InfoSec researchers recently discovered a massive cryptojacking campaign in the wild. A bad actor has been exploiting a vulnerability in MikroTik routers to hijack the networks behind them for cryptocurrency mining. While compromised routers have been found in other countries, the attacks are concentrated mainly in Brazil, where as many as 200,000 routers have been detected serving the malicious cryptojacking script.
Tweet by MalwareHunterBR showing the proliferation of the malicious CoinHive script
Cryptojacking is the act of running cryptomining software on someone else's computer or server without their consent. Mining cryptocurrency requires a significant amount of processing power and electricity. By planting a miner on a third party's system, the attacker has the victim's processing resources mine cryptocurrency on the attacker's behalf, while the victim bears the cost: slower performance, potential wear on hardware, and a higher electricity bill.
The vector used by the attacker was a previously patched vulnerability in MikroTik routers, so only routers that had not been updated with the patch were exploitable. The vulnerability allows an unauthenticated remote attacker to extract the router's database containing its login credentials. Once the attacker has access to a MikroTik router, the router is reconfigured to serve a script containing the CoinHive browser-based cryptominer. The broad scope of the campaign is due to many businesses and Internet Service Providers (ISPs) using MikroTik routers as part of their infrastructure, so a single compromised device can affect every user and server behind it.
CoinHive script on custom error page. Source: Trustwave
The cryptojacking attack affects both users and web servers connected through a compromised router. A user whose traffic passes through an infected router has the CoinHive script loaded into every web page they visit, delivered through the router's custom error page. A web server hosted behind an infected router has the same script injected into the responses it serves. This means the campaign does not only affect users connected through an infected router, but anyone, anywhere, who visits a website hosted in a compromised network.
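A practical consequence of the mechanism just described is that the injected miner looks the same on every page, regardless of which site served it. The following detector, added here as an example and not code from the original article or from Trustwave, scans HTTP response bodies for a CoinHive loader and site key, and then flags any site key that shows up across several unrelated hosts: a site owner who mines on their own pages uses their own key on their own domain, whereas one key appearing on pages from many different hosts is the signature of injection on the network path. The sample pages and the site key are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample responses, as a browser behind a compromised router
# would receive them. Not real captures; the site key is made up.
SAMPLES = {
    "shop.example": """<html><head><title>Shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCd');m.start();</script>
</head><body>Welcome</body></html>""",
    "news.example": """<html><head><title>News</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCd');m.start();</script>
</head><body>Headlines</body></html>""",
    "blog.example": """<html><head><title>Blog</title></head><body>Hello</body></html>""",
}

# <script ... src="...coinhive..."> : the miner library being loaded.
MINER_SRC_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']([^"']*coinhive[^"']*)["']""", re.I)

# new CoinHive.Anonymous('<site key>') / CoinHive.User('<site key>', ...):
# the key identifies the account the hashes are credited to.
SITE_KEY_RE = re.compile(
    r"""CoinHive\.(?:Anonymous|User)\(\s*["']([A-Za-z0-9]{16,})["']""")


def scan_html(body):
    """Return (miner script URLs, site keys) found in one response body."""
    return MINER_SRC_RE.findall(body), SITE_KEY_RE.findall(body)


def is_mining(body):
    """True if the page loads the miner library or instantiates a miner."""
    srcs, keys = scan_html(body)
    return bool(srcs or keys)


def shared_site_keys(pages, min_hosts=2):
    """Map site key -> sorted list of hosts, keeping only keys seen on at
    least min_hosts distinct hosts. A key shared by unrelated sites points
    to injection on the path (a compromised router or proxy) rather than
    to each site owner mining for themselves."""
    hosts_by_key = defaultdict(set)
    for host, body in pages.items():
        for key in scan_html(body)[1]:
            hosts_by_key[key].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for host, body in SAMPLES.items():
        print(f"{host}: {'MINER' if is_mining(body) else 'clean'}")
    for key, hosts in shared_site_keys(SAMPLES).items():
        print(f"site key {key} injected on {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the bodies would come from a crawl run from inside the suspect network (for the user-side case) or from outside against sites hosted behind the router (for the server-side case); the second check only becomes meaningful once pages from more than one host have been collected.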
Cryptojacking has been growing in popularity as a tool for illegal profit. It is more subtle than other malware and shows few explicit signs beyond reduced system speed and performance. It is not only used by attackers who inject malicious code into a system; websites also run cryptomining scripts as an alternative to advertising for generating revenue. The problem is that a vast number of these websites do not disclose it to their users. We can expect to see more campaigns of this type in the future.