Crypto miners: the rise of a malware empire - Coinhive

Crypto miners: the rise of a malware empire

To create cryptocurrency, one needs to use a process called “mining”. This means that you can loan your computer power to solve complex mathematical equations. But this mining process depends on two sources which come at a great cost — reliable energy and powerful hardware.

All hell broke loose as cryptocurrency prices skyrocketed over the course of 2017. One Bitcoin was worth $1,000 at the start of the previous year and was valued at around $18,000 by year’s end. This dramatic and sudden increase also caught the bad guys’ attention. And by bad guys, we are referring to malware authors in general, but not entirely, as you will see described later in this article.  So, what drives them to take so many chances, like risking their freedom for personal gains? Could an insatiable craving for money be a part of human nature? I guess only time can provide us the answer. The only fact that we can trust is that cybercrime is more threatening than ever.

This can easily be seen by looking at this particular generic rule, “PUA/CryptoMiner.Gen”. In January 2018 our Real-time protection blocked 1.893.300 files, in February 2018 the number had already risen exponentially to 6.233.300 files, and in March 2018 it already had climbed past the 10M mark, to an astounding number of 11.453.200 files. Some other mining families are also detected by Avira via other generic rules, signatures, or CRC detections.

Focusing on Coinhive – description and inner workings

As written above, a vast amount of money suddenly became available to grab from the cryptocurrency market. All that was needed for evil to take its part in this process was an idea. An idea that was unfortunately found in a legitimate and popular browser-cryptocurrency mining service called Coinhive. This is a JavaScript cryptocurrency miner with easy integration which can be embedded in websites by their administrators. The principle of the idea was as easy as pie – to abuse this JavaScript in malware methods.

Coinhive appeared in September 2017 and it mines for Monero (XMR). It was implemented as an alternative revenue-gathering method to ads for website administrators. Its workflow consists in running the script directly in the visitor’s browser and then starting to mine for cryptocurrency in the background by using its CPU power. But, hackers took this service and deployed it on vulnerable websites that they had exploited and thus started to anonymously and silently mine cryptocurrency every time the website was accessed. Of course, they never even discussed asking for permission by bringing this aspect to the attention of the victim. Power lies in numbers: More exploited websites equals more unique visitors, which in return equals more CPU power and the obvious result translates into more crypto-bucks.

From a hacker’s perspective, this fraudulent scheme implies a low use of resources and the possibility of unlocking a treasure filled with money, that’s why it will gain more and more popularity. But, what are the consequences for its victims? Well, here we can expect anything ranging from poorer performance of their device as determined by the CPU spike to even a shortening of the CPU life due to overheating. Some other results could be a lower duration of battery’s cycle.

Here you can see an example of a JavaScript miner in one of its simplest form:

Crypto miners: the rise of a malware empire - in-post / Coinhive

The first script source line will instruct the victim’s browser to download the .js file from the Coinhive website. The miner variable line will tell Coinhive which account is mining for the Monero cryptocurrency – our unique site key and the “miner.start” line triggers the mining immediately.

Of course, more advanced features can be used in such scripts, like threads and throttle:

Crypto miners: the rise of a malware empire - in-post

Throttle basically refers to a process responsible for regulating the rate at which application processing is conducted. Or to put it as simple as possible, it can be used to configure the CPU power used. A lower throttle combined with a higher threads number will produce the maximum effect, as they decide how much CPU power will be used in the client’s browser.

A few months ago, a victim of the cryptocurrency loving hackers was the reputable site blackberrymobile.com.

Unfortunately, because of the amazing amount of money that can be “earned” in a relatively short amount of time and with implied costs near zero, not only hackers decided to get a piece of the cake. The well-known torrent site “The Pirate Bay” is among those to have used the Coinhive code and neglected to tell visitors it was using their browsers to mine cryptocurrency. So, this wasn’t an action that could be attributed directly to hackers, but to this website’s administrator.

These kinds of attacks were, of course, set to work on all available platforms, like Windows, Linux, and MacOS. Coinhive was also implemented to work on mobile devices. Several apps that used this mining technology were found in Google Play Store and this stealth behavior was triggered right after installation.

Some malicious ads even popped up on YouTube after a threat actor managed to inject a coin miner script into them. Fortunately, YouTube found the issue and fixed it in a matter of hours.

How can you protect your device from such attacks?

  • Use an antivirus: Avira, as an example of a well-known security app, successfully detects and hence blocks such types of malware attacks.
  • Disable JavaScript entirely or just enable it when it’s absolutely necessary. A recommended option is to run a script blocker tool called NoScript that quickly enables or disables JavaScript.
  • With the help of a Windows internal program called “Task Manager” (or “Process Explorer”), you can monitor your CPU usage frequently to see if there are any suspicious spikes in its activity. If so, this could indicate background mining. An alternative app for Macs is “Activity Monitor.”
  • Use a browser extension such as “No coin” to block crypto mining. While it works for Chrome and Firefox, it does not support Microsoft Edge, Apple Safari, and Internet Explorer browsers.

Personal thoughts

Think twice before investing in such coins as the cryptocurrency market approaches its saturation. Bitcoin is the oldest and the most expensive cryptocurrency. Its ups and downs alter the state of all the other cryptocurrencies.

This post is also available in: GermanFrenchItalian

Virus Analyst