Cryptojacking, a portmanteau of cryptocurrency and hijacking, is a cybercrime in which an attacker uses malicious links to lure victims to a website that loads cryptomining JavaScript, infects their computers, and then uses their resources to mine cryptocurrency. The number of secretly installed malicious mining scripts has been rising rapidly, and as a result companies affected by cryptojacking can face network disruption as well as overwhelming cloud bills.

Browser-based cryptocurrency mining in particular lets attackers infect a system with only two or three lines of JavaScript; CoinHive and DeepMiner are the miners most commonly used by attackers. Even though cryptojacking through these miners has decreased, the Criminal IP Team found that there are still many infected machines.

How to Search for CoinHive Miner on Criminal IP Asset Search

Searching for “CoinHive” on Criminal IP Asset Search returns about 14,590 IP addresses, all of which can be regarded as infected servers. The search results show that various web applications such as WordPress, Magento, and Drupal have been infected by this malicious code and exploited to mine cryptocurrency.

The CoinHive miner, which mainly mines Monero (XMR), works as follows: the JavaScript runs as soon as a user accesses the infected website and uses the available CPU power of the visitor's machine to start mining cryptocurrency. With 10 to 20 active miners on a server, the operator is estimated to profit about 0.3 XMR (~$109) per month on average.

The following are the keywords we used to look for the CoinHive miner.

“CoinHive”

“CoinHive.Anonymous”

“coinhive.min.js”

Result of searching the keyword “CoinHive” on Criminal IP Asset Search: the IP addresses of sites into which the CoinHive Miner Bot has been inserted

A website infected by CoinHive Miner

The image below shows the JavaScript code that contacts the CoinHive server.

The CoinHive JS library file is named “coinhive.min.js” by default, but it is sometimes deployed under a different name. Therefore, to get the most accurate results on Criminal IP, it is important to check for the presence of the “CoinHive.Anonymous” string rather than relying on the file name alone.

JavaScript code that runs the CoinHive miner

You can also find the domain address of the CoinHive mining pool. At the time of writing, this website cannot be reached.

How to Search for DeepMiner on Criminal IP

DeepMiner, another popular cryptominer, is an open-source JavaScript-based miner for cryptocurrencies such as XMR and ETN. The filter used to look for DeepMiner is similar to the one used for CoinHive; with it, you can find about 50 websites on Criminal IP Asset Search.

“deepMiner.Anonymous”

“jqueryeasyui.js”

Result of searching the keyword “deepMiner.Anonymous” on Criminal IP Asset Search

A website infected by DeepMiner

One distinctive feature of the DeepMiner JavaScript source code is that its library is named ‘jqueryeasyui.js’, which resembles the name of the legitimate jQuery EasyUI library. This causes confusion and makes the miner harder for the public to detect.

JavaScript source code that runs the DeepMiner Bot

How to Search for Crypto-Loot Bot on Criminal IP

Crypto-Loot, a mining bot that competes with CoinHive, can be found by typing “CRLT.Anonymous” into Criminal IP Asset Search. Of the roughly 1,209 servers returned, however, most respond with 403 Forbidden.

“CRLT.Anonymous”

“crypta.js”

Result of searching the keyword “CRLT.Anonymous” on Criminal IP Asset Search (all Crypto-Loot miner results)

Since 403 Forbidden sites don’t reveal much, you can find the actually infected servers by narrowing the search results down to servers that respond with 200 OK.

Search result after narrowing down to Crypto-Loot miners with a 200 OK server response

JavaScript source code that runs the Crypto-Loot Miner Bot

How to Search for CoinIMP Bot on Criminal IP

CoinIMP, another browser-based cryptocurrency mining script, is designed to run when visitors browse the main page after attackers have infected the index.php files of vulnerable Drupal websites. Around 389 websites were found.

“Client.Anonymous”

JavaScript source code that runs the CoinIMP Bot

Unlike the mining bots shown above, the CoinIMP miner's JS file names are always generated as random strings, so it cannot be detected by a simple file name match. CoinIMP is also especially problematic because it can consume up to 30% of the victim’s CPU resources, more than other cryptojacking scripts.

JavaScript source code that runs the CoinIMP Miner Bot

The JS file name that loads the CoinIMP miner is randomly generated and follows no pattern

Recently, cases of the so-called “Denonia” malware, which installs a cryptominer in AWS cloud environments, have been reported. Although it is uncertain whether the following website is infected by Denonia, a message left by someone believed to be the attacker was found on Criminal IP.

A case of a cryptominer installed in an AWS ECS container

We cannot rule out the possibility that Amazon ECS (Elastic Container Service) was infected by installing the coin miner through AWS Lambda, a serverless computing platform provided by AWS that runs applications or functions without the customer managing servers.

Website after the miner was installed in the ECS container using AWS Lambda

Source: Criminal IP