Qualys Malware Research Labs is excited to introduce the new Qualys BrowserCheck CoinBlocker extension for Chrome, designed to identify and prevent browser-driven cryptocurrency mining, often referred to as cryptojacking.
Understanding Cryptojacking
Cryptojacking runs mining code, usually JavaScript, inside the browsers of a website's visitors rather than on machines the attacker has compromised outright. Attackers inject the script into popular or vulnerable websites; every visitor's browser then downloads and executes it, and the visitor's CPU time is spent mining cryptocurrency that is paid out to the attacker's wallet. The hashing loop typically pushes CPU usage above 70%, which slows the system, raises power consumption and heat, and on laptops and poorly cooled hardware can shorten the life of the components.
Because cryptojacking lets attackers mine without buying hardware or paying for electricity, it is highly profitable. By July 2018 the overall cryptocurrency market capitalization had passed $270 billion, spread across more than 1,700 active projects, and the money to be made from hijacked mining has turned it into an increasingly prominent threat that in many reports now overshadows ransomware.
Cryptojacking has also gained traction because it is less risky for criminals than ransomware: there is no victim to negotiate with and no ransom payment to collect, and browser-based delivery reaches a site's entire visitor population without having to compromise each endpoint. As mining difficulty rises and legitimate mining becomes more resource-intensive, stolen CPU time only becomes more attractive.
Cryptojacking and Monero
Monero (XMR), a newer cryptocurrency (launched in 2014), is the one most often targeted by cryptojacking, for two reasons. First, its proof-of-work algorithm, CryptoNight, is memory-hard and runs efficiently on ordinary desktop and server CPUs, unlike Bitcoin-style mining, which is only competitive on specialized GPU or ASIC hardware. That CPU-friendliness is a deliberate design choice meant to keep mining decentralized and stop a few operators with specialized equipment from dominating it, but it also means a script running on a commodity machine can contribute useful hashes. Second, Monero's transactions obscure sender, receiver and amount, so payouts to the attacker's wallet are hard to trace.
WebAssembly (WASM) is a binary instruction format that browsers execute at near-native speed alongside JavaScript. Browser miners ship the CryptoNight hashing core as a WASM module and use JavaScript only to load it, fetch work and submit results, which is why a mining page performs far better than a pure-JavaScript implementation would.
Fig. 1 Market capitalization of CryptoNight-based cryptocurrencies, June 2018. Source: https://coinmarketcap.com
Prevalence of Infections
The security research site Bad Packets Report recently published an article documenting more than 100,000 websites infected with cryptojacking scripts. Most of these infections trace back to Drupalgeddon 2, the exploit for CVE-2018-7600, a remote code execution vulnerability in Drupal core that was patched in March 2018, months before these campaigns. [Reminder: Regular patching is crucial!] The campaigns use the publicly available exploit to compromise the site and insert a mining script into its pages; when users visit an infected site, their browsers compute proof-of-work hashes for the attackers.
To keep rogue mining scripts from consuming your users' resources, block the following mining services at the proxy, DNS resolver or browser (the domains are defanged with [.] so they cannot be clicked by accident). Keep in mind that such a list goes stale quickly, since miner operators rotate domains and front their services with proxies, so a blocklist should be combined with behavioral detection:
- coinhive[.]com
- load[.]jsecoin[.]com
- crypto-loot[.]com
- coin-have[.]com
- ppoi[.]org
- cryptoloot[.]pro
- papoto[.]com
- coinlab[.]biz
Introducing Qualys BrowserCheck CoinBlocker Extension for Google Chrome
Drawing upon thorough research conducted by Qualys Malware Research Labs, we are pleased to unveil Qualys BrowserCheck CoinBlocker, a Google Chrome extension aimed at shielding users from browser-based mining attacks.
Here are several screenshots showcasing Qualys BrowserCheck CoinBlocker in action:
Fig. 2 Qualys BrowserCheck CoinBlocker
Fig. 3 Logs of detections from Qualys BrowserCheck CoinBlocker
The Qualys BrowserCheck CoinBlocker extension does not rely on a domain blacklist alone: it also applies heuristics that recognize the CryptoNight algorithm (used to mine Monero) and its variants in the code a page loads, so a miner served from a domain not yet on the list can still be caught.
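As an added example (not the extension's own code), the following JavaScript shows how the defanged blocklist above can be refanged and matched on domain-label boundaries, and how a few illustrative content heuristics (the documented Coinhive constructor, the CryptoNight name, and the WebAssembly magic bytes) could be combined into a per-request verdict. The marker patterns, the classifyRequest() function and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not code from the Qualys extension: a defanged-blocklist matcher
// plus two illustrative content heuristics of the kind a coin-blocking extension
// could apply. The domain list is the one in the post; the marker patterns and
// the classifyRequest() logic are assumptions made for this example.

const DEFANGED_BLOCKLIST = [
  "coinhive[.]com",
  "load[.]jsecoin[.]com",
  "crypto-loot[.]com",
  "coin-have[.]com",
  "ppoi[.]org",
  "cryptoloot[.]pro",
  "papoto[.]com",
  "coinlab[.]biz",
];

// Threat-intel feeds "defang" domains by wrapping dots in brackets so they
// cannot be clicked by accident; undo that before matching.
function refang(domain) {
  return domain.trim().toLowerCase().replace(/\[\.\]/g, ".");
}

const BLOCKLIST = DEFANGED_BLOCKLIST.map(refang);

// True when the request host is a listed domain or a subdomain of one.
// Matching on label boundaries avoids false positives such as notcoinhive.com.
function isBlockedUrl(url, blocklist = BLOCKLIST) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return false; // not an absolute URL, nothing to match
  }
  return blocklist.some((d) => host === d || host.endsWith("." + d));
}

// Assumed marker set (illustrative, not the extension's real signatures):
// the documented Coinhive constructor, the algorithm name most miner builds
// embed, and the pool protocol scheme that miner proxies speak.
const SCRIPT_MARKERS = [
  { name: "coinhive-api", re: /\bCoinHive\.Anonymous\b/ },
  { name: "cryptonight", re: /cryptonight/i },
  { name: "stratum-url", re: /stratum\+tcp:\/\//i },
];

// Returns the names of the markers found in a script body.
function minerMarkers(source) {
  return SCRIPT_MARKERS.filter((m) => m.re.test(source)).map((m) => m.name);
}

// Every WebAssembly module begins with the magic bytes "\0asm" (0x00 0x61
// 0x73 0x6d) followed by a 32-bit little-endian version field.
function isWasmModule(bytes) {
  return bytes.length >= 8 &&
    bytes[0] === 0x00 && bytes[1] === 0x61 && bytes[2] === 0x73 && bytes[3] === 0x6d;
}

// Combine the signals into one verdict, as a webRequest listener would before
// cancelling the request. A WASM body on its own is not a reason to block,
// because many legitimate sites use WebAssembly; it is only recorded as
// supporting evidence when another signal has already fired.
function classifyRequest({ url, body = "", bytes = new Uint8Array(0) }) {
  const reasons = [];
  if (isBlockedUrl(url)) reasons.push("blocklisted domain");
  const hits = minerMarkers(body);
  if (hits.length > 0) reasons.push("miner markers: " + hits.join(", "));
  if (reasons.length > 0 && isWasmModule(bytes)) reasons.push("wasm payload");
  return { url, block: reasons.length > 0, reasons };
}

// Constructed sample requests (not real captured traffic).
const SAMPLE_REQUESTS = [
  { url: "https://coinhive.com/lib/coinhive.min.js",
    body: "var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();" },
  { url: "https://cdn.example.org/app.js", body: "console.log('hello');" },
  { url: "https://notcoinhive.com/x.js", body: "" },
  { url: "https://static.coinhive.com/cryptonight.wasm",
    bytes: new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]) },
];

for (const r of SAMPLE_REQUESTS) {
  const v = classifyRequest(r);
  console.log(`${v.block ? "BLOCK" : "allow"} ${v.url} ${v.reasons.join("; ")}`);
}
```

In a Manifest V2 extension this verdict would be computed inside a chrome.webRequest.onBeforeRequest listener registered with the "blocking" option and returned as {cancel: true}. String markers like these are easily defeated by minification or obfuscation, and domain lists go stale as operators rotate infrastructure, so both should be backed by behavioral signals such as sustained worker CPU load.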
Identifying Traditional Cryptomining Threats
Cryptomining is not limited to browser scripts: some attackers install persistent malware that mines outside the browser. Security teams can use the Qualys Indication of Compromise (IOC) solution for rapid visibility into coin miners and other malware across the organization. Qualys IOC includes behavior-based detection for the following coin mining threats:
- CryptoMinerA
- CryptoMinerB
- CryptoMinerC
- CryptoMinerD
- CryptoMinerE
- Neksminer
As adoption of digital currencies and blockchain technologies broadens, cryptomining remains an escalating online threat, and attackers use a variety of methods to exploit unsuspecting users' systems for their own gain. We recommend routinely scanning systems for vulnerabilities with tools like Qualys BrowserCheck, and defending against browser-based mining with the Qualys BrowserCheck CoinBlocker extension for Chrome.