering with general websites, and malvertising. Similar traffic was also observed in my traffic observation environment. I noticed that there are several campaigns, and one of them is very interesting. I show a simple report about it.
Traffic Analysis
The entrance is a general website. This website was loading advertisements, which is how the malvertising gets in. In this website, this code was loaded.
For "code[.]moviead55[.]ru", you can refer to the ESET report.
"Cryptocurrency web mining: In union there is profit"
But it generated traffic that was slightly different from the report.
The loaded code is simply obfuscated. When it is decoded, after some processing, an iframe is generated.
This iframe loads HTML. That HTML contained this code.
This is the wasm that is being loaded.
convert.js was very similar to code published on GitHub.
Finally, this is the traffic chain.
While accessing it, my CPU was under high load.
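The chain above (entry page, ad script, generated iframe, HTML, wasm miner) is what a defender would want to pull out of proxy logs. The script below is an added example and not code from the original post: it walks the referer chain backwards from every wasm fetch and flags the ones that end on a different host than the page the user actually visited. The log format, hostnames and paths are constructed placeholders.

```python
"""Reconstruct drive-by mining traffic chains from proxy log lines.

Added example, not from the original post. The log format
("ts client method url referer content-type") and every hostname and
path below are constructed to mirror the chain the post describes:
entry page -> ad loader -> generated iframe -> HTML -> wasm miner.
"""
from urllib.parse import urlparse

# Constructed sample log: client 10.0.0.5 hits the mining chain,
# client 10.0.0.7 only loads the site's own script.
SAMPLE_LOG = """\
1 10.0.0.5 GET http://example-news.test/ - text/html
2 10.0.0.5 GET http://ads.example-adnet.test/loader.js http://example-news.test/ application/javascript
3 10.0.0.5 GET http://ads.example-adnet.test/frame.html http://example-news.test/ text/html
4 10.0.0.5 GET http://miner.example-cdn.test/convert.js http://ads.example-adnet.test/frame.html application/javascript
5 10.0.0.5 GET http://miner.example-cdn.test/worker.wasm http://ads.example-adnet.test/frame.html application/wasm
6 10.0.0.7 GET http://example-news.test/ - text/html
7 10.0.0.7 GET http://example-news.test/site.js http://example-news.test/ application/javascript
"""


def parse_log(text):
    """Parse whitespace-separated log lines into records; '-' means no referer."""
    records = []
    for line in text.strip().splitlines():
        ts, client, method, url, referer, ctype = line.split()
        records.append({"ts": int(ts), "client": client, "method": method,
                        "url": url, "referer": None if referer == "-" else referer,
                        "ctype": ctype})
    return records


def referer_chain(records, target):
    """Follow referers backwards from `target` within the same client's session.

    Each hop picks the most recent earlier request for the referer URL, so the
    result runs from the page the user opened to the final fetched resource.
    """
    same_client = [r for r in records if r["client"] == target["client"]]
    chain = [target["url"]]
    seen = {target["url"]}
    current = target
    while current["referer"] and current["referer"] not in seen:
        parents = [r for r in same_client
                   if r["url"] == current["referer"] and r["ts"] < current["ts"]]
        if not parents:
            break
        current = max(parents, key=lambda r: r["ts"])
        seen.add(current["url"])
        chain.append(current["url"])
    return list(reversed(chain))


def is_wasm(record):
    """WebAssembly either by declared content-type or by file extension."""
    return (record["ctype"] == "application/wasm"
            or urlparse(record["url"]).path.endswith(".wasm"))


def find_mining_chains(records):
    """Return one finding per wasm fetch, with its chain and third-party flags."""
    findings = []
    for r in records:
        if not is_wasm(r):
            continue
        chain = referer_chain(records, r)
        hosts = [urlparse(u).hostname for u in chain]
        findings.append({
            "client": r["client"],
            "chain": chain,
            # wasm served from a host other than the page the user visited
            "third_party_wasm": hosts[-1] != hosts[0],
            # number of distinct hosts involved; 3 here = site, ad network, miner
            "hosts_in_chain": len(set(hosts)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_mining_chains(parse_log(SAMPLE_LOG)):
        print(finding["client"], "third_party_wasm=%s" % finding["third_party_wasm"])
        print("  " + " -> ".join(finding["chain"]))
```

On the sample log this reports a single chain for 10.0.0.5 spanning three hosts, which is the shape of the traffic described above; the second client never fetches wasm and produces no finding. In a real environment the wasm fetch alone is not proof of mining, so the chain and the sustained CPU load are what turn it into an alert.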