The state of malicious cryptomining – Malwarebytes Labs, Malwarebytes Labs

Posted: February 26, 2018 by Jerome Segura

Last updated: March 6, 2018

While cryptocurrencies have bot around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. Unluckily, the same benefits suggested by thesis decentralized and somewhat anonymous digital currencies were quickly manhandled to extort money, spil wasgoed the case during the various ransomware outbreaks we’ve witnessed te the last few years.

Spil the value of cryptocurrencies—driven by the phenomenal rise of Bitcoin—has enlargened significantly, a fresh zuigeling of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world overheen are drawn to it like moths to a flame. The emergence of a multitude of fresh cryptocurrencies that can be mined by average computers has also contributed to the widespread manhandle wij are witnessing.

Malwarebytes has bot blocking coin miners with its numerous protection modules, including our real-time scanner and web protection technology. Everzwijn since September 2018, malicious cryptomining has bot our top detection overall.

Cryptomining malware

To maximize their profits, threat actors are leveraging the computing power of spil many devices spil they can. But very first, they vereiste find ways to produce the malicious coin miners on a large enough scale.

While the Wannacry ransomware wasgoed very publicized for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least two different groups used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars ter revenue.

Figure 1: Worm scanning random IP addresses on port 445

Other vulnerabilities, such spil a flaw with Oracle’s WebLogic Server (CVE-2018-10271), were also used to produce miners onto servers at universities and research institutions. While Oracle released a patch ter October 2018, many did not apply it te a timely style, and a PoC only facilitated widespread manhandle.

Spil it turns out, servers toebijten to be a beloved among criminals because they opoffering the most horsepower, or to use the zindelijk term, the highest hash rate to crunch through and solve the mathematical operations required by cryptomining. Te latest times, wij spotted individuals who, against their better judgement, took this to the next level by using supercomputers ter various critical infrastructure environments.

Spam and exploit kits campaigns

Even malware authors have caught the cryptocurrency bug. Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added te a coin miner module.

Interestingly, the Trickbot authors had already expanded their banking Trojan to steal credentials from Coinbase users spil they logged into their electronic wallet. The modular nature of their malware is certainly making it lighter for them to proef with fresh schemes to make money.

Figure Two: Document containing macro that downloads the TrickBot malware

Several exploit kits, and Equipment EK te particular have bot distributing miners, usually via the intermediary of the SmokeLoader malware. Ter fact, cryptominers are one of the most commonly served payloads te drive-by download attacks.

Figure Trio: An iframe redirection to Equipment EK followed by a noticeable coin miner infection

Mobile and Mac cryptominers

Mobile users are not immune to cryptomining either, spil Trojanized apps laced with mining code are also commonplace, especially for the Android toneel. Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such spil SMS spam and of course miners.

Figure Four: Source code for the mining component within an Android APK

Legitimate mining pools such spil Minergate are often used by those Android miners, and the same is true for Mac cryptominers. The usual advice on sticking to official websites to download applications applies but is not always enough, especially when trusted applications get hacked.

Figure Five: Malicious Mac application launching a Monero miner

Drive-by cryptomining

Ter mid-September 2018, a mysterious entity called Coinhive launched a fresh service that wasgoed about to create puinhoop on the web, spil it introduced an API to mine the Monero currency directly within the browser.

While in-browser miners have taken off because of Coinhive’s popularity, they had already bot tested a few years ago, mostly spil proof-of-concepts that did not develop much further. There is, however, the legal precedent of a group of students at MIT who got sued by the state of Fresh Jersey for their coin mining attempt—called Tidbit—proposed spil an alternative to traditional display advertising.

No opt-in by default

Within weeks, the Coinhive API, void of any safeguards, wasgoed manhandled ter drive-by cryptomining attacks. Similar to drive-by downloads, drive-by mining is an automated, silent, and toneel agnostic mechanism that compels visitors to a webstek to mine for cryptocurrency.

