Cryptojacking – Understanding and Detecting Attacks

2017 was a year full of hype for cryptocurrency. Not only did we see Bitcoin (BTC) prices skyrocket (from ~$900 to ~$20K!), but we also saw the emergence of new currencies such as Tron (TRX), LunaCoin (LUNA), and Pluton (PLU), which are just a few of many.  Hackers are taking note, and have increasingly incorporated crypto into their schemes, beyond just ransomware featuring payment in Bitcoin.

Another way hackers have taken advantage of the hype is through cryptocurrency mining, which is expanding into new territories and taking the form of malicious website injection, malware distribution via botnets and social media, trojanized applications, and even WiFi connection hijacking. All of these leverage processing and power cycles belonging to the user. Referred to as cryptojacking, the recent uptick in this activity can likely be attributed to the release of a popular JavaScript miner by Coinhive in September 2017, as well as the recent soaring values of cryptocurrency.

What is Cryptojacking?

Cryptojacking takes control of the corporate system associated with blockchain and uses it as a continuous source of computing power. With multiple entry points and hidden behind stealthy tactics, Cryptojacking can often be difficult to detect and prevent. With cryptojacking on pace to overtake ransomware, there are many systems in which you should understand where vulnerabilities exist and how to properly detect attacks.

Systems Vulnerable to Cyptojacking Attacks and Malware

Cryptojacking Via Your Browser

There are several cryptocurrency miners that leverage code injection into a website, including Coinhive, Crypto-Loot, CryptoNoter, and JSECoin. Note that these are not necessarily malicious tools, but can be used by cybercriminals to generate mining activity on unsuspecting websites. See below snippet from Coinhive code.

Source Code
Coinhive Miner JavaScript Code Snippet

LookingGlass researchers have identified over 7,000 Coinhive mining sites and several hundred hosting the other miners.

There are two primary concerns with browser-based cryptocurrency mining:

  1. Websites may incorporate miners without disclosing this to site visitors, which could be considered unethical.
  2. And more importantly, cyber criminals are injecting the mining code into unsuspecting websites, thereby taking advantage of both the website and the site’s visitors.

It’s Not Just in Your Browser

Oracle WebLogic application servers have been discovered hosting cryptojacking malware. These servers, which are often cloud-based, are designed to manage enterprise-level applications. The mining tools are injected using a web application vulnerability (disclosed in December 2017, CVE 2017-10271). In one reported incident, the cyber criminals employed the XMRig mining kit and garnered over $200K in Monero cryptocurrency.

Cryptojacking in Your Apps

Researchers discovered several Android apps in the Google Play store that were secretly mining cryptocurrency. These apps did not present themselves as miners, but rather something more innocuous, such as a wallpaper app. The mining activity can degrade the device’s performance, cause wear and tear, and reduce battery life.

Cryptojacking in Your Social Media

Facebook Messenger was found to be distributing Digmine miner malware via a video that appeared to have been sent by a Facebook friend. Digmine has the ability to infect the desktop version of Messenger and access user contact lists to spread further.

Cryptojacking in Public WiFi or During Your Coffee Break

Hijacking WiFi hotspots is a new cryptojacking trend. CoffeeMiner uses a man-in-the-middle (MITM) attack to hijack users connecting to WiFi hotspots and inject mining code into all HTML pages requested by those users. This was reported by a patron of a Starbucks in Buenos Aires who discovered it when examining the cause of a connection delay to the WiFi.

Cryptojacking via Campaign

The Zealot malware campaign targets the well-documented ApacheStruts vulnerability, CVE-2017-5638, as well as the ASP.NET vulnerability, CVE-2017-9822. The malware uses the ETERNALBLUE and ETERNALSYNERGY exploits to spread throughout infected systems and PowerShell to download and install the cryptocurrency mining tools. This campaign impacts both Windows and Linux operating systems.

And of Course, There’s a Botnet for That

Another vector is via a cryptocurrency mining botnet, PyCryptoMiner, that is written in Python, targets Linux operating systems, and rather uniquely refers to a Pastebin site for command and control instructions.

Our Findings: LookingGlass Testing and Analysis

LookingGlass researchers performed testing of browser-based cryptojacking websites and found that it is indeed a highly resource-intensive activity. When visiting one site with embedded mining code, CPU usage levels quickly elevated to over 500%, then dropped to normal levels once the browser window was closed as indicated in the below figures.

Coinhive Miner JavaScript Code Snippet


LookingGlass sampled the network traffic associated with a site mining using the Coinhive tool, and observed the various options that can be set, such as throttle rate and pool wallet ID number.

JavaScript Source Code
Network Traffic Associated with Coinhive Miner


Why You Should Care About Cryptojacking, or Help, My Laptop is on Fire!

On the surface, cryptojacking seems relatively benign. But in actuality, it costs victims processing and energy resources. Desktop users may experience a degradation in services. Mobile users may experience loss of battery life. For an individual, this may not have a significant impact, but for a production server in a data center environment, the costs could quickly stack up.

Serving up cryptojacking to your website visitors, unwittingly or not, is likely to drive away traffic and create negative customer opinion, neither of which are typically desired outcomes.

Perhaps more importantly is that with browser-based cryptojacking, unwanted code has been injected into an organization’s web server, which means that that server has been compromised and that is never a good thing. Where one attacker gets in, others can follow, perhaps with more nefarious motivations. In the words of the Google dev team, “if an attacker successfully injects any code at all, it’s pretty much game over: user session data is compromised and information that should be kept secret is exfiltrated to The Bad Guys.”

How to Avoid Being a Miner

The good news is that cryptojacking is not hard to identify. The distinctive code usually stands out, as displayed in the example above. For browser-based cryptojacking, there are browser extensions that can be installed to block mining activity. LookingGlass researchers tested some of these and found them to be effective, as shown in the below image.

The Walking Dead
Detection and Blocking of Coinhive Mining Activity

Blocking JavaScript from running automatically in browsers will also prevent mining activity, at least in the case of miners written in that language.

Currently only a few antivirus engines will detect and block browser-based cryptojacking activity or the Digmine miner.

Want more information like this? LookingGlass has a whole library full of intelligence reports like this. Learn more here.

Related Content