The attack is particularly clever in that the cryptocurrency mining is done directly within the web browser when the victim browses to certain booby-trapped websites.
The attackers are mining for three types of alternative cryptocurrencies — Monero, Litecoin and Feathercoin — that were inspired by the more popular Bitcoin.
Using malvertising to mine for cryptocurrencies can be incredibly profitable for cyberattackers. For example, a single Monero currently trades for $96 while Litecoin prices on public exchanges are listed at $53.
“In this particular case, we are not sure if the injection of the script was intended or if listat[.]biz was compromised. However, listat[.]biz is really suspicious as it seems to mimic LiveInternet counter (LI stat), which is a legitimate web counter. Moreover, many suspicious domains have been registered with the same email address, including lmodr[.]biz, which is also present in the malvertising chain,” according to ESET researcher Matthieu Faou.
Thoughtful in execution, the malicious rigged websites were all serving video streaming content or were in-browser gaming sites. This allowed the attackers to stay under-the-radar because computer users tend to spend more time on these types of websites. In addition, because video and gaming sites are expected to have a higher CPU loads, the power consumption of the cryptocurrency mining scripts would be difficult to detect.
Screenshot shows CPU usage while the cryptocurrency mining happens within the browser. Image source: ESET
The user never suspects malicious activity because the maliciously rigged sites are serving video and gaming content.
Pirate Bay has also been found to be guilty of rigging their own site for cryptocurrency mining in recent weeks. To the astonishment of their users Pirate Bay has been caught running a cryptocurrency miner — for Monero — on select pages.
The malvertising attacks affect web surfers mostly in Russia and Ukraine but it’s only a matter of time before it spreads globally and puts pressure on ad serving companies and publishers to get ahead of this threat to protect end users.
The Break Down
The first three hops just inject the script provided by the next hop: The first domain used in the redirection (skyadsvideo1[.]ru in our example) is not always the same. We also have seen code.moviead55[.]ru. Both have resolved to the same IP addresses, 126.96.36.199 and 188.8.131.52. According to Whois data for the domain skyad[.]video, whose subdomain code.skyad[.]video also resolved to the same two IP adresses, the domains seem to be related to the SkyAdVideo ad network owner.
As the payoff for this attack is high, the attack will probably continue – beyond Russian and Ukrainian sites – to U.S. and Europe.
The emergence of this new malvertising threat underscores the need for specialized ad security and verification tools to detect and remove malicious scripts from ads served on the web.
GeoEdge has a specific alert for cypto-mining malvertisements and will automatically spot suspicious activity before they damage your brand’s reputation and turn away users. Ask GeoEdge how we can help keep your sites, apps and users safe.