Right?! I use those all the time, it sure would be handy to know which one is a verified bad actor. Some common sense does come into play here; have you ever come across a legitimate tab in Chrome...
Right?! I use those all the time, it sure would be handy to know which one is a verified bad actor.
Some common sense does come into play here; have you ever come across a legitimate tab in Chrome when viewing a site that tells you you need to update it by clicking the provided link? That's red flags all day, although I can definitely see how many people will fall for it (I'm also possibly misunderstanding the sequence of events, but that's what I took from the article at least).
I'm also a bit confused by how they intended to get the downloaded package running. The article states that the file was found in the download folder, but none of them had been run (with the implication that it needed to happen manually). Do they (the authors of the code) just expect people to be cruising through their download folders, see a file they were unfamiliar with, and double-click on it for s's and g's? I guess it could happen, and with something like this you do need to cast a very wide net after all...
From Group-IB's blog, it looks like the file just chills until the machine has been idle for 80 min. https://www.group-ib.com/blog/mxdr-cryptominer/ Also, this was found a while back, it seems,...
From Group-IB's blog, it looks like the file just chills until the machine has been idle for 80 min.
Also, this was found a while back, it seems, and there's just nothing by way of info or reporting except for the blog and OP's link. I'm still looking for the name of the site, but no luck yet.
Couldn't find a definitive answer, but my best guess is thesaurus.com; there are a couple screenshots on the Group-IB blog (linked in another comment) with the site blurred out, but the text above...
Couldn't find a definitive answer, but my best guess is thesaurus.com; there are a couple screenshots on the Group-IB blog (linked in another comment) with the site blurred out, but the text above and below it makes me think it's ~13 characters long, including the .com.
I'm leaning towards it being maybe synonyms or synonym. One of the screenshots doesn't have the blur fully cover the first letter. It leaves only one, maybe two pixels exposed, but it's enough to...
I'm leaning towards it being maybe synonyms or synonym. One of the screenshots doesn't have the blur fully cover the first letter. It leaves only one, maybe two pixels exposed, but it's enough to see the first letter has pixels near the middle and closer to the bottom. When I zoom in, it looks like an s.
This is assuming that screenshot features the thesaurus site's name and not wherever the malware originates. I might be totally misinterpreting that particular screenshot.
I saw that, and wasn't sure if it was just an artifact of the blurring or not. In another spot it looked like a .org address, so that threw me off too.
I saw that, and wasn't sure if it was just an artifact of the blurring or not. In another spot it looked like a .org address, so that threw me off too.
The blurring seems to be a solid block-shape covering the word, so I don't think it's an artifact. The end of the same line has the top tip of a slash (/) visible, too, though it's cut out of the...
The blurring seems to be a solid block-shape covering the word, so I don't think it's an artifact. The end of the same line has the top tip of a slash (/) visible, too, though it's cut out of the screenshot I took. Again, not sure if that text is the thesaurus website, or whatever is hosting the malware itself though. The string feels almost too short to be any of the sites I can find.
The fact you noticed one that might be .org adds to the confusion. Not sure how many thesaurus sites have a .org address, but the only one I can find large enough too end up on top 10 lists of online thesauruses is called Power Thesaurus. The url has the name as one word, and it seems too long to fit in the blurred space in screenshots.
Why would they censor the name of the site?
Right?! I use those all the time, it sure would be handy to know which one is a verified bad actor.
Some common sense does come into play here; have you ever come across a legitimate tab in Chrome when viewing a site that tells you you need to update it by clicking the provided link? That's red flags all day, although I can definitely see how many people will fall for it (I'm also possibly misunderstanding the sequence of events, but that's what I took from the article at least).
I'm also a bit confused by how they intended to get the downloaded package running. The article states that the file was found in the download folder, but none of them had been run (with the implication that it needed to happen manually). Do they (the authors of the code) just expect people to be cruising through their download folders, see a file they were unfamiliar with, and double-click on it for s's and g's? I guess it could happen, and with something like this you do need to cast a very wide net after all...
From Group-IB's blog, it looks like the file just chills until the machine has been idle for 80 min.
https://www.group-ib.com/blog/mxdr-cryptominer/
Also, this was found a while back, it seems, and there's just nothing by way of info or reporting except for the blog and OP's link. I'm still looking for the name of the site, but no luck yet.
Couldn't find a definitive answer, but my best guess is thesaurus.com; there are a couple screenshots on the Group-IB blog (linked in another comment) with the site blurred out, but the text above and below it makes me think it's ~13 characters long, including the .com.
I'm leaning towards it being maybe synonyms or synonym. One of the screenshots doesn't have the blur fully cover the first letter. It leaves only one, maybe two pixels exposed, but it's enough to see the first letter has pixels near the middle and closer to the bottom. When I zoom in, it looks like an s.
This is assuming that screenshot features the thesaurus site's name and not wherever the malware originates. I might be totally misinterpreting that particular screenshot.
I saw that, and wasn't sure if it was just an artifact of the blurring or not. In another spot it looked like a .org address, so that threw me off too.
The blurring seems to be a solid block-shape covering the word, so I don't think it's an artifact. The end of the same line has the top tip of a slash (/) visible, too, though it's cut out of the screenshot I took. Again, not sure if that text is the thesaurus website, or whatever is hosting the malware itself though. The string feels almost too short to be any of the sites I can find.
The fact you noticed one that might be .org adds to the confusion. Not sure how many thesaurus sites have a .org address, but the only one I can find large enough too end up on top 10 lists of online thesauruses is called Power Thesaurus. The url has the name as one word, and it seems too long to fit in the blurred space in screenshots.
That would be terrible because it is probably the most popular thesaurus. I use it all the time