Researchers Reveal New Cryptojacking Technique Using GitHub RawGit CDN
Cryptojackers found a new deceitful way to mine cryptocurrencies via RawGit, a web app that acts as caching proxy for GitHub files. It’s the latest in a string of recent innovative and surreptitious cryptojacking incidents.
Subscribe to the Bitsonline YouTube channel for great videos featuring industry insiders & experts
Deceitful Cryptojacking Linked to Deleted GitHub Account
According to researchers with Sucuri, a website security service provider, cryptojackers have turned to a new cunning technique wherein they make use of RawGit — a content delivery network (CDN) for Github files. RawGit is not an official Github service, thought it’s popularly used to serve files from GitHub repositories to an externally-hosted CDN.
Now, Sucuri researchers have pointed that a cybercriminal using the GitHub moniker @jdobt uploaded a browser-based cryptocurrency mining script to GitHub and then cached the raw file using RawGit before deleting the original GitHub account in an attempt to disappear without a trace.
The Sucuri team’s resulting blog read:
“The URLs of the malicious files on the RawGit CDN suggest that they belong to the jdobt user on GitHub. That user doesn’t seem to exist on GitHub, however. It’s quite possible that the account was deleted after the files had been cached by the RawGit CDN, which permanently saves files so that it doesn’t rely on actual GitHub content.”
The researchers speculated that the reason “jdobt” used RawGit was that it came off as a less shifty source, hence allowing the attacker to bypass traditional anti-malware software defenses.
Scheme Ends in Vain, But Shows Increasing Ingenuity
The miner used Crypto-Loot, the mining software that even the file-sharing website Piratebay has used as of late for Monero mining after the peer-to-peer “pirates” shifted away from Coinhive last year.
However, Sucuri’s researchers emphasized that the malicious actor may not have pocketed any revenue as their script apparently flunked proper execution. RawGit’s response team has since promptly weeded out URL implanted with jdobt’s mining script.
“Since the RawGit URLs referencing these malicious files were able to survive after being removed from GitHub, some may consider these better than direct links to GitHub,” the Sucuri team noted. “Unfortunately for the bad actors, this wasn’t actually the case. RawGit’s response to abuse reports [was] very fast. The above-mentioned URLs had been purged within a few hours after my report and now return ‘403 Forbidden.'”
The incident marks just the latest in a series of recent cryptojacking sprees. Earlier this week, a Steam game was accused of hijacking computers to mine for crypto. Apple’s Macs were also found as being targeted back in May 2018.
As such, interest in malicious crypto mining has surged over the past couple of months. For now, “search and destroy” seems to be the main recourse for defense, though some browsers are now coming out with anti-cryptojacking functionalities.
Does the upswing in cryptojacking activity affect the reputation of cryptocurrencies in general? Share your views in the comments section.
Images via Pixabay