Sucuri Detects New GitHub ‘RawGit’ CDN Cryptojacking Mining Malware Web App
New Cryptojacking Technique is Threatening Users in the Crypto Space
Cryptojackers have found a new way to mine virtual currencies using other people's computing power. The new technique relies on RawGit, a web service that works as a caching proxy for GitHub. Even amid a bear market in the crypto world, cryptojackers are ready to keep stealing computing power to mine cryptocurrencies.
New Cryptojacking Attacks
As the website security service provider Sucuri explains, cryptojackers have found a new way to mine virtual currencies using the computing power of their victims. To do so, they use a content delivery network (CDN) for GitHub files known as RawGit. It is important to mention that RawGit is not an official GitHub service, but it is widely used in the cryptocurrency community.
Researchers at Sucuri explained that a cybercriminal using the GitHub username @jdobt uploaded a browser-based cryptocurrency mining script to GitHub and then cached the raw file through RawGit. Of course, the user then deleted the account in an attempt to disappear without leaving a trace.
Regarding this situation, the Sucuri team wrote:
“The URLs of the malicious files on the RawGit CDN suggest that they belong to the jdobt user on GitHub. That user doesn’t seem to exist on GitHub, however. It’s quite possible that the account was deleted after the files had been created by the RawGit CDN, which permanently saves files so that it doesn’t rely on actual GitHub content.”
In general, RawGit is considered a less suspicious source, which allows attackers to bypass traditional anti-malware defenses.
The crypto miner has been using Crypto-Loot as its mining software. Indeed, some websites have been shifting away from Coinhive to this alternative known as Crypto-Loot. Sucuri's researchers explained that the attack may not have been effective because the script failed to execute properly.
“Since the RawGit URLs referencing these malicious files were able to survive after being removed from GitHub, some may consider these better than direct links to GitHub.”
“Unfortunately for the bad actors, this wasn’t actually the case. RawGit’s response to abuse reports [was] very fast. The above-mentioned URLs had been purged within a few hours after my report and now return ‘403 Forbidden.’”
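As an added defensive example (not Sucuri's code and not part of the original article), the following scanner flags `<script>` tags on a page that load from the RawGit CDN or reference the miner services named above; the RawGit host names are assumptions, and the sample page is constructed.

```python
"""Flag <script> tags that load code from the RawGit CDN or from known browser-miner
services (Crypto-Loot, Coinhive). Added defensive example, not Sucuri's code; the
host names are assumptions and the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

RAWGIT_HOSTS = {"rawgit.com", "cdn.rawgit.com"}  # assumed RawGit CDN host names
MINER_KEYWORDS = ("crypto-loot", "cryptoloot", "coinhive")  # miners named in the article


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def classify_script(src):
    """Return the reasons a script URL looks like cryptojacking (empty if none)."""
    reasons = []
    if (urlparse(src).hostname or "") in RAWGIT_HOSTS:
        reasons.append("loaded via RawGit CDN")  # unofficial GitHub proxy; survives repo deletion
    if any(k in src.lower() for k in MINER_KEYWORDS):
        reasons.append("references a known browser-miner service")
    return reasons


def scan_page(html):
    """Map each suspicious script src in the page to its list of reasons."""
    collector = ScriptCollector()
    collector.feed(html)
    return {src: r for src in collector.sources if (r := classify_script(src))}


# Constructed sample: a benign script, a RawGit-cached file, and a miner loader.
SAMPLE_HTML = """<html><head>
<script src="https://example.com/static/app.js"></script>
<script src="https://cdn.rawgit.com/jdobt/EXAMPLE-REPO/master/miner.js"></script>
<script src="//crypto-loot.com/lib/miner.min.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, why in scan_page(SAMPLE_HTML).items():
        print(src, "->", "; ".join(why))
```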
This is not the first time we have covered cryptojacking attacks and the different techniques used by hackers. As cryptocurrencies expand, there will be more such attacks, and the space must be prepared with the required knowledge about them.
If you want to avoid some of these issues, you can use browsers that include anti-cryptojacking features.