CryptoTicker









Trustwave Discovers Cryptojacking Malware On Make-A-Wish Foundation website

Cybersecurity firm Trustwave has discovered cryptojacking malware on the Make-A-Wish Foundation website. The Make-A-Wish Foundation is a non-profit group.

Prasanna Peshkar


November 25, 2018 11:16 AM


Cybersecurity firm Trustwave has discovered cryptojacking malware on the Make-A-Wish Foundation website. The Make-A-Wish Foundation is a non-profit group established in the United States that provides experiences called “wishes” to children diagnosed with severe illnesses.

According to Trustwave researcher Simon Kenin’s report, attackers inserted the JavaScript (JS) miner CoinImp into the domain worldwish.org to mine the cryptocurrency Monero (XMR). The report further noted that cryptojacking scripts are being injected into many domains with “.org” and “.gov” extensions on a daily basis.

Trustwave Discovers Cryptojacking Malware. Image Source: Trustwave

Simon Kenin said:

It was indeed the case that the website of the Make-A-Wish organization had been compromised. Embedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals’ pockets, making their “wish” to be rich, come “true”. It’s a shame when criminals target anyone but targeting a charity just before the holiday season? That’s low.

The report further explained that the domain drupalupdates.tk was used to inject the mining script. It is part of a known campaign that has been exploiting Drupalgeddon 2 since May 2018. Many website owners never update their Drupal version, which allows attackers to compromise their websites to mine cryptocurrency.

Trustwave Discovers Cryptojacking Malware Image Source: Trustwave

Drupalgeddon 2 is not the only technique attackers use to infect websites with cryptojacking malware. Cryptojacking is now so widespread that it is sometimes difficult to determine whether a website has been infected with malware or the mining code was deliberately added by the site owner. These days attackers are shifting from ransomware to cryptocurrency-related malware. CoinMiner, or CoinMiner-FOZU, uses a victim’s computer to mine new coins by infecting user executables, injecting Coinhive JavaScript into HTML files, and blocking the domains of security products to stop signature updates.

This attack uses several methods to evade static detection. It begins by changing the domain name that serves the JavaScript miner, which is itself obfuscated. The WebSocket proxy also uses varying domains and IPs, which leaves blacklist solutions out of date.
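Why a fixed blacklist misses a rotated miner domain while an allowlist of expected script origins still flags it, shown as an added example that is not from Trustwave's report or the original article. The sample HTML, every host name other than drupalupdates.tk, and the helper names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: two expected scripts, one injected external script,
# and one inline script that opens a WebSocket to a rotated proxy host.
PAGE_URL = "https://charity.example/index.html"
SAMPLE_HTML = """
<script src="/sites/all/js/site.js"></script>
<script src="//cdn.charity.example/jquery.min.js"></script>
<script src="https://rotated-host.example/lib.js?v=3"></script>
<script>var s = new WebSocket("wss://proxy.rotated-host.example/");</script>
"""

# Blacklist built from an earlier report; the campaign has since moved domains.
BLACKLIST = {"drupalupdates.tk"}
# Allowlist: the only origins this site is expected to load scripts from.
ALLOWLIST = {"charity.example", "cdn.charity.example"}
# Inline-script traits worth a manual look (heuristic, not proof of mining).
INLINE_HINTS = ("WebSocket(", "WebAssembly")


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # resolve relative and protocol-relative URLs
                self.hosts.append(urlparse(urljoin(PAGE_URL, src)).hostname or "")
            self._in_inline = not src

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit(html):
    c = ScriptCollector()
    c.feed(html)
    return {
        "blacklist_hits": sorted(h for h in c.hosts if h in BLACKLIST),
        "not_allowlisted": sorted(h for h in c.hosts if h not in ALLOWLIST),
        "inline_hints": sorted({k for s in c.inline for k in INLINE_HINTS if k in s}),
    }
```

On the sample page `audit(SAMPLE_HTML)` returns no blacklist hits, yet reports `rotated-host.example` as not allowlisted and flags the inline WebSocket use for review.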

The report further stated that Trustwave tried to contact Make-A-Wish to report the cryptojacking attack, but the foundation did not answer. However, the malicious injected script was eventually removed. Malware is the vector most commonly employed by attackers. Thousands of websites worldwide have fallen victim to cryptojacking malware that uses their visitors’ computers to mine cryptocurrency without the visitors noticing while they browse the site.

Mitigations

Trustwave Holdings is an information security company that provides threat, vulnerability and compliance management services. It has also published a few mitigations such as:

In a cryptojacking attack, cryptocurrency mining code is deployed on a system without authorization. Mining is the computation a system performs, as part of a mining pool, to create or find coins. Multiple cryptojacking attacks have been reported recently, including a substantial attack against YouTube as well as attacks against unsecured SSH and Oracle WebLogic servers, as attackers have sought to profit from the rising value of cryptocurrency.

Just a few days ago, researchers from Fudan University, Tsinghua University and the University of California Riverside published the first systematic study of cryptojacking in the real world, titled “How You Get Shot in the Back”. The study revealed growing sophistication in the malicious mining of cryptocurrency. Cryptojacking is a type of cyber attack in which an attacker hijacks a target’s processing power to mine cryptocurrency on the attacker’s behalf.

In this study, researchers found 2,770 unique cryptojacking samples from 853,936 popular web pages, including 868 among the top 100K in the Alexa list. Using these samples, they gained a clearer picture of the attacks, including their impact, distribution mechanisms, obfuscation, and attempts to avoid detection. Based on the unique wallet IDs, they further found that a varied set of companies benefit from this activity. To stay under the radar, the attackers also update their attack domains.

In addition, in June 2018 cybersecurity company McAfee disclosed that coin miner malware grew by 629% to more than 2.9 million known samples in Q1 2018, from almost 400,000 samples in Q4 2017.
