How a Web‑Ad Trojan Exploits IE to Deploy Crypto Mining
Tencent's security lab uncovered a large‑scale trojan spread via pornographic web ads that exploits the CVE‑2016‑0189 IE vulnerability, installs a backdoor, and runs a Zcash mining program, while also distributing Linux malware and controlling numerous C&C servers across Chinese provinces.
1 Introduction
Recently, Tencent Security Anti‑Virus Lab discovered a trojan that spreads via malicious web ads. The ads contain pornographic links that lure users into clicking; the landing page embeds a JavaScript payload that exploits an Internet Explorer vulnerability (CVE‑2016‑0189) on unpatched browsers.
The trojan installs a backdoor, steals private data, and runs a cryptocurrency mining program for profit. The lab also found Linux trojans and many controlled server addresses on the author’s server, indicating potential for larger attacks.
2 Technical Analysis
2.1 Hijacking
The pornographic ad page embeds an obfuscated JavaScript script. After decryption it exploits CVE‑2016‑0189, a script‑engine vulnerability in IE9/10/11, which is widely used by attackers because it is stable and does not crash the browser.
2.2 Backdoor Trojan
The server hosts several executables (Server.exe, build.exe, dashu.exe) that are variants of the same backdoor. When executed, the trojan checks for an existing service, renames itself to a random filename, copies itself to C:\windows\system32, and starts as a service.
The backdoor can download and execute malicious files, launch IE to a malicious URL, and perform about 31 other commands received from the C&C server after decryption.
2.3 Mining Tool
The file system.exe on the server is a mining executable. It creates files under C:\sys, launches nheqminer1.exe with pool and wallet parameters, and modifies the registry to auto‑start on boot, turning infected machines into miners for Zcash.
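As an added illustration (not code from the Tencent report), a defender‑side check over constructed telemetry records that flags the two behaviours this section describes: the miner binary launched from C:\sys with pool and wallet arguments, and a Run‑key autostart entry pointing into C:\sys. The record shape, the pool hostname and the wallet string are constructed placeholders.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style records); not data from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\sys\nheqminer1.exe",
     "cmdline": r"C:\sys\nheqminer1.exe -l zec-pool.example.invalid:3333 -u t1ExampleWalletAddressPLACEHOLDER00 -t 4"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "sys", "data": r"C:\sys\system.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)      # autostart location (assumed key)
SYS_DIR = re.compile(r"^C:\\sys\\", re.I)                    # staging directory named in the report
MINER_IMAGE = re.compile(r"\\nheqminer\w*\.exe$", re.I)      # miner binary named in the report
STRATUM = re.compile(r"\b[\w.-]+:\d{2,5}\b")                 # pool given as host:port
ZEC_ADDR = re.compile(r"\bt[13][A-Za-z0-9]{33}\b")           # Zcash transparent address (t1.../t3...)

def check_process(ev):
    """Rules for a process-creation record; returns the names of the rules that fired."""
    hits = []
    if MINER_IMAGE.search(ev["image"]):
        hits.append("miner_image")
    if SYS_DIR.match(ev["image"]):
        hits.append("image_in_c_sys")
    if STRATUM.search(ev["cmdline"]) and ZEC_ADDR.search(ev["cmdline"]):
        hits.append("pool_and_wallet_args")
    return hits

def check_registry(ev):
    """Rules for a registry-set record: a Run-key value whose data lives under C:\sys."""
    hits = []
    if RUN_KEY.search(ev["key"]) and SYS_DIR.match(ev["data"]):
        hits.append("run_key_points_to_c_sys")
    return hits

def detect(events):
    """Return (index, [rule names]) for every event that trips at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if hits:
            findings.append((i, hits))
    return findings

if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```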
2.4 Targeted Victims
The ips.rar archive contains IP addresses of servers running phpMyAdmin, mostly belonging to a cloud provider. Attackers likely aim to compromise these servers and deploy further malicious payloads.
3 Traceability
3.1 Impact Scope
Graphs show a sharp increase in detections and sample breadth after mid‑July, with Guangdong, Shandong, Jiangsu, and Henan provinces being the most affected regions.
3.2 Mining Addresses
Analysis of the mining process reveals pool and wallet addresses; about 500 machines have mined to this wallet within two days.
3.3 C&C Servers
Additional C&C server addresses were identified, and relationships between hijack servers, C&C servers, and samples were mapped.
4 Summary
The hijack‑and‑mine campaign surged after mid‑July, with increasing interception counts and sample breadth. The trojan continues to be active, frequently updating its mining payload.