Updated on September 9, 2020 at 12:22 am
I was reading this article on Ars about ad networks using malware techniques to mine cryptocurrency and realized, holy crap I had noticed something similar in my OpenDNS Umbrella logs.
To take a quick step back, OpenDNS Umbrella is a DNS monitoring service for among other things blocking DNS calls out to malicious domains.
To summarize the article, it speaks to how a growing number of websites are turning to cryptocurrency mining via your web browser to compensate for the wide spread use of ad-blockers.
In this particular scenario the article discusses the use of domain-name algorithms for creating a nearly limitless number of domain names. This is a technique first introduced by botnets. And now websites are using it to attempt to bypass ad-blockers.
For example, something like:
Back to what I was noticing in my own logs.
These particular domains were getting blocked by OpenDNS:
One of the things you can do if you don’t want to fire up your own web proxy server like Burpsuite in order to inspect all the traffic is to use a site like urlscan.io to do the work for you. That way you don’t have to fire up a proxy server or browse to a potentially malicious site yourself.
Once you put kvcctz.wltoyqyynkbcc.com into urlscan.io, you’ll notice that various sites seemed to be associated with this domain. In particular, www.dailystar.co.uk appears to be associated in some manner.
Now if you do an nslookup of kvcctz.wltoyqyynkbcc.com you’ll get back this information:
kvcctz.wltoyqyynkbcc.com canonical name = d1xv26op0mrpvc.cloudfront.net.
While the domains aren’t exactly the same as the information returned as part of the dns lookup for kvcctz.wltoyqyynkbcc.com, the information returned by urlscan.io is strikingly similar.
While it could be a complete coincidence in regards to these seemingly randomly generated domain names, it could also be a rather disturbing trend by websites to use botnet techniques in an attempt to fight ad-blockers or to mine cryptocurrency with or without the users knowledge.
The funny thing that the article noted was that after all the obfuscation attempts, a call to coinhive was eventually made.
Coinhive has been a endpoint for much of the cryptocurrency mining attempts at various websites so if you haven’t, it would be a good idea to simply block it.