Crypto Flexs
  • DIRECTORY
  • CRYPTO
    • ETHEREUM
    • BITCOIN
    • ALTCOIN
  • BLOCKCHAIN
  • EXCHANGE
  • TRADING
  • SUBMIT
Crypto Flexs
  • DIRECTORY
  • CRYPTO
    • ETHEREUM
    • BITCOIN
    • ALTCOIN
  • BLOCKCHAIN
  • EXCHANGE
  • TRADING
  • SUBMIT
Crypto Flexs
Home»HACKING NEWS»A new horizon for cryptojacking | Qualys Security Blog
HACKING NEWS

A new horizon for cryptojacking | Qualys Security Blog

By Crypto FlexsNovember 24, 20234 Mins Read
Facebook Twitter Pinterest LinkedIn Tumblr Email
A new horizon for cryptojacking |  Qualys Security Blog
Share
Facebook Twitter LinkedIn Pinterest Email
Tejas Girme and Rishikesh Bhide of Qualys Malware Research Labs presented “New Frontiers in Cryptojacking” at the 21st Anti-Virus Asia Researchers International Conference (AVAR) 2018 in Goa, India.

Cryptojacking attacks are evolving over time to better evade detection by both end users and protection technologies. Therefore, it is important for security teams to understand how these attacks work to best protect system resources. In a recent talk at AVAR 2018, Qualys Malware Research Labs presented an analysis of the different evasion techniques attackers use to deliver cryptojacking code to web browsers and how existing protection technologies counter them.

Cryptojacking Information

Cryptojacking attacks leverage the resources of the victim’s system through malicious JavaScript to mine specific cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Every visitor to these sites downloads JavaScript and unknowingly provides system resources to mine cryptocurrency, which adds to the attacker’s wallet.

Early cryptojacking attacks

CoinHive was the first browser-based CryptoMining service provider. They enabled browser-based mining on websites by inserting just a few lines of code. Attackers seized this opportunity and cryptojacking attacks became widespread.

Figure 1: JavaScript code that initiates cryptojacking within a website.

The attackers compromised the vulnerable website and inserted cryptojacking code inside the web page (see Figure 1). This code fetches and instantiates a JavaScript-based mining component from the CoinHive server and initiates browser-based CryptoMining within the visitor’s browser. Cryptocurrency mining is a resource-intensive process that can consume more than 70% of CPU power, resulting in reduced system performance.

Protecting against these attacks is as simple as adding the domain hosting the CryptoMining script to a blacklist. This was easily achieved by blocking access to that domain via IPS.

Use proxy

Attackers bypassed firewall rules by employing approaches such as proxies and URL randomization to evade domain-based detection. The attackers also leveraged legitimate content delivery services such as Github and Pastebin to host coin mining scripts.

Figure 2 shows a code snippet from an actual attack in which a proxy domain acts as a gateway to forward mining payloads.

Figure 2: The website loads a script hosted on a proxy server.

With so many proxy domains being created every day, it becomes impossible to keep firewall/IPS rules updated. This issue was addressed through a web browser extension to protect against cryptojacking attacks. Some of the early expansions were ‘No Coin’ and ‘MinerBlock’. These extensions primarily relied on crowdsourced blacklists (e.g. ‘nocoin-list’) consisting of domains and URLs hosting CryptoMining scripts.

Use Proxies and Obfuscation Methods

Anti-virus (AV) scanning engines quickly caught on and added script- and object-based detection that were effective in detecting mining scripts hosted behind proxies. To overcome these obstacles, attackers have begun using open source obfuscators such as https://obfuscator.io/ to obfuscate JavaScript code. These tools can create complex obfuscations that disguise object names and even values. This helped attackers hide their mining code from AV signature-based detection. Obfuscation is used at various stages of a cryptojacking attack to make detection more difficult.

Figure 3 below shows an example of how obfuscated miner code is hosted behind a proxy server.

Figure 3: Website loads an obfuscated script hosted behind a proxy server.

