
Cryptojacking, a compound word for cryptocurrency and hijacking, is a cybercrime in which an attacker uses malicious links to lure victims to a website that loads cryptomining JavaScript, infects their computers, and then uses their resources to mine cryptocurrency. The number of malicious mining scripts installed without the user's knowledge has risen rapidly. As a result, companies affected by this type of attack can experience network disruptions and face excessively high fees for cloud services.
Using browser-based cryptocurrency mining, attackers can infect a system with just a few lines of JavaScript. CoinHive and DeepMiner are tools commonly used by hackers for this purpose. While the incidence of cryptojacking through these miners has decreased, the Criminal IP Team has discovered that many PCs remain infected.
How to Search for CoinHive Miner on Criminal IP Asset Search
When searching for "CoinHive" using Criminal IP Asset Search, 14,590 IP addresses are displayed, all of which may be considered infected servers. The search result suggests that web applications such as WordPress, Magento, and Drupal are infected with these malicious scripts and exploited to mine cryptocurrency.
The CoinHive miner, which primarily mines Monero (XMR), works by running JavaScript code once a user accesses an infected website; it then uses the user's available CPU power to mine cryptocurrency. If there are 10 to 20 active miners on a server, they can expect to make an average monthly profit of about 0.3 XMR (~$109).
The following are the keywords we used to look for CoinHive Miner.

Result when searching for the keyword "CoinHive" on Criminal IP Asset Search

A website infected by CoinHive Miner
The image below shows JavaScript code that contacts the CoinHive server.
The default name for the CoinHive JS library file is "coinhive.min.js", although it is sometimes loaded under a different name. To obtain the most accurate results on Criminal IP, it is essential to confirm the presence of the "CoinHive.Anonymous" string.

JavaScript code that runs CoinHive Miner
You can find the domain address of the CoinHive mining pool as well. Currently, this website cannot be reached.

How to Search for DeepMiner on Criminal IP
DeepMiner, another popular cryptominer, is an open source JavaScript-based miner for cryptocurrencies such as XMR and ETN. The filter used to look for DeepMiner is similar to the one used for CoinHive, and with it you can find about 50 websites on Criminal IP Asset Search.

Result when searching for the keyword "deepMiner.Anonymous" on Criminal IP Asset Search

A website infected by DeepMiner
One distinctive feature of the DeepMiner JavaScript source code is that its library is named "jqueryeasyui.js", which resembles the name of the jQuery library. This causes confusion and makes the miner harder for the public to detect.

JavaScript source code that runs DeepMiner Bot
How to Search for Crypto-Loot Bot on Criminal IP
Crypto-Loot is a mining bot that competes with CoinHive. When searching for the keyword "CRLT.Anonymous" on Criminal IP Asset Search, 1,209 results are displayed, but many of these servers return a 403 Forbidden status code.

Result when searching for the keyword "CRLT.Anonymous" on Criminal IP Asset Search
Since 403 Forbidden sites do not provide much information, it is recommended to narrow the search results to 200 OK servers only in order to find the infected servers.
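As an added example (not the article's or Criminal IP's own code, and not a call to the Criminal IP API), the following Python script applies the indicator strings named above for CoinHive, DeepMiner and Crypto-Loot to a set of constructed HTTP responses, treating the "*.Anonymous" constructor strings as confirming evidence, the "coinhive.min.js" and "jqueryeasyui.js" file names as weaker hints, and skipping any response that is not 200 OK. The hostnames, paths, response bodies and "SITE_KEY" values are made up for the example.

```python
from typing import Dict, List, Tuple

# Indicators the article associates with each browser miner family.
# The "*.Anonymous" constructor strings are the confirming signal; bare
# script file names are only a weak hint, because CoinHive is sometimes
# loaded under another name and jqueryeasyui.js mimics a jQuery plugin name.
MINER_SIGNATURES: Dict[str, Dict[str, List[str]]] = {
    "CoinHive":    {"strong": ["CoinHive.Anonymous"],  "weak": ["coinhive.min.js"]},
    "DeepMiner":   {"strong": ["deepMiner.Anonymous"], "weak": ["jqueryeasyui.js"]},
    "Crypto-Loot": {"strong": ["CRLT.Anonymous"],      "weak": []},
}

# Constructed sample responses (status, body); hostnames, paths and the
# "SITE_KEY" values are placeholders, not observed data.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "host-a.example": (200, '<script src="coinhive.min.js"></script>'
                            '<script>var m = new CoinHive.Anonymous("SITE_KEY"); m.start();</script>'),
    "host-b.example": (200, '<script src="/js/jqueryeasyui.js"></script>'
                            '<script>var miner = new deepMiner.Anonymous("SITE_KEY"); miner.start();</script>'),
    "host-c.example": (403, '<h1>403 Forbidden</h1>'),
    "host-d.example": (200, '<script>var miner = new CRLT.Anonymous("SITE_KEY", {threads: 2});</script>'),
    "host-e.example": (200, '<script src="/wp-includes/js/jquery/jquery.min.js"></script>'),
}

def classify_page(status: int, body: str) -> List[Tuple[str, str]]:
    """Return (family, confidence) pairs for miners found in a 200 OK body.

    Non-200 responses (such as the 403 Forbidden servers in the Crypto-Loot
    results) expose no page content, so they are skipped rather than scored.
    """
    if status != 200:
        return []
    hits: List[Tuple[str, str]] = []
    for family, sigs in MINER_SIGNATURES.items():
        if any(s in body for s in sigs["strong"]):
            hits.append((family, "confirmed"))
        elif any(s in body for s in sigs["weak"]):
            hits.append((family, "suspect"))
    return hits

def scan_hosts(responses: Dict[str, Tuple[int, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every host; hosts with no indicator are left out of the report."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for host, (status, body) in responses.items():
        hits = classify_page(status, body)
        if hits:
            report[host] = hits
    return report
```

Calling scan_hosts(SAMPLE_RESPONSES) reports host-a, host-b and host-d as confirmed; the 403 host and the host that only loads the genuine jQuery library are left out.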

Search result after narrowing down to only 200 OK Crypto-Loot miners

JavaScript source code that runs Crypto-Loot Miner Bot
How to Search for CoinIMP Bot on Criminal IP
CoinIMP is a browser-based cryptocurrency mining script that can be installed on vulnerable Drupal websites by infecting their index.php files. Once installed, it starts mining cryptocurrency when visitors browse the website's main page. When searched on Criminal IP Asset Search, 389 sites were found.

JavaScript source code that runs CoinIMP Bot
CoinIMP Miner differs from the mining bots mentioned above in that its JS file names are always randomly generated, making it difficult to detect by simple file name. In addition, CoinIMP Miner is particularly concerning because it can consume up to 30% of a victim's CPU resources, which is much higher than the other cryptojacking miners.

JavaScript source code that runs CoinIMP Miner Bot

The JS file name that loads CoinIMP Miner is randomly generated, making it irregular in form.
Recently, there have been reports of malware called "Denonia" that installs a cryptominer in AWS cloud environments. Although it is uncertain whether the following website is infected by Denonia, a message believed to have been left by a hacker was found on Criminal IP.

AWS ECS container with installed CryptoMiner
It is possible that Amazon ECS (Elastic Container Service) has been infected through the installation of a coin miner. This may have been done through AWS Lambda, a serverless computing platform provided by AWS that runs applications or functions without provisioning servers.

Screenshot of a website after installing a miner in an ECS container using AWS Lambda
Cryptojacking is a silent cybercrime that can seriously affect individuals and companies. Attackers use malicious links to infect computers with cryptomining JavaScript, using the victims' resources to mine cryptocurrency without their knowledge. Unfortunately, browser-based cryptocurrency mining has made it easy for attackers to infect systems with just a few lines of code, and commonly used tools like CoinHive, DeepMiner, Crypto-Loot, and CoinIMP have caused widespread infections. However, tools like Criminal IP Asset Search can help individuals and companies detect these mining bots and protect their systems from further attacks. It is therefore important to remain vigilant and regularly check for the presence of these mining bots on your systems to ensure the security of your personal and business data.
Source: Criminal IP