Wij witnessed an interesting campaign that wasgoed specifically designed for Android and drew millions of users to pages that instantly commenced to mine for Monero under the pretense of recouping server costs. Even however mobile devices aren’t spil powerful spil desktops, let alone servers, this event displayed that no one is immune to drive-by mining.

Figure 6: An in-browser miner for Chrome on Android

Malvertising wasgoed once again a major factor te spreading coin miners to a large audience, spil wij eyed with the YouTube case that involved malicious ads via DoubleClick. Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their plugins compromised and injected with a Coinhive script, leading to hundreds of government websites te the UK unwillingly participating ter malicious cryptomining activity.

To fend off criticism, Coinhive introduced a fresh API (AuthedMine) that explicitly requires user input for any mining activity to be permitted. The idea wasgoed that considerate webstek owners would use this more “ethical” API instead, so that their visitors can knowingly opt-in or out before engaging ter cryptomining. This wasgoed also an argument that Coinhive waterput forward to defend its stance against ad blockers and antivirus products.

While only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API wasgoed slightly used (40K/day) te comparison to the silent one (3M/day), spil pictured te the below histograms during the period of January Ten to February 6.

Figure 7: Usage statistics for the opt-in version of Coinhive

Figure 8: Usage statistics for the silent version of Coinhive

Moreover, even websites that do use the opt-in option may still be crippling machines by running an unthrottled miner, spil wasgoed the case with popular American news webstek Salon[.]com.


Several copycats emerged te the wake of Coinhive’s instantaneous success. According to our stats, coin-have[.]com is the 2nd most popular service, followed by crypto-loot[.]com. While Coinhive takes a 30 procent commission on all mining earnings, Coin Have advertises the lowest commission rates te the market at 20 procent, albeit CryptoLoot itself claims to pay out 88 procent of mined commissions.

Ter additions to thicker payouts, other “attractive” features shoved by newcomers are low payment thresholds and the capability to bypass ad blockers, which they often view spil their number one threat.

Figure 9: Two of the most popular Coinhive copycats

Browsers and technologies manhandled

Contrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and weakness te the sense that it can potentially reach a much broader audience but is also more ephemeral ter nature.

For example, if a user navigates away from the webstek they are on or closes the offending tabulator, that will cause the mining activity to zekering, which is a major drawback. However, wij observed that some miners have developed sneaky ways of making drive-by mining persistent, thanks to the use of pop-unders, a practice well-known te the ad fraud business. To add insult to injury, the malicious pop-under tabulator containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their laptop.

Another way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code ter each web session. This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised.

Figure Ten: The compromised extension with a rogue JavaScript for Coinhive

It is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, wij have observed WebAssembly, a newer format available te modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a loterijlot quicker and more efficient than JavaScript.

Figure 11: Code snippet from a WebAssembly module designed for mining Monero

While drive-by mining typically happens via the standard HTTP protocol—either via HTTP or HTTPS connections—we have witnessed more and more examples of miners communicating via WebSockets instead.

Figure 12: A Web Socket connection to Coinhive

A WebSocket is another communication protocol that permits flows of gegevens to be exchanged. There is an initial handshake request and response with a remote server followed by the actual gegevens rivulets. Coin mining code packaged within a secure (wss) WebSocket is more difficult to identify and block.


Spil the threat landscape resumes to evolve, its connections to real-world trends become more and more evident. Malware authors are not only loving the relative anonymity provided by digital currencies but also want to amass them.

Cryptomining malware provides a good use case for leveraging the size and power of a botnet te order to perform CPU-intensive mining tasks without having to bear the costs incurred ter the process. Ter some opzicht, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly makeshift.

While malicious cryptomining shows up to be far less dangerous to the user than ransomware, its effects should not be undermined. Indeed, unmanaged miners could gravely disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down. Under the disguise of a financially-motivated attack, this could be the volmaakt alibi for advanced threat actors.

Malwarebytes users, regardless of their toneelpodium, are protected against unwanted cryptomining, whether it is done via malware or the web.

Related movie: The Fattest Bitcoin Mining Farm ter the USA

Leave a Reply

Your email address will not be published. Required fields are marked *