Why legitimate websites move to the Dark Side with cryptomining
April 2018 by Check Point
Check Point researchers have recently examined a site that, although once legitimate, has since moved closer to the Dark Side. Back in 2011, OSDSoft was a site offering free video download software to thousands of users around the world. Registered under the name of Ivan Koslov, it also had Facebook, Twitter and YouTube accounts marketing the website’s one and only product.
In 2014, however, OSDSoft started to appear in a more suspicious context, as several adware variants and Potentially Unwanted Programs (PUPs) downloaded from it were spotted in the wild. This adware and these PUPs acted stealthily in order to evade regular anti-virus protection, and performed environment checks to make sure they were not running on a virtual machine before executing.
Towards the end of 2017, as the popularity of cryptocurrency miners grew, OSDSoft shifted some of its efforts toward mining the Monero cryptocurrency. Monero miners are popular with criminals for two reasons: the currency offers stronger transaction anonymity than Bitcoin, and its proof-of-work can be mined profitably on the CPUs of regular PCs, so a botnet of ordinary infected machines pays off.
After some analysis, the Check Point Research team estimates that around 6000 machines have so far been infected and are earning the perpetrator behind OSDSoft approximately $700 per day from this mining operation alone.
The miners are currently distributed by websites disguised as a legitimate Adobe Flash Player update service, telling the victim that their Flash version is outdated. Clicking anywhere on the page results in the malicious executable being downloaded. OSDSoft’s author does not want to waste any time in this campaign either: while the victim waits for the Monero miner to download, the malicious websites additionally load the CoinHive cryptomining script to mine through the browser and maximize the author’s profits.
Furthermore, legitimate hosting and file storage services such as AWS (Amazon Web Services), Dropbox and GitHub are being used to store and distribute the malicious cryptomining samples, so the downloads come from reputable domains that are rarely blocked outright. Victims are directed to the misleading Flash Player domains via malvertising and referrals from shady websites.
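The delivery chain described above (a fake Flash update page that loads CoinHive and then hands out an executable hosted on a legitimate storage service) leaves a recognisable trace in web-proxy logs. The following script is an added example written for this article, not Check Point's tooling or any indicator list from the report: it scans constructed proxy log lines for executable downloads from file-storage hosts whose HTTP referrer is a Flash/Adobe-themed page not served from adobe.com, and for requests to the CoinHive loader. The hostnames, log format and sample lines are all made up for illustration.

```python
"""Proxy-log indicator check for the fake-Flash-update miner delivery chain.

Added example, not Check Point's code. Log format, hostnames and sample
lines are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Storage/hosting services named in the report. These domain suffixes are an
# assumption about how such services appear in proxy logs, not report IOCs.
STORAGE_HOSTS = ("amazonaws.com", "dropbox.com", "dropboxusercontent.com",
                 "github.com", "githubusercontent.com")
EXE_RE = re.compile(r"\.(exe|msi|scr)(\?|$)", re.IGNORECASE)
EXE_TYPES = ("application/x-msdownload", "application/x-dosexec")
# Lure pages pose as Adobe/Flash but are not served from adobe.com.
LURE_RE = re.compile(r"flash|adobe", re.IGNORECASE)
# CoinHive's browser-mining library was loaded from coinhive.com.
COINHIVE_RE = re.compile(r"coinhive\.com|coinhive\.min\.js", re.IGNORECASE)

# Constructed sample log: "<client> <method> <url> <referrer> <content-type>"
SAMPLE_LOG = """\
10.0.0.12 GET http://flashplayer-update-now.example/index.html - text/html
10.0.0.12 GET https://coinhive.com/lib/coinhive.min.js http://flashplayer-update-now.example/index.html application/javascript
10.0.0.12 GET https://dl.dropboxusercontent.com/s/abc123/FlashPlayer.exe http://flashplayer-update-now.example/index.html application/x-msdownload
10.0.0.33 GET https://get.adobe.com/flashplayer/ - text/html
10.0.0.33 GET https://github.com/example/tool/releases/download/v1/tool.exe https://github.com/example/tool application/octet-stream
"""


def host_of(url):
    """Lowercased hostname of a URL, or '' if it has none (e.g. '-')."""
    return (urlparse(url).hostname or "").lower()


def is_storage_host(host):
    return any(host == d or host.endswith("." + d) for d in STORAGE_HOSTS)


def is_fake_flash_lure(referrer):
    """True if the referrer looks like a Flash/Adobe page not on adobe.com."""
    host = host_of(referrer)
    if not host:
        return False
    if host == "adobe.com" or host.endswith(".adobe.com"):
        return False
    return bool(LURE_RE.search(referrer))


def classify(line):
    """Return the indicator tags triggered by one proxy log line."""
    parts = line.split()
    if len(parts) != 5:
        return []
    _client, _method, url, referrer, ctype = parts
    tags = []
    if COINHIVE_RE.search(url):
        tags.append("browser-miner-loader")
    looks_exe = bool(EXE_RE.search(url)) or ctype in EXE_TYPES
    # An executable fetched from a storage service is normal on its own; the
    # suspicious part is the fake Flash update page that referred the client.
    if looks_exe and is_storage_host(host_of(url)) and is_fake_flash_lure(referrer):
        tags.append("fake-flash-dropper")
    return tags


def scan(log_text):
    """Map each client IP to the sorted list of indicator tags seen for it."""
    hits = {}
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.setdefault(line.split()[0], set()).update(tags)
    return {client: sorted(tags) for client, tags in hits.items()}


if __name__ == "__main__":
    for client, tags in scan(SAMPLE_LOG).items():
        print(client, ", ".join(tags))
```

Only client 10.0.0.12 is flagged: it loads the CoinHive script and then pulls an executable from Dropbox with a Flash-lure referrer. The github.com executable fetched by 10.0.0.33 is left alone because its referrer is an ordinary project page, which is the point of requiring the lure referrer rather than alerting on every binary served from a storage service.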
OSDSoft, a website that started with seemingly innocent intentions, serves as a case study in the need to be on constant alert. Although its author initially promoted video download software, the lure of high-value cryptocurrencies drew him over to the dark side as the site became a cryptomining distribution platform.