Crypto Mining Website Injection


We’ve seen a campaign that hacks Drupal and other platforms, injecting scripts that run crypto-mining JavaScript on the front page. In one case, it created a block that linked it to all pages. The vector and point of entry are still undetermined, but are believed to be a bug in Drupal 7.

The mining code is JavaScript hosted on https://cdn.nablabee.com. It is encoded to obfuscate the ‘loadMiner’ code, shown in the image below:

The hijacked mining computers are being recruited to mine for the group supportxmr.com. If you use the ‘address’ in ‘payment address’, you’ll find a list of websites running this code, actively contributing to the hackers’ project.

We recommend a Website Firewall and regular scanning for Malware. Sucuri’s service picked up this obfuscated code on a client website, alerting us to the infection.
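As an added example (not code from the original post or from any scanning service), the following Python sketch checks a page's HTML for the two indicators named above: the script host cdn.nablabee.com and the ‘loadMiner’ name. The `allowed_hosts` parameter, the decoders (hex escapes and base64, since the post does not say which encoding was used) and the sample page are assumptions.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators named in the post; the decoders and sample page are assumptions.
MINER_HOST, MINER_NAME = "cdn.nablabee.com", "loadMiner"

class ScriptCollector(HTMLParser):
    """Collect each script's source host and all inline script text."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._open = [], "", False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.hosts.append(urlparse(dict(attrs).get("src") or "").hostname or "")
    def handle_data(self, data):
        if self._open:
            self.inline += data + "\n"
    def handle_endtag(self, tag):
        self._open = False  # inside <script> the parser only reports </script>

def decoded_views(text):
    r"""Yield best-effort decodings: \xNN escapes undone, then base64 runs."""
    yield re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), text)
    for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            yield base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("latin-1")
        except ValueError:
            pass  # not valid base64, ignore

def scan_page(html, allowed_hosts):
    """Return sorted findings for one page's HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = {f"unlisted script host: {h}" for h in parser.hosts
                if h and h != MINER_HOST and h not in allowed_hosts}
    if MINER_HOST in parser.hosts:
        findings.add(f"known miner host: {MINER_HOST}")
    if any(MINER_NAME in v or MINER_HOST in v for v in decoded_views(parser.inline)):
        findings.add("inline script references a miner indicator")
    return sorted(findings)

# Constructed sample page; the encoded payload is a harmless placeholder.
BLOB = base64.b64encode(b"function loadMiner(){ /* placeholder */ }").decode()
SAMPLE = f"""<html><head><script src="/misc/drupal.js"></script>
<script src="//cdn.nablabee.com/placeholder.js"></script>
<script src="https://stats.example.net/t.js"></script>
<script>eval(atob("{BLOB}"))</script></head></html>"""
```

Calling `scan_page(SAMPLE, {"www.example.org"})` reports the miner host, the unlisted third-party host and the encoded inline reference, while the site's own relative script is not flagged.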

*** Update: As part of this find, we notified 25 websites about the infection, and many have since removed it. One organization claimed that there was a complaint lodged against them with the BBB after I had sent a notification about a week prior. Businesses ranged from Public Libraries to a Portable Bathroom company.

 
