Tejas Girme & Rishikesh Bhide of Qualys Malware Research Labs present “New Frontiers in Cryptojacking” at the 21st Anti-Virus Asia Researchers International Conference (AVAR) 2018 in Goa, India.
Cryptojacking attacks are evolving over time to better evade detection by both end users and protection technologies. It’s therefore important for security teams to understand how these attacks work so they can best protect their system resources. In a recent talk at AVAR 2018, Qualys Malware Research Labs presented an analysis of several evasion techniques used by attackers to deliver the Cryptojacking code to web browser and how existing protection technologies stack up against them.
CoinHive was the first browser-based CryptoMining service provider. They made it possible to enable browser-based mining on a website by embedding just a few lines of code. Adversaries seized this opportunity and Cryptojacking attacks became prevalent.
A simple protection against these attacks by blacklisting domains which are hosting CryptoMining scripts. This was achieved with ease by blocking access to such domains through IPS.
In order to evade domain-based detection, attackers then adapted approaches like proxies and URL randomization to bypass firewall rules. Attackers also leveraged legitimate content delivery services like Github & Pastebin to host coin-mining scripts.
Figure 2 displays a code snippet from an actual attack, where the proxy domain acts as a gateway for delivering the mining payload.
Figure 2: Website loads script hosted on a proxy server.
As a large number of proxy domains is created every day, it became impossible to keep on updating Firewall/IPS rules. This problem was addressed by web browser extensions to protect against Cryptojacking attacks. Some of the early extensions were ‘No Coin’ & ‘MinerBlock’. These extensions relied mainly on crowd-sourced blacklists comprising domains & urls hosting CryptoMining scripts (e.g. ‘nocoin-list’).
Figure 3 below shows an example of how obfuscated miner code was hosted behind the proxy server.
Figure 3: Website loads obfuscated script hosted behind the proxy server.
Attackers often utilize the full power of the CPU to maximize revenue generated from mining activity. This allowed AV engines to make use of behavior-based signatures to identify mining activity by monitoring CPU usage pattern of every browser instance. AV can terminate a browser instance which is performing CryptoMining.
To remain completely stealthy from both users & detection technologies, the attack techniques also evolved. Instead of utilizing 100% CPU each time, they started to randomize CPU consumption in the range of 40-80% to ensure there is no visible performance impact for the user. This approach reduced the revenue generated per user to some extent, but it allowed them to run campaigns for a longer duration without getting detected.
Figure 4 highlights the configurations used to control the amount of CPU consumption while mining. Throttle 0.2 means it will consume 80% of CPU resources for mining activity.
Figure 4: Cryptojacking code makes use of a throttling parameter.
For more details and examples of attacks using these techniques, please see our previous blog post, Tale of a Friendly CryptoMiner.
Based on our research, Qualys Malware Research Labs developed a free Chrome Web browser extension Qualys BrowserCheck CoinBlocker.
As new attacks emerge, our R&D team analyzes them and devises new detection techniques that are then incorporated into the new update of the extension. We ensure that our users are always protected against these new attacks.