Yuchen Zhou, Jun J. Wang, Wayne Xin, Weiland Xu Oct 17, 2018 at 12:00 AM
Cryptocurrencies have taken the world by storm, from the biggest player Bitcoin to newcomers such as Monero and Ethereum. Cryptocurrency mining has thus become a hot industry, from powerful, dedicated mining hardware to exploiting graphics cards' parallel computing power. Recently, browser coin mining has taken off, for a lot of different reasons. Although the computing power (per instance) is much less than dedicated hardware, being able to exploit many users on various sites more than makes up for it. There is already quite some media coverage on it, such as from the BBC and Malwarebytes. While we do not consider cryptocurrency mining inside browsers malicious by itself, it is often the case that such mining is going on without the end user's consent or even knowledge, which makes this practice shady and despicable.
On the official Coinhive homepage, we found detailed documentation on how to integrate the mining scripts onto any given website. Owners can use the simple version:
or the more complicated version that gives control over how the end user's CPU time should be used, e.g. how many threads to run and whether the mining should throttle.
A higher thread number and/or a lower throttle number will result in more CPU usage in the client's browser. With a higher CPU occupation percentage, end users will likely experience sluggish behavior and a poor experience on the websites.
Tracking Coinhive Integrations
We have been tracking the inclusion of the Coinhive mining script (coinhive.min.js) for a week in our PANDB unknown feed. The number of URLs leading to the download of such scripts is astounding. Since we started tracking, we have seen anywhere from 6K unique URLs to over 10K in one single day.
Overall, we have seen over 35,119 unique URLs associated with coinhive.min.js. Across these URLs, there are a total of 144 IPs and 1,025 hostnames. Based on our observation, the appearance of these scripts can be clearly divided into three categories: standalone, voluntary, and compromised.
URLs like this one,
always host the following content:
It is worth noting that such URLs always belong to a gibberish[.]bid domain, with a long trailing set of parameters. Of the 35,119 URLs we collected, 33,188, or 94.5%, are of this category. In addition, there are 612 URLs leading to the same set of .bid domains, but with much shorter URLs, like hxxp://www.pudptxanhspld[.]bid/static/robots.txt, or even the domain itself: hxxp://www.pudptxanhspld[.]bid/. The fact that robots.txt is hosting the exact same content as any of the longer URLs with seemingly random parameters leads us to speculate that the domain serves the same coin-mining content to all visitors, ignoring the request parameters or paths. It is interesting to ask why our customers visited such weird, long, random URLs in the first place; we give some of our speculations later in this blog.
After removing the .bid ones, we are left with 1,342 URLs, or 3.8% of the corpus. The remainder can be further categorized into the following three groups:
Voluntary: Crypto-mining related sites
We found numerous URLs related to coin/crypto/mining keywords. Some of these are forums discussing crypto-mining, while others introduce the concept. Regardless of the purpose of the websites, we did not find any evidence that such sites are asking for the user's consent to mine XMR.
This category includes sites that obviously want to include coin-mining scripts to monetize. Examples of these include movie/porn sites such as
While they do provide their normal service to visitors, browsing these sites does not pop up any sort of warning about coin-mining behavior for the user. A script snippet embedded in such sites can be found here:
What is more interesting is that by searching across the entire URL corpus for coinhive.min.js downloads, we are able to find URLs such as
which include xmoviesforyou[.]com as part of the URL, almost like a referer parameter. We are able to verify that
is indeed a valid URL leading to a subpage of the porn site. That site does include coinhive.min.js, but at the time of our re-confirmation, the inclusion is directly from https://coinhive[.]com/lib/coinhive.min[.]js, and the entire page does not include any references to a suspicious .bid domain/URL. We speculate that the porn website URL may have included an iframe leading to the .bid domain, which then triggered the download of coinhive.min.js. However, this mechanism may have later been abandoned in favor of direct inclusion.
Another group of sites seems to have fallen victim to malicious script injection into their vulnerable servers. We found that www.livetruemoney[.]com uses up 100% of the user's CPU time. Upon closer investigation, we found that this site is hosting numerous copies of coinhive.min.js, towards the top and bottom of the page. A similar situation occurs on www.comptesofficiels[.]com/, where the snippet is injected outside of the <figure> tag (a common symptom of injected content), as follows:
It is quite possible that crypto-mining has become a new injection vector in addition to traditional exploit kit redirections.
Finally, we have also seen some typo-squatting/phishing domains serving coinhive.min.js. Examples include analytics-google[.]net/track.php and www-bank[.]ru.
Actor/Mining Configuration Analysis
According to our observation, coin mining integration scripts are rarely obfuscated, which means we can extract the anonymous 'site key' and their configurations easily. Per Coinhive's documentation, the 'site key' is a unique identifier indicating which beneficiary will be paid; therefore, the attacker has no incentive to garble this field. Here are some interesting stats about the actors and their configurations.
There is a clear winner at the top: ID t3z562mp2zg1lia7rujy19d67woezmjj, claiming 35,742 out of the 36,842 IDs we were able to retrieve. Remarkably, querying a website source code search engine like publicWWW only returns 13 results (mostly .bid domains). The distant second and third scored 370 and 119 occurrences respectively, along with 8 other IDs topping 10 occurrences. A long tail (146) of IDs only has 1 appearance in our dataset, and these are possibly category 2 or 3 in the integration scenarios described above: mining would benefit the sites themselves rather than a campaign owner.
Not surprisingly, site key owner t3z562mp2zg1lia7rujy19d67woezmjj has all the .bid URLs pointing to this payee. In addition, there are URLs such as
also using the same site key. Passive DNS analysis reveals that this IP was actually mapped to serve.popads[.]net, so it is interesting that this particular advertising network may have led to crypto-mining behavior.
In this chart, a special-case sitekey stands out. There are 151 sites using it, and it is a predefined variable in previous scripts (as opposed to a hardcoded string), so without dynamic analysis we are not able to retrieve its real content. We took a look at a few samples and it seems that sites using the sitekey variable are more often than not serving the mining script to benefit themselves.
We found only six out of the entire URL population making more than one call to the coinhive.Anonymous function (which means they could possibly be compromised by two different adversaries/serving two different payees at the same time). Upon closer inspection, all the calls actually have the same site key, so in summary we did not find evidence of one site serving more than one beneficiary. We did, however, find that one site, lottoipros[.]com, is attempting to obfuscate its site key using simple Unicode encoding:
Clearly, the site owner/injector is aware of the risks of exposing its key and is attempting to hide it from public scrutiny. If this trend continues, it will become harder to use static analysis to detect crypto-mining sites.
The dominant actor ID t3z562mp2zg1lia7rujy19d67woezmjj uses the default configuration across all observed URLs, so we exclude this actor from this analysis to prevent skew. We also exclude the 142 sites that use mineropts, which go almost hand-in-hand with sites using sitekey as their site key.
This left us with 827 valid data points. Among these, most sites only use 1 thread, the default; however, some sites use as many as 4 threads to maximize mining speed.
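As an added example (not code from this post or from Palo Alto Networks), the following Python implements the kind of static extraction this section relies on: it pulls the site key and thread/throttle options out of CoinHive.Anonymous() calls, decodes a \uXXXX-escaped key like the lottoipros[.]com case, and resolves the sitekey/mineropts variable pattern when the definition is on the same page, otherwise marking the key as unresolved, which is where the post says dynamic analysis would be needed. The HTML snippets and site keys are constructed placeholders, not real observations.

```python
import re

# Constructed HTML snippets modelled on the Coinhive integration pattern this
# post describes. Site keys are made-up placeholders, not real IDs.
SAMPLES = {
    "plain": "<script>var m = new CoinHive.Anonymous('KEY_PLACEHOLDER_A'); m.start();</script>",
    "tuned": "<script>new CoinHive.Anonymous('KEY_PLACEHOLDER_B', {threads: 4, throttle: 0.2}).start();</script>",
    # key hidden behind JavaScript \uXXXX escapes, the trick seen on lottoipros[.]com
    "escaped": "<script>new CoinHive.Anonymous('\\u004b\\u0045\\u0059\\u005f\\u0043').start();</script>",
    # key and options passed as variables (the 'sitekey' / 'mineropts' case)
    "variable": "<script>var sitekey = 'KEY_PLACEHOLDER_D'; var mineropts = {threads: 2};"
                "new CoinHive.Anonymous(sitekey, mineropts).start();</script>",
    # variable defined in some other script: only dynamic analysis could resolve it
    "unresolved": "<script>new CoinHive.Anonymous(sitekey, mineropts).start();</script>",
}

# first argument: quoted string or identifier; optional second: object literal or identifier
CALL_RE = re.compile(
    r"CoinHive\.Anonymous\(\s*('[^']*'|\"[^\"]*\"|[A-Za-z_$][\w$]*)"
    r"\s*(?:,\s*(\{[^}]*\}|[A-Za-z_$][\w$]*))?\s*\)")
NUM_RE = re.compile(r"(\w+)\s*:\s*([0-9.]+)")   # numeric fields of a {threads:.., throttle:..} literal

def unescape_js(s):
    """Resolve \\uXXXX and \\xXX escapes so an encoded key compares equal to its plain form."""
    return s.encode("latin-1", "backslashreplace").decode("unicode_escape")

def resolve_var(html, name, literal_re):
    """Find 'var NAME = <literal>' elsewhere in the same page; None if it is not there."""
    m = re.search(r"\b(?:var|let|const)\s+" + re.escape(name) + r"\s*=\s*(" + literal_re + ")", html)
    return m.group(1) if m else None

def extract_miners(html):
    """One record per CoinHive.Anonymous() call recovered by static inspection."""
    records = []
    for key_tok, opt_tok in CALL_RE.findall(html):
        if key_tok[0] in "'\"":
            key = unescape_js(key_tok[1:-1])
        else:                                            # key passed as a variable
            lit = resolve_var(html, key_tok, r"'[^']*'|\"[^\"]*\"")
            key = unescape_js(lit[1:-1]) if lit else "variable:" + key_tok
        if opt_tok and opt_tok[0] != "{":                # options passed as a variable
            opt_tok = resolve_var(html, opt_tok, r"\{[^}]*\}") or ""
        opts = {k: float(v) for k, v in NUM_RE.findall(opt_tok)}
        # absent options mean the miner's own defaults apply; reported as None
        records.append({"site_key": key,
                        "threads": int(opts["threads"]) if "threads" in opts else None,
                        "throttle": opts.get("throttle")})
    return records
```

Running extract_miners over each page of a URL corpus and counting site keys reproduces the per-actor tally used above; a "variable:" key is the bucket the post calls the sitekey special case.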