Cryptojacking, a portmanteau of cryptocurrency and hijacking, is a cybercrime in which an attacker uses malicious links to lure victims to a website that loads cryptomining Javascript, infects their computers, and then uses their resources to mine cryptocurrency. The number of malicious mining scripts installed without the user’s knowledge has increased rapidly. As a result, companies affected by this type of attack can experience network disruptions and face excessively high fees for cloud services.

Using browser-based cryptocurrency mining, attackers can easily infect a system with just a few lines of Javascript. CoinHive and DeepMiner are tools commonly used by attackers for this purpose. While the incidence of cryptojacking through these miners has decreased, the Criminal IP Team has discovered that many PCs remain infected.

How to Search for CoinHive Miner on Criminal IP Asset Search

When searching for “CoinHive” using Criminal IP Asset Search, 14,590 IP addresses are displayed, all of which may be considered infected servers. The search result suggests that different web applications like WordPress, Magento, and Drupal are infected by these malicious codes and exploited to mine cryptocurrency.

The CoinHive miner, which primarily mines Monero (XMR), runs its Javascript code as soon as a user accesses an infected website and then uses the user’s available CPU power to mine cryptocurrency. If there are 10 to 20 active miners on a server, the operator can expect an average monthly profit of about 0.3 XMR (~$109).

The following are the keywords we used to look for CoinHive Miner.

“CoinHive”

“CoinHive.Anonymous”

“coinhive.min.js”

Result when searching for the keyword “CoinHive” on Criminal IP Asset Search: the IP addresses of sites into which the CoinHive Miner bot has been inserted

A website infected by CoinHive Miner

The image below shows Javascript code that contacts the CoinHive server.

The default name of the CoinHive JS library file is “coinhive.min.js”, although it is sometimes used under a different name. To obtain the most accurate results on Criminal IP, it is essential to confirm the presence of the “CoinHive.Anonymous” string.

Javascript code that runs CoinHive Miner

You can find the domain address of the CoinHive mining pool as well. Currently, this website cannot be reached.

How to Search for DeepMiner on Criminal IP

DeepMiner, another popular cryptominer, is an open-source Javascript-based miner for cryptocurrencies such as XMR and ETN. The filter used to look for DeepMiner is similar to the one used for CoinHive; with it, about 50 websites turn up on Criminal IP Asset Search.

“deepMiner.Anonymous”

“jqueryeasyui.js”

Result when searching for the keyword “deepMiner.Anonymous” on Criminal IP Asset Search

A website infected by DeepMiner

One distinctive feature of the DeepMiner Javascript source code is that its library is named ‘jqueryeasyui.js’, which resembles the name of the legitimate jQuery EasyUI library. This causes confusion and makes the miner difficult for the public to detect by file name alone.

Javascript source code that runs DeepMiner Bot

How to Search for Crypto-Loot Bot on Criminal IP

Crypto-Loot is a mining bot that competes with CoinHive. When searching for the keyword “CRLT.Anonymous” on Criminal IP Asset Search, 1,209 results are displayed, but many of these servers return a 403 Forbidden response code.

“CRLT.Anonymous”

“crypta.js”

Full result when searching for the keyword “CRLT.Anonymous” on Criminal IP Asset Search

As 403 Forbidden sites do not provide much information, it is recommended to narrow the search results to servers returning 200 OK in order to find the infected servers.

Search result after narrowing down to only Crypto-Loot miners whose server response code is 200 OK

Javascript source code that runs Crypto-Loot Miner Bot

How to Search for CoinIMP Bot on Criminal IP

CoinIMP is a browser-based cryptocurrency mining script that can be installed on vulnerable Drupal websites by infecting their index.php files. Once installed, it starts mining cryptocurrency when visitors browse the website’s main page. When searched on Criminal IP Asset Search, 389 sites were found.

“Client.Anonymous”

Javascript source code that runs CoinIMP Bot

CoinIMP Miner differs from the previously mentioned mining bots in that its JS file names are always randomly generated, making it difficult to detect by simple file name matching. In addition, CoinIMP Miner is particularly concerning because it can consume up to 30% of a victim’s CPU resources, which is much higher than other cryptojacking scripts.

Javascript source code that runs CoinIMP Miner Bot

The JS file name that loads CoinIMP Miner is randomly generated, so it follows no regular pattern.

Recently, there have been reports of malware called “Denonia” that installs a CryptoMiner in AWS cloud environments. Although it is uncertain whether the following website is infected by Denonia, a message believed to be left by a hacker was found on Criminal IP.

A case of a CryptoMiner installed in an AWS ECS container

It is possible that a coin miner was installed on Amazon ECS (Elastic Container Service). This may have been done through AWS Lambda, a serverless computing platform provided by AWS that runs applications or functions without the customer managing servers.

Screenshot of a website after a miner was installed in an ECS container using AWS Lambda

Cryptojacking is a silent cybercrime that can seriously affect individuals and companies. Attackers use malicious links to infect computers with cryptomining Javascript, using the victims’ resources to mine cryptocurrency without their knowledge. Unfortunately, browser-based cryptocurrency mining has made it easy for attackers to infect systems with just a few lines of code, and commonly utilized tools like CoinHive, DeepMiner, Crypto-Loot, and CoinIMP have caused widespread infections. However, tools like Criminal IP Asset Search can help individuals and companies detect these mining bots and protect their systems from further attacks. Therefore, it is important to remain vigilant and regularly check for the presence of these mining bots on your systems to ensure the security of your personal and business data.


Source : Criminal IP