If you thought your “secure” browser is blocking all these cryptojacking attempts (perhaps you even installed a cryptoblocker extension), think again. Cryptominers are using other people’s browsers to make bank while getting better at evading detection. What have they been up to recently?
Lately, cryptojackers have found more ways to hog their victims’ computing resources. Chrome browser extensions offered through the Chrome Web Store were discovered to contain mining code. Ubuntu’s own Snap Store has been supplying software with “miners” built in.
One-two punch: ransomware+cryptojacking
Even garden-variety malware now usually comes equipped with miners. A new variant of the Rakhni ransomware now contains a cryptocurrency miner. It checks conditions in the victim’s environment to decide whether the system should be used to mine or be held for ransom. More details about this new variant can be found here.
Another piece of malware, documented here and detected as “TROJ64_COINMINER.QO”, leverages not only WMI (Windows Management Instrumentation) to remain fileless and persistent, but also the EternalBlue exploit to propagate. Packing this one-two punch, it then reaches its final stage and starts mining away in stealth mode.
Is cryptojacking the new money maker for cybercriminals? A recent report by researchers at security firm McAfee indicates as much. McAfee Labs’ count of total coin-miner malware rose by 629% in Q1 of 2018 alone, to more than 2.9 million samples.
Another notable player is Coinhive, a popular platform used for legitimate purposes as well as for cryptojacking.
Few hurdles for in-browser miners
Coinhive enables cryptojackers to create a script to load on any webpage that causes visiting browsers to start mining XMR (Monero cryptocurrency) in the background. While Coinhive also provides an authorized mining option, the main attraction for many cryptocurrency “entrepreneurs” is its unauthorized mining mode - no popup, no warning for the victim.
Distribution via hacked websites and online ads
Recent months have seen a wave of site break-ins to embed this script. The site owners themselves may never know, but all their traffic is monetized by cryptojacking networks. In addition to the spiked browser extensions mentioned earlier, there have also been reports of online advertisements containing miners displayed and rendered on sites.
Beware “solutions” that add to the problem
Hide-and-seek, and seek, and seek...
Let’s say that the embedded script comes from Coinhive. It will generally be located here:
coinhive.com/lib/coinhive.min.js
Let’s also assume that someone were to take that script and just relocate it, or perhaps wholly reverse engineer it to work with their own site - essentially, setting up a Coinhive clone.
As a result, the script’s location would change and look roughly like this:
Source: MalwareBytes Blog
The outcome is predictable. Browser extensions or AV tools that block such scripts simply by blocklisting domains will miss the mark and are doomed to fail. The cloaked script will tap into your IT resources and keep the crypto money machine humming.
So what if someone catches on to what’s going on? No hurdle for the crypto-racketeers. It takes them less than 15 minutes to buy a new domain, set up a new server, and re-configure the mining script. AV vendors won’t be able to keep track of every domain and server that serves a cryptocurrency miner.
Obfuscated code, obedient browser
But what about the actual script itself? For cryptomining crooks who don’t want to waste time and money on playing the catch-me-if-you-can domain game, is there a way to just obfuscate the script? The answer is yes. This is how it works:
Let’s assume that the coinblocker extension or AV product blocks scripts based on a known signature stored in a database. In other words, it matches what the script looks like in plain text, not what the script actually does.
There are methods by which an attacker can make their code look different. Here are two sample Coinhive scripts, one plain and one obfuscated:
You probably guessed it already: these two scripts are identical once they are rendered in the browser. This level of obscurity will dupe coin-blockers that block scripts based on known profiles. The document.write() function writes the decoded code straight into the page.
Before that, the unescape() function decodes the encoded string. Here the string is encoded in hex, but it can be encoded in base64, binary, octal, etc. To make the obscurity even more “efficient”, one can combine encodings and decode multiple times. Your browser will do the bidding of the cryptojackers and still render the script exactly like its non-encoded counterpart.
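To show why a plain-text signature misses this and what a blocker has to do instead, here is an added example (not code from the original post) that strips the unescape() hex layer, including repeated layers, before matching; the indicator list and the samples are constructed for illustration.

```javascript
// Added example, not from the original post: decode the document.write(unescape("%XX..."))
// wrapper before signature matching. Samples and indicator list are constructed.
// Runs in Node.js or a browser console.

// Same %XX / %uXXXX syntax the legacy unescape() decodes, without calling the
// deprecated global.
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u4, h2) => String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Peel encoding layers until the text stops changing, so a string that was
// encoded several times (nested unescape calls) still ends up in plain text.
function normalize(src, maxRounds = 8) {
  let text = src, rounds = 0;
  while (rounds < maxRounds) {
    const next = decodePercent(text);
    if (next === text) break;
    text = next;
    rounds++;
  }
  return { text, rounds };
}

// Plain-text indicators a signature-based blocker would look for (illustrative).
const MINER_INDICATORS = ["coinhive.com", "coinhive.min.js", "CoinHive.Anonymous"];

// Returns the indicators found. decodeFirst=false mimics a blocker that only
// matches the raw page source and is therefore fooled by the encoding.
function scanForMiner(src, decodeFirst = true) {
  const hay = (decodeFirst ? normalize(src).text : src).toLowerCase();
  return MINER_INDICATORS.filter(ind => hay.includes(ind.toLowerCase()));
}

// Constructed sample: hex-escaped <script src="https://coinhive.com/lib/coinhive.min.js"></script>
const OBFUSCATED_SAMPLE = 'document.write(unescape("' +
  '%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%73%3A%2F%2F' +
  '%63%6F%69%6E%68%69%76%65%2E%63%6F%6D%2F%6C%69%62%2F' +
  '%63%6F%69%6E%68%69%76%65%2E%6D%69%6E%2E%6A%73%22%3E' +
  '%3C%2F%73%63%72%69%70%74%3E"))';
// Constructed sample: "coinhive.min.js" percent-encoded twice, so two decode rounds are needed.
const DOUBLE_ENCODED_SAMPLE = 'document.write(unescape(unescape("' +
  '%2563%256F%2569%256E%2568%2569%2576%2565%252E%256D%2569%256E%252E%256A%2573")))';
// Constructed benign sample: same wrapper, no miner inside, must not be flagged.
const BENIGN_SAMPLE = 'document.write(unescape("%3Cp%3EHello%3C%2Fp%3E"))';

console.log(scanForMiner(OBFUSCATED_SAMPLE, false)); // []  raw text match misses it
console.log(scanForMiner(OBFUSCATED_SAMPLE));        // [ 'coinhive.com', 'coinhive.min.js' ]
```

The same fixpoint loop is the reason a blocker should match on decoded content rather than on the encoded source, whatever encoding the attacker picked.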
To meter or not to meter?
One popular method of detecting browser cryptocurrency mining relies on monitoring CPU/GPU usage. Put simply, if a particular component (like the CPU or GPU) on the computer is running at high load because of a single process, the tool assumes the machine is mining.
Yes, monitoring system components for load spikes can ferret out miners - but will it make much of a difference?
Well, no - not really.
That’s because attackers can easily cap, as a percentage, how much of a victim’s computer resources the cryptomining script is allowed to hog. An attacker can, for example, specify that only 50% of the victim’s CPU resources are to be used. This makes it harder for the victim to notice the mining activity. It may also limit the net amount of mined cryptocurrency, but that’s a price attackers are willing to pay to avoid detection.
Attempting to track down all possible forms of cryptojacking is futile. As with other types of malware defense and detection, the defender will always be one or more steps behind, because the possibilities for trickery are endless.
What's next, and how to protect yourself
For years, other malware has evaded detection through encryption, loading binaries into memory, process doppelgänging, and so on. If it hasn’t done so already, cryptojacking is likely to soon enter that realm of sophisticated evasion methods (comparable to these sandbox busters). Local browsers provide cryptocurrency exploiters with unlimited possibilities, i.e., vulnerabilities.
We should not be surprised if cryptojackers eventually combine exploit kits and mining scripts to get deep inside the browser for elevated mining processes (making GPU mining possible), which in turn could yield higher profits.
Cryptocurrency is their reward, and your browser serves as the gateway to the motherlode. The only adequate response to this growing threat is to use a hardened browser that runs off-site and isolated in the cloud, with centrally managed and monitored security measures in place that prevent such exploits.
Disconnect from the crypto-mining craze by using a cloud browser. This way, all mining code will get neutralized before it can even reach your IT perimeter, and will never touch the computer you connect from.
Watch this video to see how it works and how you can prevent all cryptocurrency miners from hijacking your browser:
Amir Khashayar Mohammadi is a Computer Science and Engineering major who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors.