With the advent of JavaScript miners, attackers have significantly expanded their opportunities for parasitic cryptocurrency mining.
Gray mining, that is, using other people's devices to mine cryptocurrency for the benefit of an attacker, remains one of the most popular goals of hacking because it brings the attacker a fast and considerable income. We have already discussed gray mining in our articles "Take care of your resources: Miners are attacking" and "Gray mining - what is it?".
More and more new options
In the summer of 2017 an event occurred that gave new impetus to parasitic mining: the JavaScript miner Coinhive, designed for mining Monero, came on the market. By signing up with the Coinhive service and placing the corresponding code on their pages, website owners can earn additional income from the computing power of their visitors: while the user stays on the site, the user's browser mines Monero for the site owner, at the cost of the visitor's CPU time and battery. At the moment, according to publicwww.com, the service is used on more than 20 thousand sites. Coinhive was conceived as a way for site owners to drop the annoying advertising that takes up space on the page and earn income through mining instead.
Thus, in September 2017 one of the most famous torrent trackers, The Pirate Bay, while looking for alternatives to advertising revenue, tested a mining script for 24 hours. At the end of the same month almost all sites belonging to the Ukrainian Media Holding (Korrespondent.net, Football.ua, iSport.ua, Tochka.net) tried hidden mining, but after complaints from users on social networks the mining script was removed from all of the holding's resources. Even the Internet provider that supplies Internet access to the Starbucks coffee chain in Buenos Aires did not pass up the chance to make money by mining Monero on visitors' devices while they were logging in to the network.
Unfortunately, the Coinhive script quickly turned into one of the most common pieces of unwanted software (malware), and after site compromises it was found even on such highly visited resources as the Los Angeles Times, BlackBerry, PolitiFact and Showtime.
Coinhive takes 30% of all cryptocurrency mined with its script. It usually responds quickly to reports of misuse of the service by attackers (but only to reports coming directly from the owners of the hacked resources) and blocks the attacker's account; however, the script on the hacked site keeps running, and from that point Coinhive keeps 100% of what is mined. Its engineers are still working on eliminating this flaw in the system, but so far, in their own words, "cannot" find an effective solution.
Hidden capabilities
Since the advent of JavaScript miners, attackers have had one more incentive to hack web servers: not only can they run a miner on the server itself, they can also invisibly install a script miner on every site hosted on it, which will mine Monero for the attacker for a long time without the site owner noticing. Sites running on the WordPress, Magento, OpenCart and Drupal engines are hacked most often. The site owner is usually not even aware of the compromise, since such a hack has practically no visible signs. To protect themselves from this kind of trouble, site administrators need to keep server software and site engines up to date, install the latest security patches, and regularly monitor changes to files and data on their servers, for example by comparing the web root against a baseline of file hashes, which is what catches an injected script tag.
But it is even more effective to infect not a single website but a content provider, such as a CDN (Content Delivery Network) server or a plugin used by many other resources. In that case, by infecting one resource, the attacker immediately infects every site that loads that plugin.
Thus, on February 11, 2018, the Browsealoud plugin from Texthelp, which makes sites easier to use for people with vision problems, was compromised. Obfuscated Coinhive miner code was embedded in the body of the plugin and so immediately appeared on more than 4,200 sites, including US, UK and Australian government resources (uscourts.gov, legislation.qld.gov.au, manchester.gov.uk, gmc-uk.gov), as well as the developer's own website. The modified plugin ran for about 4 hours before it was noticed by Texthelp's automated security tests. The plugin was immediately disabled on all resources using it until the investigation was completed.
In addition, attackers once even managed to sneak miner code into Google's advertising network. In the second half of January 2018 the first reports appeared of antivirus programs raising alerts on visits to YouTube. A few days later Trend Micro analysts confirmed the presence of the Coinhive mining script in ads served on YouTube through Google's DoubleClick advertising platform. The campaign peaked on January 23-24, after which it was blocked.
At the end of March 2018 a critical vulnerability, Drupalgeddon 2.0 (CVE-2018-7600), was disclosed in Drupal, one of the most popular platforms for building websites. The vulnerability allowed an attacker to execute arbitrary code on the attacked resource, and thus to take control of at least one site and at most the whole server. It was precisely this vulnerability that the authors of Kitty, the newest gray miner, built on the open-source browser-mining software webminerpool, used to penetrate vulnerable servers. Once on the server, Kitty opens a further channel of access for its authors and also creates a cron job that downloads a fresh copy of itself once a minute, which lets the attacker quickly update Kitty and reconfigure the servers under their control. After finally entrenching itself in the system, Kitty launches a build of the xmrig miner, which mines Monero. The infection script then adds a browser-mining component to every page of the site by injecting a loader for the me0w.js script into the Drupal templates. The script finishes with a touching note that no cat lover could ignore: "me0w, don't delete pls i am a harmless cute little kitty, me0w".
Besides the large-scale attacks and individual hacks described above, injecting miners into the traffic of public-network users remains a live threat. This type of attack was named CoffeeMiner and was described in detail in the article "CoffeeMiner: Hacking WiFi to inject cryptocurrency miner to HTML requests" by an independent security researcher known as Arnau. It is based on a man-in-the-middle (MitM) attack, and its target is any device connected to the compromised WiFi network.
The attacker injects JavaScript code into every page loaded over plain HTTP, and that code quietly mines cryptocurrency for its author. Pages served over HTTPS cannot be modified in transit this way, so the attack only reaches sites that are still loaded without TLS. The most effective remedy for this kind of gray mining, as for many other problems, is to use your own VPN whenever you connect to a public network.
The exit is where the entry is.
At the moment Coinhive is no longer the only player in the browser-mining market. Several more solutions based on it have appeared, as well as proprietary developments that were never made public. That is why protection against browser mining will remain an open issue for a long time. How do you protect yourself from gray JavaScript mining? There are several ways. The most radical is to disable JavaScript in the browser settings.
This method is the most effective, but unfortunately legitimate sites that need JavaScript to function (and today that is the majority) suffer from it too. Another reliable option is to use ad blockers, antivirus software and dedicated browser extensions (for example, minerBlock or NoCoin).
For example, Adblock PRO blocks the Coinhive miner out of the box. But the miner's authors do not stand still: they keep improving the script's camouflage, making the job harder for antivirus software, so we always recommend running the latest versions of the operating system and antivirus software.