Malicious Cryptojacking Script Infects Over 200,000 Routers


InfoSec researchers recently discovered a massive cryptojacking campaign in the wild. A bad actor has been exploiting a vulnerability on MikroTik routers to hijack networks for cryptocurrency mining. While instances of the malware have been found in other countries, the attacks seem to be focused mainly on Brazil. As many as 200,000 routers in Brazil have been detected running the malicious cryptojacking script.

Tweet by MalwareHunterBR showing the proliferation of the malicious CoinHive script

Cryptojacking is the act of illegally installing cryptomining software onto someone’s computer or server without their consent. Mining cryptocurrency requires a significant amount of processing power and electrical consumption. Installing cryptojacking malware on a third party’s system results in their processing resources being used for mining cryptocurrency instead of one’s own. This can result in slower computer performance, potential damage to hardware, and higher electricity cost.

The vector used by the attacker was a previously patched vulnerability on MikroTik routers; routers that had not been updated with the patch were targeted. The vulnerability in question allows remote extraction of the router’s database containing its login credentials. Once the attacker gains access to a MikroTik router, a script containing the cryptomining software known as CoinHive is installed. The broad scope of the campaign is due to many businesses and Internet Service Providers (ISPs) using MikroTik routers as part of their infrastructure.

CoinHive script on custom error page. Source: Trustwave

The cryptojacking attack affects both users and web servers connected to the network. If a user is connected to a system that uses an infected router, every web page they access will load the CoinHive script. The script also loads a custom error page containing the CoinHive application to web servers. This means the campaign does not only affect users connected through an infected router, but anyone that visits a website hosted in a compromised network.
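Because the script is injected into pages in transit and into the custom error page, a defender can check HTML fetched through a suspect network for CoinHive markers. The following is an added example, not code from the original article or from Trustwave; the marker list (the coinhive.com script host and the CoinHive.Anonymous/User/Token constructors) and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed markers: CoinHive's script host and its JavaScript API constructors.
MINER_HOSTS = ("coinhive.com",)
MINER_API = re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(")

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            # A script without src contributes "", which never matches a host.
            self.srcs.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_miner(html):
    """Return a list of findings; empty means no CoinHive marker was seen."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        host = (urlparse(src).hostname or "").lower()
        # Match the host itself or any subdomain, not look-alike names.
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("script-src", src))
    for body in p.inline:
        m = MINER_API.search(body)
        if m:
            findings.append(("inline-api", m.group(0)))
    return findings

# Constructed samples: an untouched page and an error page with the miner injected.
CLEAN = "<html><body><script src='/static/app.js'></script></body></html>"
INJECTED = ("<html><body><h1>Error</h1>"
            "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
            "<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER').start();</script>"
            "</body></html>")
```

Comparing the result for the same URL fetched through the suspect network and through a trusted path helps separate injection by a router from a miner the site itself embeds.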

These days cryptojacking has been growing in popularity as a tool for illegal profit. It is more subtle than other malware and doesn’t show any explicit signs except for a decrease in a system’s speed and performance. It is not only used by hackers who inject malicious code into a system; websites also implement cryptomining software as an alternative to advertisement for generating revenue. The problem is that a vast number of these websites do not disclose it to their users. We can expect to see more of these types of campaigns in the future.
