Malicious cryptocurrency miner embedded in Journal website downloaded to PC by Zotero Extension
I was backing up my library when Windows Defender detected and prevented a trojan named Brocoiner, which was contained inside a script within a downloaded HTML webpage file, from being copied from the Zotero storage directory to the backup location.
Unfortunately it didn't detect the HTML containing the virus script when I initially downloaded it. It appears that, before I navigated to the page with the PDF download link, I clicked the connector and it instead downloaded the webpage (.html file containing the virus script).
It doesn't run autonomously as pointed out in adasmith's post below (whew!) but in any case, please take care when downloading via the browser connector just like one would through any other mechanism, even from legitimate journal websites.
[Edit: thanks for merging the double post, it double posted when I tried to edit a clarification into the OP]
JavaScript Bitcoin miners only run when the page is open, so the issue is fairly minor from a Zotero user's perspective (though quite embarrassing for the journal, of course, and you should let them know).
Zotero downloads snapshots directly from the site. They could be scanned once they hit the disk, but that's about all I can say. Tools that work within the browser wouldn't have any effect, but I don't think that would matter here, since I don't think Windows Defender runs on non-Microsoft browsers anyway.
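A defender-side triage helper for the point above (snapshots land on disk as the site served them, so that is where they can be reviewed), added here as an example and not Zotero's own code. It walks Zotero's storage/<itemKey>/ layout, parses each saved .html with the standard library, and reports third-party script hosts and inline script blocks; the sample snapshot and the host names in it are constructed.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample snapshot (not the page from the thread): the article's own site script,
# one script pulled from an unrelated third-party host, and one inline script block.
SAMPLE_SNAPSHOT = """<html><head><title>Article</title>
<script src="https://www.example-journal.test/js/site.js"></script>
<script src="https://cdn.third-party.test/lib.min.js"></script>
</head><body><p>Abstract...</p>
<script>var x = 1; /* inline script body */</script></body></html>"""

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)      # external script: remember its URL
            else:
                self._in_script = True         # inline script: capture the body that follows

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def scan_html(text, page_host):
    """Return (sorted third-party script hosts, inline script count) for one snapshot.
    Scripts served from a host other than page_host are the ones to review first."""
    p = ScriptCollector()
    p.feed(text)
    hosts = {urlparse(u).netloc for u in p.external}
    return sorted(h for h in hosts if h and h != page_host), len(p.inline)

def scan_storage(data_dir, page_host=""):
    """Walk <data_dir>/storage/<itemKey>/ (Zotero's layout) and scan every saved .html."""
    results = {}
    for root, _dirs, files in os.walk(os.path.join(data_dir, "storage")):
        for path in (os.path.join(root, f) for f in files if f.lower().endswith((".html", ".htm"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = scan_html(fh.read(), page_host)
    return results
```

Run scan_storage against your Zotero data directory and review any snapshot whose list of third-party hosts you do not recognise.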
- Windows Defender with up-to-date definitions
- Chrome Version 62.0.3202.94 (Official Build) (64-bit)
- uBlock Origin with standard settings
- Picked it up during a backup/export library function from the default Zotero data directory to a non-Admin user documents folder.
Screenshots with more details:
1. https://imgur.com/WJEpnUN - Windows Defender notification
2. https://imgur.com/9xgdQJD - Directory containing files
3. https://imgur.com/l1zWIvR - Microsoft threat page
^ https://imgur.com/a/pUUFI - Album
Microsoft threat page:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:HTML/Brocoiner!rfn