This is a drive-by cryptomining threat in which malicious links are sent to victims in phishing emails or suspicious SMS messages.
Opening the link on the device shows a warning message:
Regardless of what is entered in the captcha, mining activity starts in the background.
The image below shows CPU utilization rising to 100% once the malicious link is visited:
Below are a few code snippets from the script that runs once the page loads:
The following websites show this behavior:
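As an added example (not the script from the campaign or SonicWall's detection logic), the following Python scanner pulls the scripts out of a captured page and flags the Coinhive-style markers a defender would look for; coinhive.min.js and the CoinHive.Anonymous/CoinHive.User constructors are the miner library's real names, while the sample page, its host and its site key are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# coinhive.min.js and CoinHive.Anonymous/User are the library's real names; the
# cryptonight/.wasm marker is a generic hint for the WebAssembly hashing core and
# is reported as context only, since .wasm alone is legitimate on many sites.
MINER_MARKERS = {
    "coinhive_library": re.compile(r"coinhive\.min\.js", re.I),
    "miner_constructor": re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I),
    "cryptonight_wasm": re.compile(r"cryptonight|\.wasm\b", re.I),
}
STRONG_MARKERS = {"coinhive_library", "miner_constructor"}

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # src attributes and inline bodies, in page order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.extend(v for k, v in attrs if k == "src" and v)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)

def scan_page(html):
    """Return (flagged, markers); a page is flagged only on a strong marker."""
    collector = ScriptCollector()
    collector.feed(html)
    text = "\n".join(collector.scripts)
    found = {name for name, pat in MINER_MARKERS.items() if pat.search(text)}
    return bool(found & STRONG_MARKERS), found

# Constructed sample modelled on the captcha page in the post: the miner starts at
# load, before anything is submitted. Host and site key are placeholders.
SAMPLE_PAGE = """<html><body><p>Prove you are human</p><input id="captcha">
<script src="https://cdn.example.invalid/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.1});
miner.start();</script></body></html>"""
CLEAN_PAGE = '<html><body><script src="/static/app.js"></script></body></html>'
```

Run against a saved copy of a suspicious page; a False result only means these specific markers are absent, so CPU sampling as shown in the post remains the behavioural check.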
- rcylpd.com
- recycloped.com
- rcyclmnrhgntry.com
- rcyclmnrprd.com
- rcyclmnrepv.com
SonicWall Capture Labs provides protection against this threat with the following signatures:
- GAV: AndroidOS.Coinhive.MNR (Trojan)