How to Search for CoinHive Miner on Criminal IP Asset Search
Searching for “CoinHive” on Criminal IP Asset Search returns about 14,590 IP addresses, all of which can be regarded as infected servers. The results show that web applications such as WordPress, Magento, and Drupal have been infected with this malicious code and are being exploited to mine cryptocurrency.
The following are the keywords we used to search for the CoinHive miner.
The CoinHive JS library file is named “coinhive.min.js” by default, but it is sometimes served under a different name. Therefore, to get the most accurate results on Criminal IP, search for the “CoinHive.Anonymous” string rather than relying on the file name.
The domain of the CoinHive mining pool can also be found in the results. At the time of writing, that website cannot be reached.
How to Search for DeepMiner on Criminal IP
How to Search for Crypto-Loot Bot on Criminal IP
Crypto-Loot, a competitor to CoinHive, can be found by searching for “CRLT.Anonymous” on Criminal IP Asset Search. Of the roughly 1,209 servers returned, however, most respond with 403 Forbidden.
Since 403 Forbidden pages give little information, you can find the actually infected servers by narrowing the search results to servers that respond with 200 OK.
How to Search for CoinIMP Bot on Criminal IP
CoinIMP, another browser-based cryptocurrency mining script, is planted by attackers in the index.php files of vulnerable Drupal websites and runs whenever a visitor loads the main page. Around 389 such websites were found.
Unlike the miners described above, the CoinIMP JS file name is always a randomly generated string, so it cannot be detected by a simple file-name match. CoinIMP is also especially problematic because it can consume up to 30% of the victim’s CPU, more than other cryptojacking scripts.
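The three points above (match on the in-page constructor string rather than the file name, skip 403 responses and keep only 200 OK, and expect randomly named script files) can be turned into a small defensive scanner. The following is an added example, not code from Criminal IP or from the post; it runs over constructed HTTP responses embedded inline, and the site keys, hosts and file names in those samples are placeholders. The two body indicators (“CoinHive.Anonymous”, “CRLT.Anonymous”) and the default file name “coinhive.min.js” are the ones the post names; the file-name match is kept as the weaker, secondary signal.

```python
import re
from typing import List, NamedTuple, Tuple

# Indicator strings named in the post. The miners embed a constructor call
# with a fixed name, so a body match still works when the script file itself
# has been renamed (or, as with CoinIMP, carries a random name).
BODY_INDICATORS = {
    "CoinHive.Anonymous": "CoinHive miner",
    "CRLT.Anonymous": "Crypto-Loot miner",
}

# Default file name of the CoinHive library: a weaker indicator, easily renamed.
FILENAME_INDICATORS = {
    "coinhive.min.js": "CoinHive library (default file name)",
}

# Pulls the src attribute out of <script ... src="..."> tags.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


class Finding(NamedTuple):
    host: str
    indicator: str
    label: str


def scan_response(host: str, status: int, body: str) -> List[Finding]:
    """Return findings for one captured HTTP response.

    Non-200 responses (e.g. 403 Forbidden) are skipped: their bodies are
    error pages and say nothing about what the real site serves.
    """
    if status != 200:
        return []
    findings: List[Finding] = []
    # Primary signal: the miner's constructor string anywhere in the page.
    for needle, label in BODY_INDICATORS.items():
        if needle in body:
            findings.append(Finding(host, needle, label))
    # Secondary signal: the default library file name in a script src.
    for src in SCRIPT_SRC_RE.findall(body):
        name = src.rsplit("/", 1)[-1].lower()
        for needle, label in FILENAME_INDICATORS.items():
            if name == needle:
                findings.append(Finding(host, needle, label))
    return findings


def scan_all(responses: List[Tuple[str, int, str]]) -> List[Finding]:
    """Scan a list of (host, status, body) tuples and collect all findings."""
    out: List[Finding] = []
    for host, status, body in responses:
        out.extend(scan_response(host, status, body))
    return out


# Constructed sample responses (documentation-range hosts, placeholder keys);
# not real captures from Criminal IP.
SAMPLE_RESPONSES: List[Tuple[str, int, str]] = [
    # Default file name AND constructor string: both indicators fire.
    ("198.51.100.10", 200,
     '<html><head><script src="/assets/coinhive.min.js"></script>'
     '<script>var miner = new CoinHive.Anonymous("SITEKEY_PLACEHOLDER");'
     'miner.start();</script></head></html>'),
    # Library renamed to lib.js: only the body string catches it.
    ("198.51.100.11", 200,
     '<html><script src="/js/lib.js"></script>'
     '<script>var m = new CoinHive.Anonymous("SITEKEY_PLACEHOLDER"); m.start();</script></html>'),
    # 403 page: carries no evidence, so it is skipped.
    ("198.51.100.12", 403, '<html><body><h1>403 Forbidden</h1></body></html>'),
    # Random script name plus the Crypto-Loot constructor string.
    ("198.51.100.13", 200,
     '<html><script src="/x/a7f3c9e1.js"></script>'
     '<script>var c = new CRLT.Anonymous("KEY_PLACEHOLDER"); c.start();</script></html>'),
    # Clean page.
    ("198.51.100.14", 200, '<html><body>Welcome</body></html>'),
]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_RESPONSES):
        print(f"{f.host}: {f.label} ({f.indicator})")
```

Run as-is, the script reports four findings on three hosts; the 403 host and the clean page produce nothing. To use it on your own data, replace SAMPLE_RESPONSES with response bodies you have captured from hosts you are authorised to inspect; the body-string check is the one that survives renamed or randomly named script files.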
Recently, cases of the so-called “Denonia” malware, which installs a crypto miner in AWS cloud environments, have been reported. Although it is uncertain whether the following website is infected by Denonia, a message left by someone believed to be the attacker was found on Criminal IP.
We cannot rule out the possibility that Amazon ECS (Elastic Container Service) has been infected with a coin miner installed through AWS Lambda, the serverless computing platform provided by AWS that runs applications or functions without managing servers.
Source : Criminal IP