
Another Cryptominer Delivered Through Altered JQuery.js File

A few days ago, I published a diary on the SANS Internet Storm Center website about a JavaScript file that was altered to deliver a cryptominer into the victim’s browser. Since that first finding, I have been hunting for more samples. The best way to identify them is to search for the following piece of code:

var foo = navigator['hardwareConcurrency'] || 0x4;

This detects the number of CPU cores available to the miner. I have already found plenty of samples; most of the time they are standalone files.

Another interesting piece of code:

return /mobile|Android|webOS|iPhone|iPad|iPod|IEMobile|Opera Mini/i['test'](navigator['userAgent']);

This is used to avoid running the miner on mobile devices and wasting their resources.

This morning, I found an altered jquery.js file. jQuery is a very popular JavaScript library that helps developers to “write less, do more”, as stated on its website. The malicious file is a very old version of jQuery (1.7.1) that is still popular. The wdiff command (“word diff”) shows how the original file differs from the malicious one:

$ wdiff -s jquery.js jquery.js.malicious
...
jquery.js: 1244 words 1243 100% common 0 0% deleted 1 0% changed
jquery.js.malicious: 10457 words 1243 12% common 9212 88% inserted 2 0% changed

Note that the malicious file (SHA256: ec214629efdffce5031b105737a14778a275c7a178bf1330f700ea6254269276) has a very low score on VT: 2/60 and was submitted yesterday from the USA.
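As an added example (not code from the post), here is a small Python triage script that applies both hunting checks described above: it flags a JavaScript file containing the hardwareConcurrency fallback or the mobile user-agent regex, and it approximates the wdiff word statistics against a known-good copy of the library. The two JavaScript snippets it scans are constructed for the example and startWorkers is a placeholder name.

```python
import re
from difflib import SequenceMatcher

# Hunting indicators quoted in the post: the core-count lookup and the
# mobile user-agent check used by the injected miner code.
INDICATORS = {
    "hardwareConcurrency fallback": re.compile(
        r"navigator\s*\[\s*['\"]hardwareConcurrency['\"]\s*\]\s*\|\|\s*0x4"),
    "mobile UA exclusion": re.compile(
        r"/mobile\|Android\|webOS\|iPhone\|iPad\|iPod\|IEMobile\|Opera Mini/i"),
}

def find_indicators(js_source: str) -> list:
    """Return the names of the indicators present in a JavaScript source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(js_source)]

def word_diff_stats(original: str, suspect: str) -> dict:
    """Approximate `wdiff -s`: count the suspect file's words that are common
    with the original versus inserted, using a word-level sequence match."""
    a, b = original.split(), suspect.split()
    sm = SequenceMatcher(None, a, b, autojunk=False)
    common = sum(block.size for block in sm.get_matching_blocks())
    inserted = len(b) - common
    return {"words": len(b), "common": common, "inserted": inserted,
            "inserted_pct": round(100 * inserted / max(len(b), 1))}

def assess(original: str, suspect: str, inserted_threshold: int = 10) -> dict:
    """Combine both checks: indicator hits or a large share of inserted words
    (default 10%) mark the suspect copy as worth a closer look."""
    stats = word_diff_stats(original, suspect)
    stats["indicators"] = find_indicators(suspect)
    stats["suspicious"] = bool(stats["indicators"]) or stats["inserted_pct"] >= inserted_threshold
    return stats

# Constructed samples: a tiny stand-in for the library, and a copy with a
# miner-like block appended (startWorkers is a placeholder, not a real API).
CLEAN_JS = "/*! jQuery v1.7.1 */ (function(window){ var jQuery = function(){}; window.jQuery = jQuery; })(window);"
TAMPERED_JS = CLEAN_JS + """
(function(){ var foo = navigator['hardwareConcurrency'] || 0x4;
  function isMobile(){ return /mobile|Android|webOS|iPhone|iPad|iPod|IEMobile|Opera Mini/i['test'](navigator['userAgent']); }
  if (!isMobile()) { startWorkers(foo); } })();
"""

if __name__ == "__main__":
    print(assess(CLEAN_JS, CLEAN_JS))
    print(assess(CLEAN_JS, TAMPERED_JS))
```

In practice, compare a deployed jquery.js against the pristine release of the same version; the indicator regexes alone are enough to sweep a web root without a reference copy.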
