2017-11-27 - "TUNGSTEN ROUNDED" POPUP ON CHROME & FIREFOX PUSHES MONERO CPU MINER

ASSOCIATED FILES:

  • 2017-11-27-fake-font-update-for-chrome.pcap   (5,499,537 bytes)
  • 2017-11-27-fake-font-update-for-firefox.pcap   (2,795,626 bytes)
  • 2017-11-27-page-from-livingwithmyhome.com-with-injected-script-for-chrome.txt   (19,797 bytes)
  • 2017-11-27-scheduled-task-to-keep-monero-CPU-miner-persistent.txt   (3,790 bytes)
  • 2017-11-27-script-from-laccrochecoeur.shop-for-fake-font-update-for-Chrome.txt   (110,766 bytes)
  • ttf.js   (9,464 bytes)
  • ttf.zip   (5,154 bytes)
  • winhost.exe   (2,468,864 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following partial URLs and domains:

IMAGES


Shown above:  Fake font update notification on page from compromised site when using Google Chrome.

Shown above:  When using Chrome, this notification sends a JavaScript (.js) file within a zip archive.

Shown above:  Fake font update notification on page from compromised site when using Firefox.

Shown above:  When using Firefox, this notification sends the JavaScript (.js) file directly.

Shown above:  Injected script in page from compromised website that generates the fake font update.

Shown above:  The contents of the .js file.

Shown above:  After executing the .js file, this popup happens, so things look legitimate.

Shown above:  Monero CPU miner made persistent after the infection through a scheduled task.

Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  HTTPS URLs that show up in the Fiddler capture.

Shown above:  Monero CPU miner activity in the post-infection traffic over TCP port 5000.

TRAFFIC

ASSOCIATED DOMAINS:

MALWARE

DOWNLOADED ZIP ARCHIVE (USING CHROME):

DOWNLOADED .JS FILE (USING FIREFOX) OR .JS FILE EXTRACTED FROM ZIP ARCHIVE (USING CHROME):

MONERO (XMR) CPU MINER:

FINAL NOTES

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
