Yahoo ad malware spawned European Bitcoin mining network

Cash-hungry cybercriminals may have established a European network of Bitcoin miners through Yahoo's ad network.
Written by Liam Tung, Contributing Writer

Yahoo may have squashed an attack on European users originating from its ad network, but not before cybercriminals were able to spread bitcoin mining malware to potentially millions affected by the attack.

A malware attack aimed at Yahoo's European users last week was also an attempt to build a network of Bitcoin miners, according to security company Light Cyber.

On 3 January, visitors to Yahoo.com began to be served up malicious ads from its ad network, redirecting victims to a site hosting the Magnitude exploit kit. The kit contains a number of exploits for outdated Java systems.

Like many exploit kits, it's been built to serve up a cocktail of threats, including banking trojans, downloaders and adware.

Fox-IT, which first highlighted the attack, noted that the vast majority of infections, which were occurring at a rate of 27,000 per hour, happened in Europe, primarily affecting Windows machines in the UK, France and Romania.

Yahoo initially issued a statement on 3 January confirming that it had served malicious ads on its European sites that didn't meet its editorial guidelines. However, last Sunday it issued a new statement, adjusting the start date of the attack to 31 December.

Yahoo reiterated that users in North America, Asia Pacific and Latin America weren't affected, nor were users of Apple Macs or mobile devices.

However, according to Light Cyber, the Yahoo ad malware campaign actually began on 29 December, and included Bitcoin miners amongst the mix of threats being distributed through the attack. Bitcoin-mining malware typically aims to free-ride off a victim's computing resources to generate Bitcoins for cybercriminals' use.

"The attackers put special efforts to mine the bitcoin efficiently and used an optimized 64-bit Bitcoin mining software when the infected PC supported that," Light Cyber founder Giora Engel told ZDNet.

In a private advisory to its clients, the company outlines a number of indicators of infection.

According to the advisory, communication with the following domains is a sign of definite infection:

  • skmymmeiaoooigke.org
  • bgdjstkwkbhagnp.org
  • ceigqweqwaywiqgu.org
  • smsfuzz.com 

The presence of the following system files is also a sign of positive infection:

  • %windows%\Installer\{4A74FBA7-71A0-BEA1-F538-72E3D519AA4F}\syshost.exe
  • %localappdata%\cygwin1.dll (See note 1)
  • %localappdata%\wuauclt.exe (See note 1)
  • %localappdata%\temp\????????.lnk (8 hex characters)
  • %localappdata%\temp\????????.exe (8 hex characters)
  • %localappdata%\temp\vedefuzunwi.exe
  • %programdata%\bbtmp0\jtkyygiu.exe
  • c:\temp\zcompute.exe

(1) The filename is used by legitimate software, but not in the listed path.
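As an added defender-side example (not from the article or from Light Cyber's advisory), the following Python turns the indicators above into checks against file paths and DNS-query log lines; the default folder locations substituted for the %var% placeholders and the log line format are assumptions.

```python
import re
# Indicators from Light Cyber's advisory as quoted in the article above.
IOC_DOMAINS = {"skmymmeiaoooigke.org", "bgdjstkwkbhagnp.org",
               "ceigqweqwaywiqgu.org", "smsfuzz.com"}
IOC_PATHS = [
    r"%windows%\Installer\{4A74FBA7-71A0-BEA1-F538-72E3D519AA4F}\syshost.exe",
    r"%localappdata%\cygwin1.dll",
    r"%localappdata%\wuauclt.exe",
    r"%localappdata%\temp\????????.lnk",
    r"%localappdata%\temp\????????.exe",
    r"%localappdata%\temp\vedefuzunwi.exe",
    r"%programdata%\bbtmp0\jtkyygiu.exe",
    r"c:\temp\zcompute.exe",
]
# Assumed default locations of the %var% placeholders, as regex fragments.
# Pinning them keeps cygwin1.dll / wuauclt.exe in legitimate folders from
# matching, which is the point of note (1) in the advisory.
ENV_DIRS = {"%windows%": r"[a-z]:\\windows",
            "%localappdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\local",
            "%programdata%": r"[a-z]:\\programdata"}

def path_pattern(ioc: str) -> re.Pattern:
    """Compile one advisory path into an anchored, case-insensitive regex;
    '????????' becomes exactly eight hex digits as the advisory specifies."""
    parts = []
    for token in re.split(r"(%\w+%|\?{8})", ioc):
        if token in ENV_DIRS:
            parts.append(ENV_DIRS[token])
        elif token == "????????":
            parts.append(r"[0-9a-f]{8}")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

PATH_PATTERNS = [(ioc, path_pattern(ioc)) for ioc in IOC_PATHS]

def match_path(path: str):
    """Return the advisory indicator a file path matches, or None."""
    return next((ioc for ioc, pat in PATH_PATTERNS if pat.match(path)), None)

def scan_dns_log(lines):
    """Return (client, qname) pairs that resolve an indicator domain or a
    subdomain of one. Assumed log format: '<date> <time> <client> <qname>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = fields[3].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((fields[2], qname))
    return hits
```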

Expect to hear more about Magnitude in coming months. According to security researcher Kafeine, who monitors prominent exploit kits, Magnitude is shaping up to be a replacement for Blackhole, which had been the reigning exploit kit until its author was arrested late last year.

Yahoo did not respond to a request for comment.