Qualys BrowserCheck CoinBlocker Protects Users From Active Cryptojacking Campaigns


Qualys Malware Research Labs recently released the [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension. We have seen enthusiastic adoption from users across the globe in the first week since its release, which has given us enough telemetry data to indicate success in protecting users from popular cryptojacking attacks. This blog post details those detection statistics and analyzes a few interesting cryptojacking campaigns uncovered by Qualys BrowserCheck CoinBlocker.

### About Qualys BrowserCheck CoinBlocker

Qualys BrowserCheck CoinBlocker protects users from browser-based coin-mining attacks. Along with blacklisting and whitelisting of domains, it also supports advanced JavaScript scanning to identify and block malicious JavaScript functions. The extension can also identify and block malicious coin-mining advertisements loaded inside iframes by third-party ads.

Download [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) for free!

### Qualys BrowserCheck CoinBlocker Detection Statistics

The world heat map below shows the geographical distribution of mining threats as a percentage of detections blocked by Qualys BrowserCheck CoinBlocker. Among the top five countries where mining threats were detected and blocked, Bulgaria (33%) topped the list, followed by India (18%), the United States (16%), Argentina (10%) and Thailand (9%).

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig1-600x372.png)

Fig-1: The mining threats detected by Qualys BrowserCheck CoinBlocker

Qualys BrowserCheck CoinBlocker makes use not only of traditional domain-based blacklisting but also of heuristics and script-based detections, and those detections account for more than 50% of total matches. The following figure displays the distribution of detection techniques used by Qualys CoinBlocker to identify mining threats.
The numbers demonstrate CoinBlocker's ability to provide a range of detections to our users rather than relying on simple domain blacklists, a technique commonly used by other similar extensions.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig2-600x344.png)

Fig-2: Qualys BrowserCheck CoinBlocker Detection Techniques Distribution

### Uncovering New Cryptojacking Campaigns

After analyzing the telemetry data collected by BrowserCheck CoinBlocker in its first week since release, researchers at Qualys have discovered some interesting cryptojacking campaigns. We did additional research into three of them to illustrate some of the different threats that BrowserCheck CoinBlocker can protect against.

### Campaign #1: Tale of a "Friendly CryptoMiner"

The Korean website _[redacted]mart[.]co[.]kr_ is an online shopping portal that sells barcode scanning devices. We observed that the website is infected with two Monero mining mechanisms: one using the Photominer library and the other using the browser-based CoinHive library.

The home page of this site is injected with an _iframe_ just before the HTML _title_ tag that references the _Photo.scr_ file. _Photo.scr_ is a cryptomining trojan that installs components to mine the Monero cryptocurrency. At the time of investigation, the Monero miner component was not found on the infected server.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig3.png)

Fig-3: _iframe_ for Monero CryptoMiner

The second infection is a script tag injected at the end of the web page that acts as a gateway to the CoinHive mining payload, as shown in the figure below.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig4.png)

Fig-4: Script acts as a gateway for the CoinHive CryptoMiner

The script _ghastly[.]js_ contains code that decodes a UTF-16-escaped URL and uses it to load a JavaScript component hosted remotely at _<6 random characters>[.]adfrend[.]com/friendly[.]js_.
![](https://blog.qualys.com/wp-content/uploads/2018/08/fig5-600x129.png)

Fig-5: Content of script _ghastly[.]js_

The _friendly[.]js_ script (Fig-6) actually loads the CoinHive library and starts the mining activity. It uses the **_Yhq8T4J346CyN0xRMUg6ylylnLIMtqLi_** sitekey for cryptocurrency mining. Its _throttle_ parameter is set to 0.2, which means it would consume up to 80% of the CPU resources on the victim's computer.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig6-600x155.png)

Fig-6: _friendly[.]js_ hosted at _adfrend[.]com_

### Campaign #2: Online Proxy Service Pushing Crypto-Miner

_Crushus[.]com_ (or _curd[.]io_) is an online proxy service popular for accessing blocked and censored websites. Such services are popular among users who want to reach torrent, social media and gaming sites that are blocked by security policies in enterprise environments or legally banned in some countries. [SimilarWeb](<https://www.similarweb.com/website/crushus.com#overview>) statistics show that _crushus[.]com_ has more than 2 million total visits, and it is ranked 37,536 in the [Alexa](<https://www.alexa.com/siteinfo/crushus.com>) Top 40K global website ranking. As highlighted in Fig-7, the _Crushus_ service lures users by promising free access to censored or blocked websites.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig7-600x445.png)

Fig-7: _Crushus_ proxy webpage

When a user opens any website through the _Crushus_ proxy service, the proxy server injects the visited web page with code that loads the browser-based cryptocurrency miner. Nothing is really free in this world! Fig-8 below shows the cached Facebook homepage with an injected advertisement as rendered by the proxy service. When users enter their login credentials on this fake webpage, they land on another advertisement page instead of the actual Facebook page, eventually resulting in credential theft and cryptojacking!
A lot of free proxy services are notorious for exploiting unsuspecting users by showing unsolicited advertisements, running phishing campaigns and, now, cryptojacking.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig8-600x330.png)

Fig-8: _Crushus[.]com_ proxy service loads a Facebook page with a cryptominer injected

The proxy service injects its cached web page with code that triggers the browser-based cryptominer. The miner uses the **_loYznHxHRM2eZ461L3Vt64ezvjcaUsq5_** sitekey for mining.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig9-600x265.png)

Fig-9: CryptoMiner code injected in the cached _facebook[.]com_ webpage

### Campaign #3: "ThePirateBay" is Back in the Game

ThePirateBay (TPB) is the world's largest peer-to-peer file-sharing website. It uses a BitTorrent indexer for big and fast file transfers and was [in the news a year ago](<https://www.bleepingcomputer.com/news/security/psa-the-pirate-bay-is-running-an-in-browser-cryptocurrency-miner-with-no-opt-out/>) when it opted to monetize through browser-based JavaScript Monero miners instead of displaying advertisements.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig10-600x351.png)

Fig-10: _ThePirateBay_ blog post from a year ago

A year later, ThePirateBay is still actively cryptojacking! As shown in Fig-11, the note displayed on its home page warns users that browser-based cryptomining is the price of using its services.

![](https://blog.qualys.com/wp-content/uploads/2018/08/fig11-600x301.png)

Fig-11: _ThePirateBay_ warns users about the use of a CryptoMiner

Fig-12 below shows the code the TPB site uses, which raises CPU usage by 10-20% and connects using the **_37efd635d0ec154de4d0b17dd1952aa3b5e88acd6bbe_** CoinHive sitekey.
![](https://blog.qualys.com/wp-content/uploads/2018/08/fig12-600x89.png)

Fig-12: CryptoMiner code in the _ThePirateBay_ site

### Conclusion

Monero is likely to remain attackers' favorite cryptocurrency because of its easy integration and its privacy and anonymity features. It offers them new revenue streams to fund future attacks. In the coming months, we expect to witness widespread adoption of cryptominers in exploit kits and through malvertising delivery mechanisms. They will likely continue to evolve, using various obfuscation techniques to evade detection.

As we continue to research online threats, we are also uncovering more in-the-wild cryptojacking campaigns that target vulnerable websites or are delivered through _free_ services like online proxies, peer-to-peer file-sharing websites or adult websites.

The statistics show that CoinBlocker protected 22% of unique users from at least one cryptojacking attack. This translates to 1 in 5 users who will likely come across a website that cryptojacks. So we advise our users to install the [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) extension to stay protected from cryptojacking attacks.