Security firm Seekurity reported that the D-Link MEA site was caught running a cryptocurrency mining script, Monero to be exact.
The security news story is that a Facebook user (Ahmed Samir) reported, on October 20th at 4:27 am, unusual behaviour on the D-Link MEA website (D-Link Middle East): a visit to the website caused very high CPU utilization.
According to Seekurity, connections between the browser and the “Sdarot-il.com” domain are established via WebSockets, sending and receiving the miner's messages.
When the URL and files were analysed with VirusTotal, only Avira, Sophos-AV and Malwarebytes flagged them as malware.
- hits.js: https://www.virustotal.com/#/url/4064a0812ff8e59e485a50759409186033abebac9605e69afffe007568179122/detection
- cryptonight-worker.js: https://www.virustotal.com/#/url/5093eb39425a148329cf71fee3d6364ace68304a9ef8fbc9c4416d11941061cf/detection
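As an added illustration, not part of Seekurity's report or this article: a static check in Python that flags, in a page's HTML, the combination described above (scripts loaded from a third-party domain, a CryptoNight-named worker script, and a WebSocket opened to a host other than the page's own origin). The indicator patterns, the sample HTML and the function names are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Indicator patterns are an assumption for this example, drawn from the incident
# above (a CryptoNight worker script, a WebSocket to the injector's domain).
MINER_NAME_RE = re.compile(r"cryptonight|\bminer\b", re.I)
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\bsrc=["']([^"']+)["']""", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
WEBSOCKET_RE = re.compile(r"""new\s+WebSocket\(\s*["'](wss?://[^"']+)["']""", re.I)

def host_of(url: str) -> str:
    # Hostname of an absolute or protocol-relative URL; '' for a relative path.
    return (urlparse(url).hostname or "").lower()

def scan_page(page_url: str, html: str) -> dict:
    """Static scan of page HTML for third-party script loads, miner-named
    scripts and WebSocket endpoints on a host other than the page's origin.
    It flags indicators for review; it does not prove that mining occurs."""
    origin = host_of(page_url)
    findings = {"third_party_scripts": [], "miner_scripts": [],
                "cross_origin_websockets": []}
    for src in SCRIPT_SRC_RE.findall(html):
        if host_of(src) and host_of(src) != origin:
            findings["third_party_scripts"].append(src)
        if MINER_NAME_RE.search(src):
            findings["miner_scripts"].append(src)
    for body in INLINE_SCRIPT_RE.findall(html):
        for ws_url in WEBSOCKET_RE.findall(body):
            if host_of(ws_url) != origin:
                findings["cross_origin_websockets"].append(ws_url)
    return findings

def is_suspicious(findings: dict) -> bool:
    # Escalate when a miner-named script is paired with a cross-origin
    # WebSocket: the combination the report above describes.
    return bool(findings["miner_scripts"]) and bool(findings["cross_origin_websockets"])

# Constructed sample resembling the reported page layout; not the real markup.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://sdarot-il.com/hits.js"></script>
<script src="https://sdarot-il.com/cryptonight-worker.js"></script>
<script>
  var ws = new WebSocket("wss://sdarot-il.com/proxy");
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    result = scan_page("https://dlinkmea.com/", SAMPLE_HTML)
    print(result, "SUSPICIOUS" if is_suspicious(result) else "clean")
```

A match is a lead for review, not proof; confirming the behaviour still means watching CPU usage and the WebSocket traffic in the browser, as the reporter did.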
Seekurity also published a proof-of-concept video about the incident.
Timeline of the incident (Seekurity)
Oct 25, 2017: A written incident report (PDF) was sent to the D-Link MEA website administration (awaiting response).
Oct 25, 2017: Proof-of-concept video of the incident included with the report.
Oct 25, 2017: 5 days given to the vendor to fix the problem before public disclosure.
Oct 30, 2017: No response from the vendor, but the vulnerable domain (dlinkmea.com) now redirects to the D-Link USA website (us.dlink.com) and the mining script is no longer working; however, some uncleaned clues still point to the injector website (Sdarot-il.com).
Oct 31, 2017 (02:50 CST): Incident publicly disclosed!
Oct 31, 2017 (06:25 CST): Dlinkmea.com taken down.
Is there another website caught running cryptocurrency mining scripts?
Did D-Link do it on purpose, or were they hacked?
It is too early to point fingers at D-Link. Some websites run cryptocurrency mining scripts to generate revenue instead of showing visible ads; however, hackers are finding this a lucrative market as well: compromising a website and, instead of defacing it, adding a small script to make money!