After Bitcoin hit highs above $19,000 in December, cryptocurrency has received even more attention as speculation about the currency continues. It should be no surprise then that there has been a rise in cryptomining activity. Cryptomining is “the process by which transactions are verified and added to the public ledger, known as the block chain, and also the means through which new bitcoin are released. Anyone with access to the internet and suitable hardware can participate in mining.” Source: Investopedia
But it is also possible to mine cryptocurrency without running a dedicated application on a computer that you access or control. Web-based methods allow website operators to use scripts to mine cryptocurrency within a browser, using the resources of the website visitor. We reported on the rise of this in our October 2017 blog, where our Zscaler ThreatlabZ research revealed the sudden interest and growth in web-based monetization towards coin mining.
As we have continued to monitor the trend in 2018, the volume of cryptomining transactions has grown. In the last six months we have blocked more than 2.5 billion cryptomining attempts. We’ve been actively monitoring the trend and believe this can be explained by the following developments:
- Given the sharp increase in value of cryptocurrency, legitimate sites are adopting cryptomining as a source of revenue over online advertisement. These sites will offer visitors a choice between seeing ads or being mined in order to view the site content.
- In some cases, malicious advertisements are being leveraged for browser-based cryptomining activities.
Enterprise networks are being impacted in various ways. Unwanted and unidentified mining activity inside networks causes increased wear and tear on corporate hardware, as the mining increases CPU cycles. Mining activity also hogs corporate network bandwidth and causes performance issues.
In this blog, we will cover the trends and technical details of the top five cryptominers based on the volume of transactions we are seeing along with recent statistics.
In the last six months, Zscaler successfully detected and prevented approximately 2.5 billion web-based coin-mining attempts in the Zscaler cloud. The following is graphical representation of coin-mining attempts, showing CoinHive as the most active cryptominer service, which is not all that surprising when you consider that CoinHive was first to commercially launch a browser-based cryptomining service in September 2017.
Fig. 1 - Cryptomining attempts by top-performing cryptomining service types between October 2017 to March 2018
Zscaler ThreatLabZ observed an increase in cryptomining among the top 100,000 sites globally according to ranking by Alexa. The following is a breakdown by category of close to 500 of Alexa top 100K domains with embedded cryptomining web service that were not involved in serving any other malicious content.
Fig. 2 - Category distribution of Alexa top 100k sites with embedded cryptomining
As you can see, the category of domains that were used most for browser-based mining activity include nudity/pornography followed by streaming media. The average browsing time for users on video streaming sites tends to be higher allowing miners to maximize their activity as users stay on these sites to view movies or play games. Note that the professional services and marketing category sites ranked high as well, demonstrating the prevelance of mining activity on corporate networks.
This new web-mining trend has attracted a few more crypto-miner players into the market. Zscaler has successfully blocked all mining attempts from these new players and continues to actively track their activities. That said, we are certain that there will continue to be new players that will garner more market share.
We will share new trends in web-based crypto-miners through regular updates. Now, let’s jump into the technical details to see what's going on under the hood.
Basics on web-based coin-miner:
Fig. 3 - Browser-based cryptomining activity workflow
Technical details of the top 5 cryptominers:
The de-obfuscated code contains a non-dotted decimal IP address, which translates to 22.214.171.124 and miner key NPRak9QU4lFBSneFt23qEIChh5r0SZev.
The following is a Fiddler (web debugging software) capture of CoinHive transactions:
This web-based miner has gained some popularity among attackers and malicious website owners. We expect to see a significant rise in the use of Crypto-Loot in the near future. This is partly due to this miner’s price. It has a 12% service charge, which is very low compared to the 30% charged by CoinHive, and is likely to boost Crypto-Loot’s adoption.
In the following Fiddler image, we can see that texas-register[.]com redirects to crypto-loot.com to initiate mining activity.
Fig. 7 - Redirection to Crypto-Loot
Fig. 8 - JSE-Coin embedded in the website’s server
The following Fiddler screen shows the transaction in which the affected website leads the visitor to jsecoin[.]com to kickoff coin mining activity.
Fig. 9 - Leading the user from one website to the JSE-Coin site
Fig. 10 - DeepMiner embedded in website
The following are Fiddler transactions of a website that has embedded DeepMiner.
Fig. 11 - Transactions that move the user to DeepMiner for cryptomining
Currently, Minr has a pretty thin adoption compared to other crypto-miners. To embed Minr in the website, the developer provides the API. The following is the API syntax:
- Trl : Throttle of worker (CPU usage)
- sc : Referer check
The following domains are involved in the Minr cryptomining service:
Let’s look at a sample to explain Minr in more detail. In the following infection, eldiariodetandil[.]com is a domain that has Minr embedded, where static-cnt[.]bid is used as a Minr web-service, and the random capital letters in part of the URL are an API key.
Fig. 12 - Site embedded with Minr
Fig. 13 - Obfuscated Minr script
The de-obfuscated content is shown below.
Fig. 14 - De-obfuscated Minr content
Cryptomining activity around the world:
Cryptomining activity is taking place worldwide, but the U.S. leads in both, cryptomining users and in the hosting of servers that are involved in mining activity. In fact, U.S. numbers in both categories are more than double that of the next country on the list. As you can see in the map below, all the users in Europe combined still amount to fewer users than those in the U.S., and the number of servers in the U.S. are more than twice that of the number in Russia.
Fig. 15 - One month sample of the top 10 countries with cryptomining users and servers
It is clear that cryptomining is not going away and that it is increasing exponentially in popularity. However, the practice, whether done with permission or not, raises many questions, particularly in ethical terms and compliance requirements and practices. Corporations that unknowingly have cryptomining activities taking place on their networks may be at risk of compliance violations in that there is unidentified action taking place on company systems. There are also ethical questions, such as whether or not site owners that have granted permission for their site to be cryptomined are responsible for notifying and educating site visitors on how their systems will be affected by this activity. Regardless, both enterprises and consumers suffer the same effects of cryptomining, including added CPU cycles, increased power use, and hardware erosion.
As is the case with many new technologies, we are in limbo when it comes to regulation and disclosure requirements for cryptomining. However, one small city has taken the first step in regulation. Plattsburgh, New York, has banned cryptomining for 18 months in an effort to stop the enormous energy usage the practice takes. We will most likely see more cities and states follow suit.
Attackers always aspire for quick and easy ways to generate revenue, and in-browser coin-mining is lucrative and less intrusive to the victim. To protect yourself, there are a few things you should do to avoid in-browser coin-mining activities like the ones we’ve discussed here.
- Watch out for a sudden spike in memory use that causes the PC to become slow
- Block the aforementioned coin-mining domains
Zscaler ThreatlabZ is actively tracking various web based mining services and ensuring coverage for it under Cryptomining threat category.