Security researchers recently analyzed various spam campaigns and discovered a new one related to Bitcoin cryptocurrency that is impacting a lot of websites. For the past months, Bitcoin gained a lot of attention and reached high price levels, followed by various fluctuations. The process of mining consists of verifying other Bitcoin transactions, which users are rewarded for, and is supposed to keep transactions safe and secure.

How the infection is spread

During this spam campaign, online criminals try to inject a malicious script into different WordPress, Joomla, and jBoss legitimate websites. They do this by hiding the unwanted script on the embed site with the main purpose to create a binary file. With the help of this binary file, hackers will misuse the PC’s CPU to access users’ computers to mine Bitcoin. Basically, when visitors access a website that hosts the malicious script, their PC’s CPU is used to mine Bitcoin currency for cyber attackers. It will also collect information from the Bitcoin wallet which has been installed on the compromised machine. Here is how the malicious script is injected with a reference to the following site (sanitized for your own protection) http: // online-game-18 [.] xyz /? c = 41-149-20180219062557833d27348 & pst = 2 & key = [uniktID] The package file provided to the potential victims looks like a game for adults named “The # 1 Adult Game – Free to Play” and containing an executable filename “setup_sex_game.exe” The binary package is digitally certified by Comodo with the following details: Status Valid Issuer COMODO RSA Code Signing CA Valid from 1:00 AM 2/15/2018 to 12:59 AM 2/16/2019 Valid Use Code Signing Algorithm sha256RSA Thumbprint 9FB7FD71BB7DA9C256E872CB56E3808E811990BB Serial number 66 CA 14 17 72 9E 0A BB D8 F9 80 08 A3 97 4B B4 The above domain is hosted on this server (sanitized for your own protection) 212.224.118 [.] 40. Security researchers discovered that it’s the same server linked with other Bitcoin mining domains, including the same offer of a free game. Here’s a list of malicious domains: action8 [.] xyz biggame1 [.] xyz updflash [.] xyz Best-game [.] xyz game18plus [.] xyz need action [.] xyz Win32 flash [.] xyz update-flash [.] xyz Update Flash Player [.] xyz Heimdal Security proactively blocked all infected sites, so all Heimdal™ Threat Prevention and Endpoint Security Suite users are protected. According to VirusTotal, only 16 antivirus engines out of 68 managed to detect the binary package file at the time we write this article.

How to protect yourself against malicious script injections

The main issue with the Bitcoin Mining malware is that it acts like a fileless malware and usually go undetected by traditional antivirus products. Injecting a malicious script, hackers can redirect users to a compromised site and steal users’ sensitive data. This is why we strongly recommend users to:

• Apply all the updates available for your apps (especially the most vulnerable ones: Flash and Java, browsers), software programs and system. Do NOT postpone and neglect to keep your system fully patched. Keeping OS up to date is the best thing users can do for their safety.
• Be very careful when clicking on suspicious links or websites and always check if the web page’s URL is genuine;
• Make sure you access sites that use a security certificate or HTTPS to avoid malware infection;
• Install a reliable antivirus program installed on your computer to protect your valuable data from online threats;
• Consider adding multiple layers of protection and use also  proactive cybersecurity software solution;
• Probably one of the best security measure everyone can use is to learn how to easily detect various online threats. We recommend reading these free educational resources to gain more knowledge in the cybersecurity industry.

*This article features cyber intelligence provided by CSIS Security Group researchers.