Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code.
Encrypted CoinHive Miner in Header.php
The following encrypted malware was found in the header.php file of the active WordPress theme:
There are four lines of code in total. Each, when decoded, plays a different role.
When decoded, the last two lines inject typical CoinHive cryptocurrency miners:
The miner is only shown conditionally, so bots are excluded and only human visitors will receive it.