Beware of Browser Mining (detection/blocking)

LASER_oneXM

Feb 4, 2016
Beware of Browser Mining
February 19, 2018

Guess what? There’s a new kind of mining for digital currency emerging in the marketplace. It’s called “browser mining” and it works something like this. User visits web page; web page downloads mining widget; mining widget runs on user system generating hashes (and ultimately, spendable digital coins) for the web site operator. That sounds fair, right? WRONG! But unless you take steps to prevent this kind of thing, it could happen to you.

How to Detect Browser-Based Bitcoin Mining
As the global run on high-powered graphics cards attests, hashing for digital currency takes LOTS of computing resources. That’s why many users are reporting noticeable lags in performance on PCs where the bitcoin mining widgets take up residence. Let me introduce a new term in the interests of brevity and accuracy: I’d like to call this “bit-mining” because bitcoin is not the only digital currency for which hashing is rampant, and also because it’s shorter and easier to say and understand.

According to this story on Addictive Tips entitled “How to Block Bitcoin Mining in your Browser,” a variety of symptoms should raise flags with users that they may have fallen afoul of a bit-mining widget:


Blocking Bit-Miners from Your Browsers
One class of tools is available to help you fend off those who’d like to suck up your users’ computing resources. Chrome supports three such extensions — namely, minerBlock, No Coin and No Mining. Other browsers offer similar methods for blocking mining directly inside them (Firefox, for example, also supports No Coin). YMMV when it comes to this kind of thing, and it must be handled on a per-browser basis.

TenForums.com member Cliff S offers details on another way to block bit-miners: add them to the HOSTS file to block their ability to access your PC. This basically works by assigning the null IP address (0.0.0.0) for domain names associated with known mining sites. The TenForums thread is entitled “Protecting Yourself from In-Browser Miners” and is well worth digging into. Cliff even explains how to edit the HOSTS file, and where to go to get the best block-list (namely CoinBlockerLists).

This is a new form of protection about which admins and security professionals should be aware. If you have some kind of endpoint protection in place, it’s time to contact the vendor and ask them if (and if so, how) their package provides protection against bit-mining. It’s a thing now, and a potentially productivity-pounding problem if left unchecked. My advice: better to deal with it sooner, rather than later!
 

frogboy

In memoriam 1961-2018
Jun 9, 2013
Crypto currency is a bad thing in the long run. At least I hope so, as I have never invested in any at all. Quick coins etc. seemed just a daft idea at start-up, but these are brave new ventures. ;):)

So will it all collapse or have a bright future? :coffee::whistle::)
 

Deleted Member 3a5v73x

No Coin doing a nice job here (y)
Do you think that filter is needed for G Data users, since Web protection can detect coin miners pretty well? Have you encountered some slipping by and found a need for an additional filter? :rolleyes:
[Attached screenshot: gd.PNG]
 

Electr0n

Feb 19, 2018
Crypto currency is a bad thing in the long run. At least I hope so, as I have never invested in any at all. Quick coins etc. seemed just a daft idea at start-up, but these are brave new ventures. ;):)

So will it all collapse or have a bright future? :coffee::whistle::)
It will collapse. In the long run, it's going to harm the economy. Either it has to be regulated like share trading or it has to be banned.
 

Evjl's Rain

Apr 18, 2016
There is no need to install nocoin because you can add nocoin filters into ublock. Installing an extra extension just increases resource usage (although not significantly).
1/ Your AV can also partially protect against coinmining
2/ Norton DNS can protect
3/ Add the following filters to your ublock; they can be even better than the nocoin extension alone
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt

https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
 

Electr0n

Feb 19, 2018
There is no need to install nocoin because you can add nocoin filters into ublock. Installing an extra extension just increases resource usage (although not significantly).
1/ Your AV can also partially protect against coinmining
2/ Norton DNS can protect
3/ Add the following filters to your ublock; they can be even better than the nocoin extension alone
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt
https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
Thank you, this was exactly what I was asking for.
 

HarborFront

Oct 9, 2016
There is no need to install nocoin because you can add nocoin filters into ublock. Installing an extra extension just increases resource usage (although not significantly).
1/ Your AV can also partially protect against coinmining
2/ Norton DNS can protect
3/ Add the following filters to your ublock; they can be even better than the nocoin extension alone
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt
https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
Is the last link added to the hosts file or to uBlock Origin? Examples extracted and shown below:

0.0.0.0 2giga.link
0.0.0.0 2k20.tk
0.0.0.0 2miners.com
0.0.0.0 2miners.ru
0.0.0.0 300ca0d0.space
0.0.0.0 310ca263.space
0.0.0.0 320ca3f6.space

The format does not look suitable as a txt file.
 

Evjl's Rain

Apr 18, 2016
Is the last link added to the hosts file or to uBlock Origin?
Yes, there are 2 links.
The first link contains generic adblock rules, which can block un-blacklisted future coinminers.
The second link contains hosts: malicious websites which utilize coinmining (e.g. thepiratebay.cr).

EDIT: uBlock Origin also supports hosts format (127.0.0.1 or 0.0.0.0)
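As an added example (not code from this thread, from CoinBlockerLists or from uBlock Origin), here is a small checker that loads a hosts-format blocklist like the excerpt HarborFront quoted and tests whether a hostname is covered. It accepts both sinkhole addresses mentioned above (0.0.0.0 and 127.0.0.1) and, as uBlock Origin does with hosts-format lists, treats an entry as also covering its subdomains, which a plain HOSTS file would not; the sample list and hostnames are constructed.

```python
# Load a hosts-format blocklist (as used by CoinBlockerLists) and check hostnames
# against it. Added example; the sample list below is constructed, not the real file.

SAMPLE_HOSTS = """\
# CoinBlockerLists-style sample (constructed for this example)
0.0.0.0 2giga.link
0.0.0.0 2miners.com
127.0.0.1 coinhive.com      # inline comments are allowed in hosts files
0.0.0.0 localhost           # standard entry, must NOT be treated as a blocked site
192.168.1.10 nas.home       # a real mapping, not a sinkhole entry: ignored
"""

# Addresses used to sinkhole a name; uBlock Origin accepts both IPv4 forms.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names every hosts file carries that are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_hosts_blocklist(text):
    """Return the set of blocked hostnames found in hosts-format text."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINKHOLE_IPS:
            continue                             # not a sinkhole line
        for name in parts[1:]:                   # one IP may map several names
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def is_blocked(hostname, blocked):
    """True if hostname or any parent domain is listed.

    A HOSTS file itself only matches the exact name; uBlock Origin treats a
    hosts-format entry like a domain rule, so subdomains match too. This
    implements the broader uBlock-style match.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    bl = parse_hosts_blocklist(SAMPLE_HOSTS)
    for h in ("2miners.com", "pool.2miners.com", "localhost", "example.org"):
        print(f"{h}: {'blocked' if is_blocked(h, bl) else 'allowed'}")
```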
 


In2an3_PpG

Nov 15, 2016
The Growing Trend of Coin Miner JavaScript Infection

1. CharCode JavaScript
On 6th December 2017, FortiGuard Labs discovered a compromised website - acenespargc[.]com. Looking into the source code, we noticed a suspicious encrypted script which uses the eval() function to convert all the characters into numbers. We used a tool called CharCode Translator to reverse the numbers back into characters. We were then able to retrieve a link which redirects to a scam page or phishing website.

[Screenshot: Part 1]

[Screenshot: Part 2]

The above is just a simple example. The threat actor can actually customize the phishing content by geographical location, and to better avoid detection, it will also disappear when it detects that you have visited the phishing page before.

Using this technique, threat actors are able to hide malicious/phishing/advertising URLs from being seen with the naked eye.

As you will see below, this technique has now been adopted by threat actors to hide Cryptocurrency mining JavaScript in compromised websites, so that whoever visits the website will be “infected” and their computer will start cryptomining for the threat actor. We classify this activity as malicious because it uses other people’s resources without their permission.



2. Packer tool hides CoinHive script
On the 28th of December, FortiGuard Labs learned about another malicious website using the very obfuscation technique we described above – romance-fire[.]com – through a referral from a customer. This website contained obscured malicious code for cryptocurrency mining.

We uncovered the encoded script, and by using the packer tool to unpack it, we found the script has a connection to CoinHive.


[Screenshot: JavaScript from the source code]

[Screenshot: Unpacking the JavaScript – Part 1]

We noticed that the URL (hxxp://3117488091/lib/jquery-3.2.1.min.js?v=3.2.11) didn’t seem like a valid IP or domain. We did some research and found that ‘3117488091’ is the decimal IP of 185.209.23.219 after we converted it at KLOTH.NET. Below is the result:

[Screenshot: decimal IP conversion result]

This site converted the URL to hxxp://185.209.23.219/lib/jquery-3.2.1.min.js?v=3.2.11. From the URL, we retrieved the same pattern of JavaScript, so we unpacked the Script again.

[Screenshot: Unpacking the JavaScript – Part 2]

After a final round of unpacking, we were finally able to retrieve the script that contains CoinHive URLs:

[Screenshot: Unpacking the JavaScript – Part 3]

3. Coin miner from GitHub
On 26th January 2018, we discovered another website – sorteosrd[.]com – which also mines cryptocurrency by hijacking a visitor's CPU. This cryptomining malware again allows hijackers to benefit from mining digital currency without the computer user's permission. We believe that this site might have been compromised or used by the webmaster.


[Screenshot: the website hxxp://sorteosrd.com]

Source code of the website hxxp://sorteosrd.com:

[Screenshot: source code]

Impact of surreptitious cryptomining on user's device

As we can see from the screenshot above, the coin miner dramatically slows down the PC as its CPU is fully utilized after visiting the site.

4. Compromised website – BlackBerry infected with CryptoCoin mining
Another example of a CoinHive script was found at a surprising compromised website – blackberrymobile.com.

[Screenshot: CoinHive script on blackberrymobile.com]

[Screenshot: CoinHive script on blackberrymobile.com, continued]


Even the Blackberry site was compromised for a short time to mine for Monero cryptocurrency.

5. Compromised website – Milk New Zealand infected with deepMiner tool
In addition, we also discovered that one of the largest dairy farm groups in New Zealand, Milk New Zealand, had also been compromised. Our AV lab detected malicious activity from the site, so we looked into the source code and found a script using the deepMiner tool on GitHub to mine Monero, Electroneum, Sumokoin, etc. See the screenshot below:



[Screenshot: JavaScript using deepMiner]

Based on the data in the screenshot above, we learned that this kind of script uses DDNS for its domain and only increases CPU usage by 50% in order to be less noticeable to end users.

6. Even YouTube serves ads with coin mining
The problem of cryptocurrency-mining malware is getting serious. As the number of threat actors looking to earn from cryptomining by hijacking CPU cycles continues to grow, cryptomining malware is showing up in more and more places. A week ago, several malicious ads popped up on YouTube after a threat actor managed to inject a coin miner script into online ads. Luckily, YouTube found the issue and removed the affected ads within two hours.



[Screenshot: Malicious cryptomining YouTube ads]

What can you do to prevent or avoid Coin Miner hijacking?

  1. Clear your browser cache, or install ccleaner software to find and remove unwanted files and invalid Windows Registry entries from your computer
  2. Disable JavaScript in your browser or run a script blocker tool or extension
  3. Install Antivirus software such as FortiClient
  4. Install and run AdBlocker or similar tools, such as Ghostery
FortiGuard has blacklisted all the URLs listed in this blog as Malicious.

IOCs:
Compromised Websites:

  • acenespargc[.]com
  • www[.]romance-fire[.]com
  • milknewzealand[.]com
Newly observed coin mining URLs:

  • hxxp://coinhive[.]com
  • hxxp://minerhills[.]com
  • hxxp://crypto-webminer[.]com
  • hxxp://sorteosrd[.]com
  • hxxp://greenindex[.]dynamic-dns[.]net
  • hxxps://github[.]com/deepwn/deepMiner
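The dotless-decimal host in the write-up above (hxxp://3117488091/... resolving to 185.209.23.219) can be normalised without an online converter, so an obfuscated loader URL can be compared against a blocklist. The following is an added example, not FortiGuard's code; the refang helper and the sample URLs are constructed for it.

```python
# Normalise URLs whose host is a "dotless" decimal IPv4 (e.g. 3117488091) into the
# usual dotted form. Added example; not part of the FortiGuard write-up.
from ipaddress import IPv4Address
from urllib.parse import urlsplit, urlunsplit


def refang(url):
    """Undo the hxxp / [.] defanging used in threat write-ups (constructed helper)."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def decimal_to_dotted(host):
    """'3117488091' -> '185.209.23.219'; None if host is not a dotless decimal IPv4."""
    if not host.isdigit():
        return None
    n = int(host)
    if n > 0xFFFFFFFF:              # more than 32 bits cannot be an IPv4 address
        return None
    return str(IPv4Address(n))      # IPv4Address accepts the integer form directly


def normalize_url(url):
    """Return the refanged URL with a dotless-decimal host rewritten as dotted quad.

    Browsers accept http://3117488091/ and connect to 185.209.23.219, which is
    why the form is useful to attackers and worth normalising before matching.
    """
    parts = urlsplit(refang(url))
    dotted = decimal_to_dotted(parts.hostname or "")
    if dotted is None:
        return urlunsplit(parts)    # nothing to rewrite (name or already dotted)
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    # Sample URL taken from the write-up, defanged as it appears there.
    print(normalize_url("hxxp://3117488091/lib/jquery-3.2.1.min.js?v=3.2.11"))
```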
 

Weebarra

Apr 5, 2017
There is no need to install nocoin because you can add nocoin filters into ublock. Installing an extra extension just increases resource usage (although not significantly).

Thanks for that information @Evjl's Rain, I have both but didn't realise you could add filters to ublock.
Luckily I have never had any notifications from No Coin about mining up until now, but whoever creates these extensions is doing a wonderful job for us.
 

HarborFront

Oct 9, 2016
Yes, there are 2 links.
The first link contains generic adblock rules, which can block un-blacklisted future coinminers.
The second link contains hosts: malicious websites which utilize coinmining (e.g. thepiratebay.cr).

EDIT: uBlock Origin also supports hosts format (127.0.0.1 or 0.0.0.0)
I'm using Nano AdBlocker. Does it also support hosts formats (127.0.0.1 or 0.0.0.0)?

Thanks
 