Attackers often leverage the full power of a CPU to maximize the revenue generated from mining activities. This allowed the AV Engine to leverage behavioral signatures to identify mining activity by monitoring the CPU usage patterns of all browser instances. AV can terminate the browser instance performing CryptoMining.

Combination of Proxies, Obfuscation, and Restrictions

Attack techniques have also evolved to remain completely stealthy from both users and detection technologies. Instead of utilizing 100% CPU every time, we started randomizing CPU consumption in the 40-80% range to ensure there was no noticeable performance impact to users. This approach reduced the revenue generated per user somewhat, but allowed campaigns to run for longer periods of time without being detected.

Figure 4 shows the configuration used to control CPU consumption during mining. Throttle 0.2 means mining activities will consume 80% of CPU resources.

Figure 4: Cryptojacking code uses restricted parameters.

For more details and examples of attacks using these techniques, see our previous blog post, The Friendly CryptoMiner Story.

Stay protected with Qualys BrowserCheck CoinBlocker.

Based on our research, Qualys Malware Research Labs developed Qualys BrowserCheck CoinBlocker, a free Chrome web browser extension.

Supports advanced JavaScript scanning along with domain blacklists and whitelists to identify and block malicious JavaScript functions. The extension has the ability to detect obfuscated JavaScript components hosted behind a proxy.

As new attacks emerge, our R&D team analyzes them and devises new detection techniques that are incorporated into new extension updates. We always protect our users from these new attacks.

Related

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

LayerZero Outlook: ZRO Price Imminent Ahead of $43 Million Token Unlocking.

October 21, 2025

BitDCA Staking Agreement Audit Summary

October 19, 2025

The Great Inheritance and Crypto: What you need to know.

October 17, 2025
Add A Comment

Comments are closed.

Recent Posts

Bitcoin Futures Traders Return to Pumping BTC: Will It Last?

October 21, 2025

Bank of England to introduce stablecoin regulations by 2026

October 21, 2025

LayerZero Outlook: ZRO Price Imminent Ahead of $43 Million Token Unlocking.

October 21, 2025

Bombastic Casino Unveils New Design And Enhanced Features

October 21, 2025

Leading A New Era Of AI Model Training And Digital Computing Power Contracts

October 21, 2025

Earn 15% APR With Flexible Redemption And Up To 2,926 USDT

October 21, 2025

Crypto Market Recovers As Liquidity Returns — Pepeto Announces $700K Giveaway And 221% Staking Rewards

October 21, 2025

6 Best AI Quant Apps: Smarter Automated Trading Solutions for the Modern Investor

October 21, 2025

Start Passive Crypto Income At Zero Cost

October 21, 2025

Limitless Prediction Market Closes $10M Seed Round Ahead Of LMTS Token Launch

October 20, 2025

Whale.io Introduces Crock Dentist Game And Exclusive RWA NFT Collection

October 20, 2025

Crypto Flexs is a Professional Cryptocurrency News Platform. Here we will provide you only interesting content, which you will like very much. We’re dedicated to providing you the best of Cryptocurrency. We hope you enjoy our Cryptocurrency News as much as we enjoy offering them to you.

Contact Us : Partner(@)Cryptoflexs.com

Top Insights

Bitcoin Futures Traders Return to Pumping BTC: Will It Last?

October 21, 2025

Bank of England to introduce stablecoin regulations by 2026

October 21, 2025

LayerZero Outlook: ZRO Price Imminent Ahead of $43 Million Token Unlocking.

October 21, 2025
Most Popular

Ethereum: Analyzing whether we see $4.8K in ETH

June 10, 2024

The options market predicts the possibility of Bitcoin reaching $100,000.

April 9, 2024

Bitcoin falls 3% on false SEC spot Bitcoin ETF approval

January 9, 2024
  • Home
  • About Us
  • Contact Us
  • Disclaimer
  • Privacy Policy
  • Terms and Conditions
© 2025 Crypto Flexs

Type above and press Enter to search. Press Esc to cancel.