Qualys Malware Research Labs announced the release of the Qualys BrowserCheck CoinBlocker Chrome extension to detect and block browser-based cryptocurrency mining. Cryptojacking.
Cryptojacking
Cryptojacking attacks leverage the resources of the victim’s system through malicious JavaScript to mine specific cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Every visitor to these sites downloads JavaScript and unknowingly provides system resources to mine cryptocurrency, which adds to the attacker’s wallet. The resource-intensive mining process is performed on the victim’s system and typically consumes more than 70% of the CPU, which can slow down system performance, increase power consumption, and cause permanent damage to the system.
Cryptojacking is very profitable because it helps attackers obtain cryptocurrency without spending a single penny on mining infrastructure. The overall cryptocurrency market cap has reached over $270 billion as of July 2018 with over 1,700 active projects! Attackers who leverage these projects can make a lot of money, and cryptocurrency mining is gradually moving to center stage in the threat landscape, making it a much more attractive option compared to the recently favored ransomware campaigns.
Cryptojacking has also recently become mainstream. Because it is safer from cybercriminals and webmasters than ransomware. Ransomware requires interaction with the victim to receive payment. And because cryptojacking is browser-based, it is easier to infect victims than to hack a server. Over time, as cryptocurrency mining becomes more resource-intensive in terms of computing power and power consumption, stealing these resources becomes increasingly attractive to attackers.
Cryptojacking and Monero
Monero (XMR), a relatively new cryptocurrency, is becoming a common target for cryptojackers because its mining algorithm (CryptoNight) is designed to be easily integrated, and its privacy and anonymity features also benefit hackers. Monero’s proof-of-work mining algorithm can be used with desktop or server-grade CPUs rather than the custom, specialized ASIC or GPU hardware required by traditional coin mining algorithms. This is an important aspect of the next generation of cryptocurrencies as it attempts to decentralize them and prevent mining monopolies from being created by a small number of users with access to specialized hardware. From an attacker’s perspective, the potential to gain significant profits from a privacy-enhanced desktop-class CPU makes it a lucrative option.
A popular technology used in most browser-based cryptocurrency mining algorithms is WASM (short for WebAssembly). It is a binary executable format for the web that makes JavaScript execution within the browser very efficient.
Figure 1. CryptoNight-based cryptocurrency market capitalization, June 2018. Source: https://coinmarketcap.com
infection
Security research blog Bad Packet Reports recently published an article stating that there are over 100,000 sites currently infected with cryptojacking malware. Many of these sites appear to have been compromised using exploits for Drupalgeddon 2. This attack exploits the CVE-2018-7600 vulnerability even after the patch has already been available for several months. (Note: Always apply patches regularly!) There are reports of malware campaigns leveraging exploits for this recently announced vulnerability to compromise victims and inject coin mining scripts. When a user visits a compromised site, the system unknowingly contributes to solving a cryptographic puzzle that benefits the attacker.
To protect your users from draining your computer’s resources through unauthorized coin mining scripts running on your computer, you should block access to the following popular coin mining services:
- Coinhive(.)com
- load(.)jsecoin(.)com
- crypto-loot(.)com
- coin-have(.)com
- ppoi(.)org
- Cryptocurrency(.)Pro
- chat(.)com
- CoinLab(.)us
Qualys BrowserCheck CoinBlocker Extension for Google Chrome
Based on extensive research by Qualys Malware Research Labs, we announce Qualys BrowserCheck CoinBlocker, a new Google Chrome browser extension to protect users from browser-based coin mining attacks.
Here are some screenshots of Qualys BrowserCheck CoinBlocker in action.
Figure 2 Qualys BrowserCheck CoinBlocker
Figure 3 Qualys BrowserCheck CoinBlocker detection log
Qualys BrowserCheck CoinBlocker Extension not only relies on domain blacklists, but also uses heuristics to identify underlying crypto mining algorithms such as CryptoNight (used to mine Monero) and various artifacts.
Detecting traditional cryptocurrency mining threats
Cryptocurrency mining is also not limited to browser-based scripts, as we have seen certain attackers infect systems with persistent malware that runs outside of the browser to perform cryptocurrency mining. To detect such malware, security professionals can use the Qualys Indication of Compromise (IOC) solution to gain two-second visibility into coin mining and other malware across their organization. Qualys IOC includes behavioral-based malware suite detection for the following coin mining threats:
- CryptoMinerA
- Cryptominer B
- CryptoMinerC
- Cryptominer D
- CryptoMinerE
- Nexminer
Cryptocurrency mining has emerged as an online threat that is expected to grow as digital currencies and blockchain technology gain widespread acceptance. Attackers are using a variety of techniques to use unsuspecting users’ systems for malicious purposes. We recommend that you regularly scan your system for vulnerabilities using a tool such as Qualys BrowserCheck. Protect yourself online from cryptocurrency mining attacks with the Qualys BrowserCheck CoinBlocker Chrome extension.