Cryptojacking, a portmanteau of cryptocurrency and hijacking, is a cybercrime in which an attacker uses malicious links to lure victims to a website that loads cryptomining JavaScript, infects their computers, and then uses their resources to mine cryptocurrency. The number of secretly installed malicious mining scripts has been increasing rapidly, and as a result companies affected by cryptojacking can face network disruption as well as overwhelming cloud bills.
If attackers use browser-based cryptocurrency mining in particular, they can infect a system with only two or three lines of JavaScript; CoinHive and DeepMiner are the miners most commonly used by hackers. Even though cryptojacking through these miners has decreased, the Criminal IP Team found that there are still many infected PCs.
How to Search for CoinHive Miner on Criminal IP Asset Search
Searching for “CoinHive” on Criminal IP Asset Search returns about 14,590 IP addresses, all of which can be regarded as infected servers. The search results show that web applications such as WordPress, Magento, and Drupal are infected with this malicious code and exploited to mine cryptocurrency.
The CoinHive miner, which mainly mines Monero (XMR), works as follows: the JavaScript runs as soon as a user accesses the infected website and uses the available CPU power to start cryptocurrency mining. With 10 to 20 active miners on a server, the attacker is estimated to profit about 0.3 XMR (~$109) per month on average.
The following are the keywords we used to look for the CoinHive miner.

Result when searched “CoinHive” as the keyword on Criminal IP Asset Search

A website infected by CoinHive Miner
The image below shows JavaScript code accessing the CoinHive server.
The CoinHive JS library file is named “coinhive.min.js” by default, but it is sometimes used under different names. Therefore, to get the most accurate results on Criminal IP, it is important to check for the presence of the “CoinHive.Anonymous” string.

JavaScript code that runs CoinHive Miner
The domain address of the CoinHive mining pool can be found there as well. Currently, this website cannot be reached.
How to Search for DeepMiner on Criminal IP
DeepMiner, another popular cryptominer, is also an open-source JavaScript-based miner for cryptocurrencies such as XMR and ETN. The filter used to look for DeepMiner is similar to the one used for CoinHive, and with it you can find about 50 websites on Criminal IP Asset Search.

Result when searched “deepMiner.Anonymous” as the keyword on Criminal IP Asset Search

A website infected by DeepMiner
One unique thing about the DeepMiner JavaScript source code is that its library file is named ‘jqueryeasyui.js’, which resembles the name of a jQuery library. This causes confusion and makes it harder for the public to detect.

JavaScript source code that runs the DeepMiner bot
How to Search for Crypto-Loot Bot on Criminal IP
Crypto-Loot, known as CoinHive’s competing mining bot, can be found by typing “CRLT.Anonymous” into Criminal IP Asset Search. Of the roughly 1,209 servers found, however, most return 403 Forbidden.

Result when searched “CRLT.Anonymous” as the keyword on Criminal IP Asset Search
Since 403 Forbidden sites don’t give much information, you can find actually infected servers by narrowing your search results to servers that return 200 OK.

Search result after narrowing down to only 200 OK Crypto-Loot miners

JavaScript source code that runs the Crypto-Loot miner bot
How to Search for CoinIMP Bot on Criminal IP
CoinIMP, another browser-based cryptocurrency mining script, is designed to run when visitors browse the main page after attackers infect the index.php files of vulnerable Drupal websites. Around 389 websites were found.

JavaScript source code that runs the CoinIMP bot
Unlike the mining bots shown previously, CoinIMP miner JS file names are always generated as random strings, making them difficult to detect by simple file name. Additionally, CoinIMP is especially problematic because it can consume up to 30% of victims’ CPU resources, unlike other cryptojacking scripts.

JavaScript source code that runs the CoinIMP miner bot

Randomly generated JS file name that loads the CoinIMP miner
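As an added example (not code from the Criminal IP post), here is a small Python scanner that checks a page's scripts for the marker strings discussed in the CoinHive, DeepMiner, Crypto-Loot and CoinIMP sections above. The random-file-name heuristic, the `example.invalid` URL and the sample page are my own assumptions and constructed input, not data from the post.

```python
import re

# Marker strings the post associates with each miner family. The "*.Anonymous"
# constructor names are strong evidence; the default file names are weaker
# (DeepMiner's "jqueryeasyui.js" deliberately looks like a jQuery plugin).
STRONG = {"CoinHive": r"CoinHive\.Anonymous",
          "DeepMiner": r"deepMiner\.Anonymous",
          "Crypto-Loot": r"CRLT\.Anonymous"}
WEAK = {"CoinHive": r"coinhive\.min\.js", "DeepMiner": r"jqueryeasyui\.js"}
# Heuristic for CoinIMP-style loaders (my assumption, not from the post): the
# script basename is 16+ random-looking alphanumerics and nothing else.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{16,}\.js$")

# Lightweight extraction of external script URLs and inline script bodies;
# good enough for signature scanning, not a full HTML parser.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def script_basename(src):
    """'/a/b/x.js?v=1' -> 'x.js' (ignores path and query string)."""
    return src.rsplit("/", 1)[-1].split("?", 1)[0]


def scan_html(html):
    """Return sorted (family, evidence, strength) findings for one HTML page."""
    srcs = SCRIPT_SRC.findall(html)
    text = "\n".join(SCRIPT_BODY.findall(html) + srcs)
    found = set()
    for table, strength in ((STRONG, "strong"), (WEAK, "weak")):
        for family, pat in table.items():
            m = re.search(pat, text)
            if m:
                found.add((family, m.group(0), strength))
    for src in srcs:  # random-name heuristic only for external scripts
        name = script_basename(src)
        if RANDOM_NAME.match(name):
            found.add(("CoinIMP-style", name, "heuristic"))
    return sorted(found)


# Constructed sample page (not a real site): a DeepMiner-named library, an
# inline CoinHive constructor with a placeholder key, and a random-named script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.invalid/jqueryeasyui.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');</script>
<script src="/assets/q8Zt3mVb1xK9pL2rW7cD.js?v=3"></script>
</head><body><p>hello</p></body></html>"""
```

Run it over HTML fetched from your own hosts; file-name hits are weaker evidence than the constructor strings, and the random-name rule will also flag legitimate hashed bundles, so treat those as leads to inspect rather than confirmed infections.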
Recently, there have been reported cases of the so-called “Denonia” malware that installs a cryptominer in AWS cloud environments. Even though it is uncertain whether the following website is infected by Denonia, a message left by someone believed to be a hacker was found on Criminal IP.

AWS ECS container with installed CryptoMiner
We cannot ignore the possibility that Amazon ECS (Elastic Container Service) might have been infected by installing a coin miner through AWS Lambda, a serverless computing platform provided by AWS that can run applications or functions without provisioning servers.

Website after installing Miner in the ECS container using AWS Lambda
Source : Criminal IP