A recent investigation by Group-IB has uncovered a cryptojacking campaign targeting visitors of Thesaurus, a popular online thesaurus. Visitors were served malware that mined cryptocurrency on their machines and could have been used to deploy further, more harmful payloads.
Thesaurus, a well-known site with approximately 5 million monthly visitors, is used by students, authors, and anyone looking to expand their vocabulary. The incident shows that even a trusted, high-traffic website can be turned into an infection vector.
Group-IB's 24/7 monitoring team first noticed malicious archives flagged by its MXDR (Managed Extended Detection and Response) platform. The archives contained malware and turned up across several unrelated customer companies. Their names followed an unusual pattern, "chromium-patch-nightly.00.[0-9]{3}.[0-9]{3}.zip", which both pointed to a common source and showed the files were posing as a browser update rather than arriving through a conventional phishing attachment.
To analyze the archives, Group-IB detonated them in its Malware Detonation Platform, an isolated virtual environment for examining samples. The archives contained a dropper that installed the XMRig coinminer. XMRig is the tool most often seen in cryptojacking because it mines Monero, a privacy-focused cryptocurrency whose transactions are hard to trace back to the attacker.
Investigators then used Group-IB's EDR (Endpoint Detection and Response) module to determine where the archives had come from. The malicious files had been written to the Downloads folder on the affected workstations. Since that is where any browser download lands, it said nothing about the origin on its own, so the specialists pulled browser history through the EDR agent's built-in collection feature and traced each download back to the page that triggered it.
The browser history showed the infection chain: the archives were downloaded automatically when a user visited the Thesaurus website, with no deliberate download on the user's part. Interestingly, the attack seemed to avoid the antonyms section of the site. Although the dropper archives were downloaded, no execution of the dropper was observed on the monitored hosts.
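The tracing step above, from an archive in a Downloads folder back to the page that triggered it, can be reproduced from the browser's own download records. The following is an added example and not Group-IB's tooling: it takes rows in the shape of Chromium's History database (the `downloads` table's saved path and open tab, plus the `downloads_url_chains` redirect chain), matches filenames against the reported naming pattern, and reports which site each suspect download was opened on. The sample rows are constructed, and the serving hosts (`example-dropper.invalid` and so on) are placeholders, not real indicators.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Regex form of the reported filename pattern
# "chromium-patch-nightly.00.[0-9]{3}.[0-9]{3}.zip".
SUSPECT_NAME = re.compile(r"^chromium-patch-nightly\.00\.\d{3}\.\d{3}\.zip$", re.IGNORECASE)

# Constructed sample records (not real telemetry) shaped like Chromium's History
# database: target_path and tab_url come from the `downloads` table, url_chain
# from `downloads_url_chains`. All hosts except thesaurus.com are hypothetical.
SAMPLE_DOWNLOADS = [
    {"target_path": r"C:\Users\alice\Downloads\chromium-patch-nightly.00.123.456.zip",
     "tab_url": "https://www.thesaurus.com/browse/resilient",
     "url_chain": ["https://ads.example-redirector.invalid/go",
                   "https://cdn.example-dropper.invalid/dl/123456"]},
    {"target_path": r"C:\Users\bob\Downloads\chromium-patch-nightly.00.987.654.zip",
     "tab_url": "https://www.thesaurus.com/browse/vocabulary",
     "url_chain": ["https://cdn.example-dropper.invalid/dl/987654"]},
    {"target_path": r"C:\Users\bob\Downloads\quarterly-report.pdf",
     "tab_url": "https://intranet.example.corp/reports",
     "url_chain": ["https://intranet.example.corp/reports/q3.pdf"]},
    # Wrong digit-group length: does not match the campaign pattern.
    {"target_path": r"C:\Users\carol\Desktop\chromium-patch-nightly.00.1.2.zip",
     "tab_url": "https://www.thesaurus.com/browse/antonym",
     "url_chain": ["https://cdn.example-dropper.invalid/dl/12"]},
]


def is_suspect_name(target_path: str) -> bool:
    """True when the saved filename matches the campaign's naming pattern."""
    return bool(SUSPECT_NAME.match(PureWindowsPath(target_path).name))


def trace_downloads(rows):
    """One finding per suspect download: the page it was opened on, the host
    that finally served the file, and whether it landed in a Downloads folder."""
    findings = []
    for row in rows:
        if not is_suspect_name(row["target_path"]):
            continue
        path = PureWindowsPath(row["target_path"])
        findings.append({
            "file": path.name,
            "in_downloads_dir": path.parent.name.lower() == "downloads",
            "referrer_host": urlsplit(row["tab_url"]).hostname,
            # Last hop of the redirect chain is the server that delivered the bytes.
            "served_by": urlsplit(row["url_chain"][-1]).hostname,
        })
    return findings


def referrer_summary(findings) -> Counter:
    """Count suspect downloads per referring site. One dominant referrer across
    several hosts is the signal that a single site is the infection source."""
    return Counter(f["referrer_host"] for f in findings)


if __name__ == "__main__":
    hits = trace_downloads(SAMPLE_DOWNLOADS)
    for h in hits:
        print(f"{h['file']}: opened on {h['referrer_host']}, served by {h['served_by']}")
    print("referrers:", dict(referrer_summary(hits)))
```

The referring page (tab_url) and the serving host are deliberately kept separate: in a drive-by download the page the user trusts and the server that hands out the archive are different parties, and blocking only the latter leaves the compromised page free to point at a new one.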
Group-IB acted promptly to protect its customers. It notified the affected organizations and provided context and prevention advice in the incident comments section of the MXDR console.
Once the Malware Detonation Platform had confirmed the archives as malicious, the EDR agent automatically blocked and quarantined them on the affected hosts, and the file hashes were shared with other customers so they could update their blocklists.
This campaign is a reminder that even popular, trusted websites can be compromised. The threat actors relied on well-known tactics: a drive-by download triggered by the page itself, and social engineering through fake browser error pages that presented the archive as a needed update. Users need to stay alert and put basic protections in place.
Following the investigation, Group-IB published several recommendations. Users should keep operating systems and software updated and download software and updates only from official sources; a browser "patch" offered by a random website is never legitimate. Organizations should monitor workstation resource usage for the sustained CPU load that betrays a cryptominer, and deploy an EDR solution so that downloads like these are blocked and traced automatically.
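The resource-usage recommendation above is only useful with a rule that separates a miner from a legitimately busy process. The following is an added example, not Group-IB's detection logic: it triages constructed process snapshots (name, command line, a series of CPU samples) and flags sustained CPU load for review, raising severity to high when the command line carries indicators typical of XMRig-style miners (a `stratum+tcp://` pool URL, `--donate-level`, `--algo`, `--coin`). The indicator list and thresholds are assumptions to tune per environment; the sample processes and pool host are invented.

```python
import re
from statistics import mean

# Command-line indicators commonly seen with XMRig-style miners (assumption:
# a generic starting list, not a published signature).
MINER_CMDLINE = re.compile(
    r"(stratum\+(tcp|ssl)://|--donate-level|--algo(=|\s)|--coin(=|\s)|\bxmrig\b)",
    re.IGNORECASE,
)

SUSTAINED_CPU = 80.0   # percent of one core, averaged over the window
MIN_SAMPLES = 6        # e.g. six 10-second samples = one minute of load

# Constructed process snapshots (not real telemetry): name, command line and
# a series of CPU samples for each process.
SAMPLE_PROCESSES = [
    {"pid": 4120, "name": "chrome.exe",
     "cmdline": "chrome.exe --type=renderer",
     "cpu": [12.0, 95.0, 8.0, 6.0, 10.0, 7.0]},             # one spike only
    {"pid": 5312, "name": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "cpu": [1.0, 0.5, 0.0, 1.0, 0.5, 0.0]},
    {"pid": 7788, "name": "wuauserv.exe",                   # miner renamed after a Windows service
     "cmdline": "wuauserv.exe -o stratum+tcp://pool.example.invalid:3333 -u 4ABC... --donate-level=1",
     "cpu": [97.0, 99.0, 98.0, 96.0, 99.0, 97.0]},
    {"pid": 8101, "name": "build.exe",
     "cmdline": "build.exe --release",
     "cpu": [92.0, 94.0, 90.0, 95.0, 93.0, 91.0]},           # legitimate sustained load
]


def classify(proc):
    """Return the reasons a process looks like a miner (empty list = clean)."""
    reasons = []
    samples = proc["cpu"]
    # Average over the last MIN_SAMPLES so a single spike does not trigger.
    if len(samples) >= MIN_SAMPLES and mean(samples[-MIN_SAMPLES:]) >= SUSTAINED_CPU:
        reasons.append("sustained_cpu")
    if MINER_CMDLINE.search(proc["cmdline"]):
        reasons.append("miner_cmdline")
    return reasons


def severity(reasons):
    """Command-line evidence is decisive; CPU load alone only earns a review."""
    if "miner_cmdline" in reasons:
        return "high"
    if "sustained_cpu" in reasons:
        return "review"
    return "none"


def triage(procs):
    """Map pid -> (severity, reasons) for every process that needs attention."""
    out = {}
    for p in procs:
        reasons = classify(p)
        if reasons:
            out[p["pid"]] = (severity(reasons), reasons)
    return out


if __name__ == "__main__":
    for pid, (sev, reasons) in triage(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: {sev} ({', '.join(reasons)})")
```

Sustained load on its own is kept at "review" on purpose: compilers, renderers and backup jobs peg a core for minutes at a time, so an alert rule that fires on CPU alone drowns analysts in noise, while a pool URL or donate-level flag on a process pretending to be a Windows service is worth an immediate response. On a live host the CPU series would come from periodic sampling (for example `psutil.Process.cpu_percent`), and the same classification applies unchanged.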
In conclusion, the discovery of a cryptojacking campaign running through a popular thesaurus site shows that a trusted destination offers no guarantee of safety. Group-IB's investigation is a reminder to treat unexpected downloads with suspicion, to monitor endpoints for the telltale load of a miner, and to keep defenses in place that can block and trace such files automatically.

