Cyber Crime

Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation

Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.

Security researchers at MalwareLabs have uncovered a new crypto mining campaign that leverages an alternative scheme to mine cryptocurrencies, differently from other campaigns, crooks don’t inject the CoinHive JavaScript miner directly in compromised websites.

CoinHive also provides an “URL shortener” service that allows users to create a short link for any URL with, the unique difference with similar services is that it introduces a delay so that it can mine Monero cryptocurrency for an interval of time before redirecting the user to the original URL.

The redirection time is adjustable via Coinhive’s settings, this means that the attackers can force visitors’ web browsers to mine cryptocurrency for a longer period.

The experts at Malwarebytes discovered a large number of legitimate websites have been hacked by crooks to load short URLs generated using the CoinHive service through a hidden HTML iFrame. With this trick, attackers aim at forcing visitors’ browsers into mining cryptocurrencies.

“We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.” reads the analysis published by Malwarebytes.

"<i frame src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></i frame>"

“The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.”

This mining scheme is a novelty in the threat landscape because it doesn’t leverage on the injection of CoinHive’s JavaScript in the compromised websites.

Malwarebytes experts linked this last campaign to the one monitored by Sucuri researchers in May.

The attackers add an obfuscated javascript code into the compromised websites, this code is used to dynamically injects an invisible iframe (1×1 pixel) into the webpage as soon as it is loaded on the web browser.

The webpage then automatically starts mining until the Coinhive short-link service redirects the user to the original URL.

“In Figure 3 where we made the iframe visible by changing its dimensions, to show that rather than wait for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page.” continues the analysis from Malwarebytes.
“Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.”

Experts also discovered that cybercriminals are injecting hyperlinks to other compromised websites to trick victims into downloading cryptocurrency miners for desktops that are disguised as legitimate software.

“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” continues the researchers.

“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”

Further technical details about the campaign, including the IoCs, are reported in the blog post.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Coinhive,  crypto currency mining)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

4 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

10 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

22 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.