RESURRECTION OF THE EVIL MINER
released on 2016-07-09 @ 06:00:11 PM
At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector: an iFRAME (inline frame, an HTML document embedded inside another HTML document that lets a web page pull content from a separate source and display it within the main page) embedded in a PE binary (Portable Executable binary, or .exe).
We observed an anomaly when approximately 60 domains (all [.]top TLDs registered on April 7, 2016) started serving coin mining malware – to mine BitMonero, a form of digital currency – on their main page under the mime-type of html/text. All of these domains were registered by the same entity and resolved to the same IP address.