D-Link MEA Site Caught Running Cryptocurrency Mining Script

Security firm Seekurity reported that the D-Link MEA site was caught running a cryptocurrency mining script, a Monero miner to be exact.

The story began when a Facebook user (Ahmed Samir) reported, on October 20th at 4:27 am, unusual behaviour on the D-Link MEA website (D-Link Middle East): simply visiting the site caused very high CPU utilization.

The website contained an injected iframe that made a connection request to “https://sdarot-il.com/” and loaded a JavaScript file, “hits.js”.

According to Seekurity, connections between the browser and the “Sdarot-il.com” domain are established via WebSockets, sending and receiving the miner’s responses.

Analysing the URLs and files with VirusTotal, only Avira, Sophos-AV and Malwarebytes marked them as malware.

  • hits.js: https://www.virustotal.com/#/url/4064a0812ff8e59e485a50759409186033abebac9605e69afffe007568179122/detection
  • cryptonight-worker.js: https://www.virustotal.com/#/url/5093eb39425a148329cf71fee3d6364ace68304a9ef8fbc9c4416d11941061cf/detection 
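The injection pattern described above (a hidden iframe pulling a script from a foreign domain, plus a WebSocket back to that domain) is something a site owner can check for in their own page source. The following is an added example, not code from Seekurity or D-Link: a small audit that parses page HTML, flags iframe/script sources and WebSocket endpoints on hosts outside an assumed first-party allowlist, and also flags the file names seen in this incident. The allowlist and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts the site is expected to load from (assumed allowlist for this example).
FIRST_PARTY = {"dlinkmea.com", "www.dlinkmea.com"}
# File names Seekurity observed on the page; CryptoNight workers are a common miner marker.
MINER_HINTS = ("cryptonight", "hits.js")
# Matches WebSocket endpoints opened by inline scripts, e.g. new WebSocket("wss://...").
WS_RE = re.compile(r"""new\s+WebSocket\(\s*["'](wss?://[^"']+)["']""")

class PageAuditor(HTMLParser):
    # Collects iframe/script sources and WebSocket endpoints, flagging suspicious ones.
    def __init__(self):
        super().__init__()
        self.findings = []      # (where, url, reason)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "script") and src:
            self._check(src, f"<{tag} src>")
        self._in_script = tag == "script"         # script bodies arrive via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in WS_RE.findall(data):
                self._check(url, "WebSocket")

    def _check(self, url, where):
        host = urlparse(url).hostname or ""       # relative URLs have no host
        if host and host not in FIRST_PARTY:
            self.findings.append((where, url, "third-party host"))
        if any(h in url.lower() for h in MINER_HINTS):
            self.findings.append((where, url, "miner script name"))

def audit_html(html):
    auditor = PageAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample mimicking the injection described above, not the real page source.
SAMPLE = """<html><body><h1>D-Link MEA</h1>
<script src="/js/site.js"></script>
<iframe src="https://sdarot-il.com/hits.js" width="0" height="0"></iframe>
<script>var s = new WebSocket("wss://sdarot-il.com/proxy");</script>
</body></html>"""
```

Running `audit_html(SAMPLE)` returns three findings: the iframe is flagged twice (foreign host and a known miner file name) and the WebSocket endpoint once; the first-party `/js/site.js` is not reported.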

Figure 1: D-Link MEA website caught running cryptocurrency mining script

Figure 2: D-Link MEA website caught running cryptocurrency mining script (2)

Seekurity also published a proof of concept video about the incident:

Timeline of the incident (Seekurity)

Oct 25, 2017: A written incident report (PDF file) was sent to the D-Link MEA website administration (waiting for response).

Oct 25, 2017: Incident proof of concept video included. 

Oct 25, 2017: 5 days given to the vendor to fix the problem before public disclosure.

Oct 30, 2017: No response from the vendor, but the vulnerable domain (dlinkmea.com) is now redirecting to the D-Link USA website (us.dlink.com) and the mining script is no longer working; however, there are still some uncleaned clues pointing to the injector website (Sdarot-il.com).

Oct 31, 2017 (02:50 CST): Incident Public disclosure!

Oct 31, 2017 (06:25 CST): Dlinkmea.com taken down

Is there another website caught running cryptocurrency mining scripts?

Yes, we reported earlier on a security news incident about CBS. The website contained JavaScript that secretly caused viewers’ web browsers to mine cryptocurrency over a weekend, until the incident was made public.

Did D-Link do it on purpose, or were they hacked?

It is too early to point fingers at D-Link. Some websites run cryptocurrency mining scripts to generate revenue instead of showing visible ads; however, hackers are finding this a lucrative market as well: hacking a website and, instead of defacing it, adding a little script to make money!

Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.
