
The Next Stage of Cryptojacking: How New Crime Evolves

Cryptojacking is the secret use of your device’s resources to mine cryptocurrencies. There are several forms of cryptojacking, including in-browser mining, hacked apps, and background malware.

Cryptojacking gained traction in September 2017, when Coinhive offered its JavaScript code as an alternative to regular advertising.

The idea is simple: a website adds a special code to its page, and when people visit that website, their web browsers start to run the Coinhive code, whose primary goal is to perform the mathematical calculations needed for mining cryptocurrencies. This process is resource-intensive and drives the visitor's CPU usage to its maximum.

Several big websites tried to monetize their traffic using Coinhive but received negative comments from their visitors who did not want to get their machines and CPUs overloaded. The worst part of this is that the in-browser mining was started secretly, without users being notified or given the opportunity to opt out.

While Coinhive later released AuthedMine, which always asks website visitors if they wish to allow in-browser mining, numerous cybercriminals had already caught the gist and started to employ Coinhive in their operations.

Even ransomware payloads, which were once the top malware, have become less profitable than cryptojacking as hackers have largely shifted from deploying ransomware to dropping miners. Most often, they do so using hacked websites.

Malware researchers started to track cryptojacking and have provided interesting news on how it’s evolved during the short period since September. This first phase of cryptojacking attacks showed the growing interest in this area among various bad actors.

Initially, hackers mainly inserted Coinhive’s code containing their website keys (user IDs received from Coinhive) into hacked sites. Sometimes they injected the Coinhive miner into websites’ headers, and some crooks managed to hack WordPress plugins and put the rogue miner there. As a result, all websites using those plugins started to simultaneously earn and send Monero to hackers’ wallets.

Because the Coinhive web domain landed on multiple blacklists, cybercriminals started to avoid connecting to the library file located at coinhive.com/lib/coinhive.min.js. To achieve that, they placed this file on multiple third-party websites.

A number of initiatives to avoid coinhive.com appear quite unsophisticated. For instance, one was to inject the entire library code – which weighs dozens of kilobytes – into websites.

In any event, hosting the Coinhive library code on another website (even if it is obfuscated) still involves making requests to Coinhive’s domain, so it is very simple to discover and block such attacks. Later, though, hackers started employing more serious obfuscation.
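The checks a site owner could run for the injection styles described above, as an added example that is not part of the original article: a static scan for the library and site keys, and a host check on the URLs a page actually requested. The `CoinHive.Anonymous`/`CoinHive.User` constructor names are Coinhive's documented API; the sample pages, third-party host, WebSocket URL and site key are constructed.

```javascript
// Added example: sample pages, hosts and site keys are constructed.
const LIB_NAME = /(^|\/)coinhive\.min\.js$/i;
const MINER_CTOR = /CoinHive\.(Anonymous|User)\(\s*['"]([^'"]+)['"]/g;
const BASE = 'https://page.invalid/'; // placeholder base for relative URLs

function parse(url) {
  try { return new URL(url, BASE); } catch { return null; }
}

// True when the URL's host is coinhive.com or one of its subdomains.
function isCoinhiveHost(url) {
  const u = parse(url);
  if (!u) return false;
  const host = u.hostname.toLowerCase();
  return host === 'coinhive.com' || host.endsWith('.coinhive.com');
}

// Static scan of one HTML document: finds the library loaded from
// coinhive.com, a copy rehosted elsewhere under its original file name,
// and site keys passed to the miner constructor in inline scripts.
function scanHtml(html) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(scriptTag)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    const u = src ? parse(src) : null;
    if (u && isCoinhiveHost(src)) {
      findings.push({ type: 'official-lib', detail: src });
    } else if (u && LIB_NAME.test(u.pathname)) {
      findings.push({ type: 'rehosted-lib', detail: src });
    }
    for (const [, , key] of body.matchAll(MINER_CTOR)) {
      findings.push({ type: 'site-key', detail: key });
    }
  }
  return findings;
}

// Network check: from the URLs a page actually requested (HAR export, proxy
// log), keep those that reach Coinhive's domain. Static matching fails once
// the library is renamed or obfuscated; this check does not depend on it.
function flagRequests(urls) {
  return urls.filter(isCoinhiveHost);
}

const SAMPLE_PAGES = { // constructed inputs
  direct: '<script src="https://coinhive.com/lib/coinhive.min.js"></script>' +
    '<script>new CoinHive.Anonymous("CONSTRUCTED_KEY_1").start();</script>',
  rehosted: '<script src="//cdn.example.net/assets/coinhive.min.js"></script>',
  clean: '<script src="/js/app.js"></script>',
};
```

The host comparison matches `coinhive.com` and its subdomains only, so a look-alike such as `notcoinhive.com` is not flagged.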

As to hosting their malware, crooks started to utilize free services and tools that are popular among most developers like Now.sh, Heroku, and of course GitHub.

Nonetheless, Coinhive is not the sole means of placing a cryptocurrency miner onto a site. The actual know-how is public knowledge, so a lot of hackers have created their own unique apps, including mining platforms, in order to engage in cryptojacking.

It is obvious that self-hosted applications are more advantageous than Coinhive’s miner or its alternatives. Ultimately, they are much more adjustable for attackers, who can steer clear of blacklists by using their own domains (changing them whenever they need to).

The whole thing can be configured as the attacker likes, so that it functions optimally with the attack plan. In addition, crooks avoid paying fees to services like Coinhive (whose fee is around 30%).

Once such an approach turns out to be profitable, miners will probably become custom-built to operate in the dark web (with auto obfuscation, domain switching, and revenue sharing) and sooner or later be incorporated into exploit kits.

If companies like Coinhive continue to disallow misuse of their solutions, this might be the moment when legitimate and malicious miners part ways. Time will tell if this forecast is correct. At this time, it is obvious that cryptojacking is among the fastest-growing types of website hacks as we march into 2018.

Guest

The writer of this post is a guest. Opinions in the article are solely of the writer and do not reflect The Merkle's view.
