Cryptojacking, a compound of "cryptocurrency" and "hijacking", is a cybercrime in which an attacker uses malicious links to lure victims to a website that loads cryptomining JavaScript, infects their computers, and then uses their computing resources to mine cryptocurrency. The number of malicious mining scripts installed without the user's knowledge has increased rapidly. As a result, companies affected by this type of attack can experience network disruptions and excessively high cloud service bills.
With browser-based cryptocurrency mining, attackers can infect a system with just a few lines of JavaScript. CoinHive and DeepMiner are the tools most commonly used by attackers for this purpose. Although the incidence of cryptojacking through these miners has decreased, the Criminal IP Team has found that many PCs remain infected.
How to Search for CoinHive Miner on Criminal IP Asset Search
When searching for “CoinHive” using Criminal IP Asset Search, 14,590 IP addresses are displayed, all of which may be considered infected servers. The search result suggests that different web applications like WordPress, Magento, and Drupal are infected by these malicious codes and exploited to mine cryptocurrency.
The CoinHive miner, which primarily mines Monero (XMR), works by running JavaScript code as soon as a user accesses an infected website; it then uses the visitor's available CPU power to mine cryptocurrency. With 10 to 20 active miners on a server, the operator can expect an average monthly profit of about 0.3 XMR (~$109).
The following are the keywords we used to look for CoinHive Miner.

Result when searching for the keyword “CoinHive” on Criminal IP Asset Search

A website infected by CoinHive Miner
The image below shows JavaScript code that contacts the CoinHive server.
The default file name of the CoinHive JS library is "coinhive.min.js", although it is sometimes deployed under a different name. To get the most accurate results on Criminal IP, it is therefore essential to check for the presence of the "CoinHive.Anonymous" string.

JavaScript code that runs CoinHive Miner
You can also find the domain of the CoinHive mining pool. At the time of writing, this website cannot be reached.
How to Search for DeepMiner on Criminal IP
DeepMiner, another popular cryptominer, is also an open-source JavaScript-based miner for cryptocurrencies such as XMR and ETN. The filter used to look for DeepMiner is similar to the one used for CoinHive; with it, about 50 websites turn up on Criminal IP Asset Search.

Result when searching for the keyword ‘deepMiner.Anonymous’ on Criminal IP Asset Search

A website infected by DeepMiner
One distinctive feature of the DeepMiner JavaScript source is that its library is named 'jqueryeasyui.js', which resembles the name of the jQuery library. This causes confusion and makes it harder for the public to detect.

JavaScript source code that runs DeepMiner Bot
How to Search for Crypto-Loot Bot on Criminal IP
Crypto-Loot is a mining bot that competes with CoinHive. Searching for the keyword "CRLT.Anonymous" on Criminal IP Asset Search returns 1,209 results, but many of these servers respond with an HTTP 403 Forbidden status code.

Result when searching for the keyword “CRLT.Anonymous” on Criminal IP Asset Search
Because 403 Forbidden pages provide little information, it is recommended to narrow the search results to servers returning 200 OK in order to find the infected servers.

Search result after narrowing down to only 200 OK Crypto-Loot miners

JavaScript source code that runs Crypto-Loot Miner Bot
How to Search for CoinIMP Bot on Criminal IP
CoinIMP is a browser-based cryptocurrency mining script that can be installed on vulnerable Drupal websites by infecting their index.php files. Once installed, it starts mining cryptocurrency whenever visitors browse the website's main page. A search on Criminal IP Asset Search found 389 sites.

JavaScript source code that runs CoinIMP Bot
CoinIMP Miner differs from the mining bots mentioned above in that its JS file names are always randomly generated, so it cannot be detected by simple file-name matching. CoinIMP Miner is also particularly concerning because it can consume up to 30% of a victim's CPU resources, far more than other cryptojacking scripts.

JavaScript source code that runs CoinIMP Miner Bot

The JS file name that loads CoinIMP Miner is randomly generated, so it has no regular form.
There have recently been reports of malware called "Denonia" that installs a cryptominer in AWS cloud environments. Although it is uncertain whether the following website is infected by Denonia, a message believed to have been left by the attacker was found on Criminal IP.
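The searches above all rely on the same observation: CoinHive, DeepMiner and Crypto-Loot each expose a "<Family>.Anonymous(...)" constructor in the page's inline JavaScript, while file names (coinhive.min.js, the jQuery-lookalike jqueryeasyui.js) are weaker indicators, and CoinIMP's random file names defeat name matching entirely. The following Python scanner is an added example, not code from the article or from Criminal IP: it takes constructed host records (IP, HTTP status, page body), skips non-200 responses as the Crypto-Loot section recommends, and reports strong (constructor string) and weak (file name) findings. The generic regex for the constructor pattern is an assumption that other forks keep the same shape; the IPs, site keys and page bodies are constructed sample data.

```python
import re
from dataclasses import dataclass

# Content signatures taken from the article: each family exposes a
# "<Family>.Anonymous(<site key>)" constructor in the page's inline JavaScript.
KNOWN_FAMILIES = {
    "CoinHive": "CoinHive",
    "deepMiner": "DeepMiner",
    "CRLT": "Crypto-Loot",
}

# Generalised constructor pattern (assumption: other forks keep the same shape,
# so an unknown identifier before ".Anonymous(" is still reported).
ANONYMOUS_CTOR = re.compile(r"\b([A-Za-z_]\w*)\.Anonymous\s*\(")

# Library file names mentioned in the article. These are weak indicators only:
# CoinHive is sometimes renamed, DeepMiner imitates jQuery, and CoinIMP uses
# random names, so no file-name rule can catch it.
WEAK_FILENAME_HINTS = {
    "coinhive.min.js": "CoinHive",
    "jqueryeasyui.js": "DeepMiner",
}
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)


@dataclass
class HostRecord:
    ip: str
    status: int
    body: str


@dataclass
class Finding:
    ip: str
    family: str
    evidence: str
    confidence: str  # "strong" (constructor string) or "weak" (file name only)


def scan_record(rec):
    """Return findings for one host. Non-200 responses are skipped, mirroring
    the article's advice that 403 pages carry no usable body to inspect."""
    if rec.status != 200:
        return []
    findings = []
    for m in ANONYMOUS_CTOR.finditer(rec.body):
        ident = m.group(1)
        family = KNOWN_FAMILIES.get(ident, f"unknown ({ident}.Anonymous)")
        findings.append(Finding(rec.ip, family, m.group(0), "strong"))
    for m in SCRIPT_SRC.finditer(rec.body):
        name = m.group(1).rsplit("/", 1)[-1].lower()
        if name in WEAK_FILENAME_HINTS:
            findings.append(Finding(rec.ip, WEAK_FILENAME_HINTS[name], m.group(1), "weak"))
    return findings


def scan_all(records):
    return [f for r in records for f in scan_record(r)]


# Constructed sample responses (documentation IP range, placeholder keys; not real hosts).
SAMPLE_RECORDS = [
    HostRecord("192.0.2.10", 200,
               '<script src="https://example.invalid/lib/coinhive.min.js"></script>'
               '<script>var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");miner.start();</script>'),
    HostRecord("192.0.2.11", 200,
               '<script src="/js/jqueryeasyui.js"></script>'
               '<script>var m = new deepMiner.Anonymous("KEY_PLACEHOLDER", {threads: 4});m.start();</script>'),
    # 403 body is ignored even though it mentions a miner string.
    HostRecord("192.0.2.12", 403, '<html><body>403 Forbidden new CRLT.Anonymous("x")</body></html>'),
    HostRecord("192.0.2.13", 200,
               '<script>var m = new CRLT.Anonymous("KEY_PLACEHOLDER");m.start();</script>'),
    HostRecord("192.0.2.14", 200, '<script src="/js/jquery.min.js"></script><p>clean page</p>'),
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RECORDS):
        print(f"{f.ip:12} {f.family:12} {f.confidence:6} {f.evidence}")
```

Running the block prints five findings: two for the CoinHive host (strong constructor match plus weak file name), two for the DeepMiner host, one for the Crypto-Loot host, and nothing for the 403 host or the clean page. Weak findings on their own justify a closer look, not a verdict; a strong finding is what the article's "X.Anonymous" keyword searches are effectively matching on.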

AWS ECS container with installed CryptoMiner
It is possible that an Amazon ECS (Elastic Container Service) deployment has been infected by the installation of a coin miner. This may have been done through AWS Lambda, the serverless computing platform provided by AWS that runs applications or functions without the user managing servers.

Screenshot of a website after installing a miner in an ECS container using AWS Lambda
Cryptojacking is a silent cybercrime that can seriously affect individuals and companies. Attackers use malicious links to infect computers with cryptomining JavaScript, using the victims' resources to mine cryptocurrency without their knowledge. Unfortunately, browser-based cryptocurrency mining has made it easy for attackers to infect systems with just a few lines of code, and commonly used tools such as CoinHive, DeepMiner, Crypto-Loot, and CoinIMP have caused widespread infections. However, tools like Criminal IP Asset Search can help individuals and companies detect these mining bots and protect their systems from further attacks. It is therefore important to remain vigilant and regularly check your systems for the presence of these mining bots to keep personal and business data secure.
Source : Criminal IP