Coinhive: Innovative but Abused

Cryptocurrencies are fast becoming, if not already, a massive investment tool that is rewriting the rules as to what the currency currently in your wallet can be. With innovation often comes teething problems, these in themselves are not a worry. What is a worry is how malware authors are exploiting innovative ideas for short-term gain. This is hardly new and seems to be an information age constant in that if a tool or idea can be abused to swindle and extort it shall. This maxim is probably not even an information age phenomenon but one that pervades human history.

Coinhive appears to have started its life fairly innocently. As a tool Coinhive could be used by website owners to generate extra income rather than utilizing ad banners. It is essentially a java library that can be added to the website which when visited by a visitor Coinhive will use a percentage of the visitors CPU to mine Monero. Once the visitor is no longer on the page Coinhive will stop mining using the visitor’s CPU. The Pirate Bay, the famous or infamous depending on which side of the piracy fence you sit, began trailing Coinhive rather than having ad banners on their torrent website. Users were notified about the trial and its implications but were soon dropped by The Pirate Bay due to negative user feedback.

Despite the negative user feedback experienced by the Pirate Bay, the creators of Coinhive developed an innovative piece of code which is forward thinking. Sadly such thinking has already been abused by cybercriminals to mine Monero without the victim’s consent. This is another chapter in the rise in popularity in what is termed by researchers as “cryptojacking”.

 coinhive innovative but abused

Authors of Safebrowser begin abuse of Coinhive

Users, over 140,000 of them, who use Safebrowser, a chrome extension, noticed that upon opening their browser with the extension installed their CPU usage was driven through the roof. It obviously noted by user’s when they saw a massive performance in drop on their system. This resulted in complaints been made and further research be conducted by third parties. Upon a basic evaluation, it could be easily seen that the author had added the Coinhive java library. In this instance as soon as the user’s browser was opened the add-on would begin mining Monero, unlike the original intent of the creators of Coinhive to only mine once a website was visited and end once the visitor left said website. A clear abuse of Coinhive.

Another instance of abuse can be found in a number of CPU resources hijacked for mining. According to research done by writers at Bleeping Computer, once they began testing the extension it was quite quickly noticed that that the hijacked resources amounted to a massive percentage of the overall performance. Upon opening the extension they discovered that Task Manager froze. Once Task Manager began to operate it reported that the extension was using a massive 60% of the CPU resources available.

Safebrowser is still available for download but with no mention on their website or within the privacy policy of the inclusion of the Coinhive library. In Bleeping Computer’s published article regarding the matter, they reached out to the authors of Safebrowser for a response, to which they responded, “Unfortunately we have no knowledge, apparently has been a hack. I'm currently researching, I have already contacted the Google team. The extension has not received an update for months, so I do not know what it's all about.” Given Safebrowser’s less than spectacular past with abusing extensions if you take this response with a pinch of salt you would be forgiven.

Typosquatted domains and hacked Wordpress sites followed

In another cunning instance, someone registers the domain name twitter.com.com and embedded the Coinhive library onto the website, thus anybody who misspelled the address they were intending to go, in this case, Twitter, would be directed to the above domain and Monero would be mined for the seconds it took to realize their mistake. If the person began to register more domain based on the same idea it is more than possible to generate a tidy profit.

Researchers at Sucuri then discovered that Wordpress website had been hacked to include the Coinhive miner. Not only were Wordpress websites modified to include the miner but Magento websites as well. While the use of crypto jackers may be relatively new the vectors of attack are not. Hackers are still using the tried and tested methods to deliver malicious payloads. This, in turn, means they can be detected even if the change in CPU performance seems unnoticeable. However, in most instances, it will be the obvious drop in performance that will serve as a key indicator in determining if a miner has been deployed on the system.

Not to left out of the cryptocurrency party, one of the biggest maladvertisers has also begun to use Coinhive in additional to their stock adware, according to researchers at TrendLabs. Malicious ads would direct users to bogus tech support websites embedded with the miner which would mine Monero while the user figured out if the website was legitimate or not.

The year of cryptocurrency miners

While still a relatively new method of extorting money, the popularity of employing such methods has risen dramatically. Kaspersky reported that it has seen over 1.65 million computers infected with a miner of one sort or the other. IBM has also reported a spike in miners installed on enterprise networks. So far in 2017, 16 distribution campaigns have been detected spreading cryptocurrency miners. Amazon, CS:GO, and Linux have been some of the prominent names affected by such campaigns. Given the increasing popularity of cryptocurrencies and the almost zero-sum game for hackers wishing to deploy miners, users can expect to see a massive surge in such campaigns.

The following is a list of campaigns for the calendar year so far:

  • Terror Exploit Kit dropped a Monero miner back in January
  • Even some Mirai botnet variants tested a cryptocurrency mining function
  • Adylkuzz cryptocurrency miner deployed via EternalBlue NSA exploit
  • Bondnet botnet installed Monero miners on around 15,000 computers, mostly Windows Server instances
  • Linux.MulDrop.14 malware mines for cryptocurrency using Raspberry Pi devices exposed online
  • Crooks targeted Linux servers via SambaCry exploit to deploy EternalMiner malware.
  • Trojan.BtcMine.1259 miner uses NSA's DobulePulsar to infect Windows computers
  • DevilRobber cryptocurrency miner became the second most popular Mac malware in July
  • Linux.BTCMine.26, a Monero miner that included references to Brian Krebs in its source code.
  • CoinMiner campaign that used EternalBlue and WMI to infect users
  • Zminer trojan found infecting Amazon S3 servers
  • CodeFork gang used fileless malware to push a Monero miner
  • Hiking Club malvertising campaign dropped Monero miners via Neptune Exploit Kit
  • A CS:GO cheat that delivered a Monero miner for MacOS users
  • Jimmy banking trojan adds support for a Monero miner
  • New Monero miner advertised via Telegram

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal