Obfuscated Coinhive shortlink reveals larger mining operation | Advanced Mobile Spy Software
During the past several months, in-browser mining has continued to affect a large number of websites, predominantly relying on Coinhive's infamous API. We documented several campaigns on this blog, in particular Drupalgeddon, where attackers are taking advantage of vulnerabilities in popular Content Management Systems (CMS) to compromise websites and push payloads both client- and server-side. In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive's shortlink to perform silent drive-by mining. By pivoting on this indicator of compromise, we were able to identify a larger infrastructure receiving traffic from several thousand hacked sites acting as doorways to redirect traffic to a central server involved in the distribution of both web and standard malware coin miners. Figure 1: Mining operation fueled by compromised sites Obfuscated miner injection As part of our regular crawls, we look