{"id":11199,"date":"2018-01-22T23:20:08","date_gmt":"2018-01-23T07:20:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/22\/news-4970\/"},"modified":"2018-01-22T23:20:08","modified_gmt":"2018-01-23T07:20:08","slug":"news-4970","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/22\/news-4970\/","title":{"rendered":"In-browser Cryptojacking at full throttle &#8211; A report by Quick Heal Security Labs"},"content":{"rendered":"<p><strong>Credit to Author: Prashant Kadam | Date: Tue, 23 Jan 2018 06:38:43 +0000<\/strong><\/p>\n<p>Cryptocurrencies like Bitcoin, Monero, Ethereum, Litecoin and Tezos are in full swing, and they have exponentially increased cryptocurrency mining (or cryptomining) activity. Previously, cryptomining was carried out by powerful, dedicated mining hardware or by distributed computing, because the entire process requires a lot of computation. However, there has been an observable change in mining trends. Now web browsers are taking part in cryptomining, and this activity is growing because the computing power used in browser mining is much less than that required in hardware mining. Using web browsers to mine cryptocurrency is termed In-browser Cryptojacking. Quick Heal Security Labs has come across some popular websites that are compromised with the Coinhive browser mining service.<\/p>\n<p><strong>What is Coinhive?<\/strong><\/p>\n<p>Coinhive is a browser mining service which offers a JavaScript miner for the &#8216;Monero&#8217; blockchain. It can be easily embedded in a website. When users access a Coinhive-injected website, the miner is executed in the web browser and starts mining Monero (XMR). 
We suspect many businesses use this browser-mining service by integrating a piece of JavaScript code into their website which consumes its visitors&#8217; CPU time and energy to mine XMR (Monero) for Coinhive. Coinhive, in return, pays out some percentage of the mined value to the website&#8217;s owner.<\/p>\n<p><strong>Our analysis<\/strong><\/p>\n<p>At Quick Heal Security Labs, we noticed that one of the proxy services of a famous torrent search engine called Pirate Bay was injected with the Coinhive miner service. Fig 1 below shows the content injected into the Pirate Bay webpage.<\/p>\n<p>Fig 1. Fiddler session screenshot of the Pirate Bay website<\/p>\n<p>As per the Coinhive official information, &#8216;OT1CIcpkIOCO7yVMxcJiqmSWoDWOri06&#8217; is the user site key and the throttle is used to limit the CPU usage. Below are the throttle levels:<br \/>throttle: 0 &#8211; CPU usage limit to 100%<br \/>throttle: 0.3 &#8211; CPU usage limit to 80%<br \/>throttle: 0.5 &#8211; CPU usage limit to 50%-70%<\/p>\n<p>After the Pirate Bay website was accessed, CoinHive.min.js was executed and started mining. The CPU usage reached the limit defined by its throttle level. On some websites the throttle is set to 0.5, so that particular browser instance takes 50%-70% of the computation. Fig 2 shows the CPU usage of the browser and of the overall system observed after accessing the Pirate Bay website.<\/p>\n<p>Fig 2. CPU usage after accessing Pirate Bay<\/p>\n<p>Another important thing observed in the &#8216;CoinHive.min.js&#8217; file is the use of WebAssembly. WebAssembly is a low-level, assembly-like format that runs in web browsers at near-native performance, which is the major reason for using it to implement the mining functionality.<\/p>\n<p>Fig 3. 
WebAssembly module integration<\/p>\n<p>The miner generates hashes through the CryptonightWASMWrapper, a wrapper around the WebAssembly implementation of the hash function. A hash function is an efficiently computable function which maps data of arbitrary size to data of a fixed size and behaves similarly to a random function. This mining activity is not malicious in itself, but it runs without the approval of the system owner and consumes CPU power, which in turn slows down system performance. This bothers the user and hampers work significantly.<\/p>\n<p><strong>Quick Heal detection<\/strong><\/p>\n<p>Quick Heal has released generic detections for such in-browser Cryptojacking attacks. These generic detections span multiple security layers in our products.<\/p>\n<p><strong>Detection stats<\/strong><\/p>\n<p>Quick Heal has successfully blocked the detected Coinhive miner activity. Below is the trend observed over the last few weeks.<\/p>\n<p>Fig 4. Detection trend observed at Quick Heal Security Labs<\/p>\n<p>In-browser mining is an easy way to generate revenue for website owners and for mining service providers alike. Besides Coinhive, other service providers such as JSEcoin, MineMyTraffic, CryptoLoot and CoinNebula are also taking part in it. In-browser mining is not a malicious activity in itself, but unauthorized mining and excessive CPU usage should not be permitted. Also, compromising one popular website could affect many users. Malware authors are using these mining services to fulfill their malicious needs. We advise our users to avoid browsing suspicious websites and to keep their antivirus up to date to prevent their system from being used in such mining activities.<\/p>\n<p><strong>References<\/strong><br \/>http:\/\/blogs.quickheal.com\/massive-campaign-delivering-monero-miner-via-compromised-websites-analysis-quick-heal-security-labs\/<br \/>http:\/\/blogs.quickheal.com\/beware-fake-cryptocurrency-mining-apps-report-quick-heal-security-labs\/<\/p>\n<p>Subject Matter Expert: Prashant Kadam | Quick Heal Security Labs<\/p>\n<p>The post In-browser Cryptojacking at full throttle &#8211; A report by Quick Heal Security Labs appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.<br \/><a href=\"http:\/\/blogs.quickheal.com\/browser-cryptojacking-full-throttle-report-quick-heal-security-labs\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Prashant Kadam| Date: Tue, 23 Jan 2018 06:38:43 +0000<\/strong><\/p>\n<p>Cryptocurrencies like Bitcoin,\u00a0Monero, Ethereum,\u00a0Litecoin,\u00a0and\u00a0Tezos\u00a0are in\u00a0full\u00a0swing.\u00a0And they have exponentially increased\u00a0cryptocurrency mining\u00a0(or\u00a0cryptomining)\u00a0activities. Previously,\u00a0cryptomining\u00a0was carried out by powerful and dedicated mining hardware or by utilizing distributed computing because\u00a0the\u00a0entire process requires\u00a0a\u00a0lot of computation. 
However,\u00a0there has been an observable change in the mining trends.\u00a0Now, web browsers are taking part in\u00a0cryptomining\u00a0and its activity is growing because&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[17250,11052,16415,3764,16398,10538,714],"class_list":["post-11199","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-conhive","tag-cryptocurrency","tag-cryptojacking","tag-malware","tag-miner","tag-monero","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11199"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11199\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}