SecBI Autonomous Investigation technology, recently detected a fileless malicious activity affecting one of its customers in the form of a new cyber-attack that represents the next step in the evolution of ransomware: Bitcoin mining through the web browser.
This attack was draining considerable resources from the organization’s IT resources for data mining purposes, causing computer slowdowns and multiple IT complaints about unknown behavior. It was not detected by existing solutions because all activity was contained within the browser.
SecBI detected this activity via the abnormal repetitive (beaconing) behavior from “infected” users with a unique pattern that is indicative of bitcoin mining, as well as multiple requests to YouTube channels that the company had never observed nor interacted with.
All detection was done on top layer 7 web proxy logs, using SecBI’s unique machine learning algorithms – a new approach for appliance-less network traffic analysis.
Campaign in detail
The attacks began with a phishing email that directed recipients to a seemingly innocent website offering a free AWS gift card in exchange for staying on the site until a countdown is over:
Meanwhile, the malware author earns extra money by running sponsored YouTube videos in the background. These videos promote dummy sites that offer users free money for online gaming.
Bitcoin mining also happens in the background.
By looking at the IP we noticed more sites like the one described, all following the same method: