Money for Nothing and Coins for Free

Beginning in mid-September 2017, we started seeing a new abuse scheme on .ch and .li domains. The websites in question were running outdated software, and inevitably hackers exploited some well-known vulnerability to inject malicious code. At this point we would usually expect an exploit kit in the website’s content, with the purpose of infecting the victim’s machine with malware. In these cases, however, the Javascript inject often looked somewhat like the following:

This code is designed to run in the background of the victim’s browser and immediately starts an endless loop of intensive computations at full pace, effectively turning the browser into a hash-crunching mule for the sake of distributed mining of cryptocoins, with profits going directly to the hacker.

Web-based Cryptocurrency Miners on the Rise

The cryptocurrency of choice for this type of abuse is Monero (XMR). Like Bitcoin, Monero is based on a blockchain that stores all transaction records. Monero has a strong focus on privacy: transaction details in the Monero blockchain are hidden from the public, making it an attractive currency for criminals. New Monero currency units are generated by “mining”, a process that requires a lot of processing power. Unlike Bitcoin, however, Monero does not require custom hardware such as ASIC miners to mine effectively; it is feasible to mine the currency on general-purpose CPUs. It didn’t take long for the first Monero miners implemented in Javascript to appear. Coin-Hive leveraged this circumstance to create a mining pool based on web-based Javascript miners. Using this service, website owners can include a widget as depicted below to let their visitors mine Monero coins for them.

Mining via Coin-Hive is primarily meant to generate revenue from time spent on the website as an alternative to advertisements. With an estimated rate of 30 hashes per second for an average desktop computer, generating 1 USD worth of Monero requires approximately 20 days of exposure. Or to put it the other way around: you need roughly 2000 concurrent miners during one minute to generate the same revenue. Coin-Hive’s commission of 30% is already deducted from that amount.

To Block or not to Block, that is the Question

Of course, it is advisable to inform your visitors of the intended use of their CPU, though many Alexa top 1 million sites already seem to be experimenting with this technology, often without letting their users know. Most people will not appreciate having their CPU hijacked and their battery drained while visiting a website. And that is now exactly what cybercriminals are doing as well: they sneak an invisible version of the Javascript miner into hacked websites and profit from the CPU cycles of unaware visitors. The threat has already been recognized, and mitigations are provided by simple blacklisting. For example, uBlock Origin included Coin-Hive’s miner library in its blacklists. This is the reason why the library is not included directly from Coin-Hive in the example above; instead, an obfuscated version is served from another source, hxxps://camillesanz[.]com/lib/status.js, which was most probably also compromised.

SWITCH’s DNS Firewall includes a list of domains that serve the miner Javascript. All these domains have been linked to abuse cases and are therefore treated as malicious content. We observed a considerable number of hits on such domains from users on our clients’ networks. However, we do not actively block communication to Coin-Hive itself, because of the legitimate uses of this service. We expect to find more occurrences of cryptominers in the future, each of which must be handled meticulously to sort out abuse from legitimate cases. So watch out for CPU fans spinning up when surfing!
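As an added illustration (not code from the original post or from SWITCH), a small Python check that flags a page embedding the Coin-Hive widget using the two mechanisms from the paragraphs above: the library signature that content blockers such as uBlock Origin key on, and a hostname blocklist of the kind a DNS firewall applies. The `CoinHive.Anonymous` API name and `coinhive.min.js` file name are those of the public Coin-Hive library; the blocklist entries and the sample page are constructed. An obfuscated copy served under another name from a compromised host would not match the signature, which is exactly why the host blocklist check is kept alongside it.

```python
import re
from html.parser import HTMLParser

# Constructed blocklist of hosts serving miner scripts (placeholders, not real IoCs).
MINER_HOSTS = {"coinhive.com", "miner-cdn.example.invalid"}
# Signatures of the public Coin-Hive miner (API object, library file). An obfuscated copy
# served under another name would not match, hence the host blocklist check below.
MINER_PATTERNS = [
    (re.compile(r"CoinHive\.Anonymous\s*\(", re.I), "CoinHive.Anonymous constructor"),
    (re.compile(r"coinhive(\.min)?\.js", re.I), "Coin-Hive library reference"),
]

class _ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            self._in_script = src is None  # no src attribute: an inline body follows
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def host_of(url):
    # Lowercased host of an absolute or protocol-relative URL; None for relative paths.
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None

def scan_html(html, blocklist=MINER_HOSTS):
    """Return (label, evidence) pairs for every miner indicator found in the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = host_of(src)
        if host and any(host == b or host.endswith("." + b) for b in blocklist):
            findings.append(("blocklisted script host", src))
        findings += [(label, src) for rx, label in MINER_PATTERNS if rx.search(src)]
    for body in parser.inline:
        findings += [(label, body.strip()[:60]) for rx, label in MINER_PATTERNS if rx.search(body)]
    return findings

# Constructed sample page embedding the public Coin-Hive widget (site key is a placeholder).
SAMPLE_PAGE = """<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script></head></html>"""
```

Running `scan_html(SAMPLE_PAGE)` yields three findings: the blocklisted host, the library reference, and the inline constructor call.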

Further reading about cryptominers:



Article Link: https://securityblog.switch.ch/2017/10/05/money-for-nothing-and-coins-for-free/