Indian government websites infected with Monero mining malware

Subdomains of the most visited sites in India secretly mine cryptocurrency

Indian websites mine cryptocurrency using visitors' PC resourcesMonero mining malware CoinHive running on 120 websites in India makes $200K every month.

According to IndiaTimes report,[1] municipal administration of Andhra Pradesh, Tirupati Municipal Corporation and Macherla municipality and hundreds of other government websites were used to mine Monero cryptocurrency.

The way cryptojacking[2] works is relatively simple: bad actors send out thousands of emails containing a malicious crypto mining code or inject the website with JavScript which mines digital currency whenever a visitor enters the site.

Hackers used the latter to inject the malicious JavaScript into government websites due to high visit rate, as security researcher Indrajeet Bhuyan noted in his statement:

Hackers target government websites for mining cryptocurrency because those websites get high traffic and mostly people trust them. Earlier, we saw a lot of government websites getting defaced (hacked). Now, injecting cryptojackers is more fashionable as the hacker can make money.

Along with Bhuyan, another two Guwahati-based security experts, Shkil Ahmed and Anish Sarma, discovered that the subdomains that hosted crypto mining script belonged to ap.gov.in. The official website is one of the most visited in the country and receives over 160k users monthly.

Since the discovery of crypto mining malware, the ap.gov.in was up and running, while, at the time of the writing, the website is down and is not responding. There is no specific information about the amount of cryptocurrency already mined, but apparently, the code is built to mine anonymous currency Monero.

Cryptomining websites running the malicious CoinHive script

Unsurprisingly, not only governmental websites are affected what turned out to the notorious CoinHive[3] script. Upon research conducted by Guwahati-based security researchers, it was discovered that another 119 sites ran by enterprises were affected too. Furthermore, experts detected over 4,000 websites hosted by goidirectory.nic.in secretly mining crypto. Most of those were shut down before researchers even managed to reach them out.

The crypto-jacking scheme is based on running a piece of code on certain websites which later on uses the power of the visitors' computer to mine wanted cryptocurrency. The more time the visitor spends on the site, the more profit culprits receive, and the higher CPU usage of the victim is. Users, however, might not notice this process or simply not understand why their computer is increasing its workload and, simply will keep providing crooks with the cryptocurrency.

Cryptojacking[2] has been on the rise in recent years as it seems to be more profitable for hackers. It simply provides more profit with the minimum amount of effort. While some ransomware viruses might bring in millions, others are barely known, and there is a low chance victim will pay the ransom in the first place. For example, the infamous XiaoBa virus changed its business model to coinmining[4] rather than traditional ransom-demanding technique.

CoinHive is already known as very dangerous malware that runs all over the world. Recently, it was discovered[5] that CoinHive gained more than $250 000 per month in Monero.

Defending against crypto mining malware

Crypto-jackers and ransomware[6] go hand in hand these days. Both targeting businesses and gaining large amounts of money form their campaigns – it does not seem that any of the business models of money extortion will stop any time soon. When it comes to these social engineering schemes, there is a way to prevent malware attacks from being successful.

Regular software updates and patching system vulnerabilities is a must not only for high profile organizations but also for every regular user. Patches are continually being released, and there is no need to postpone the installation. Additionally, running of reputable anti-malware software is a necessity, as it can prevent many infections from entering the targeted device.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References
Files
Software
Compare