Study: Coinhive Miner Earns $250,000 in Monero in a Month

How Coinhive works and how it was exploited

Coinhive is a basic cryptocurrency miner that website administrators or operators can embed into their websites. When users visit sites that host the Coinhive miner, JavaScript runs the miner directly in the user's browser in the background. The user's computer processor will be used for mining.

This tool was developed as an alternative method for website administrators to generate income. His main idea was to get rid of ugly advertising banners that take up space on the site, the display of which users still block using various ad blockers (adblock). Instead of Bitcoin (BTC) or other popular cryptocurrencies, Coinhive mines Monero (XMR), which at the time of this writing is worth about 35 times less than Bitcoin, but is still in the top ten most expensive cryptocurrencies (by price per coin).

Coinhive itself is a fairly legitimate company, but recent events have shown how easily their JavaScript mining technology can be exploited by hackers looking to make a few crypto bucks quickly.

The BlackBerry case is actually just one of many cases where hackers or ISPs have used Coinhive technology for their own selfish and harmful purposes. In October, TrendMicro discovered several applications in the Google Play Store that used Coinhive mining technology to mine cryptocurrency without the user's knowledge. There have also been reports of Coinhive miners built into the Starbuck website, hosted there by the ISP itself.

Monero continues to resist ASIC mining

In response to the growing threat of ASICs centralizing its mining, the Monero network. plans to implement a hard fork on block 1788000.

At current speeds, an ASIC-resistant fork could go down on or around March 9, followed by another hard fork at block height 1788720 on March 10. The code updates are the latest from the Monero developers, who have been working on ASIC mining for a long time. ineffective on their network. The privacy-focused project is among a number of businesses that believe that mining and its benefits should be made available to individuals using only GPU or CPU-based miners.

In the past, much of the cryptocurrency community has felt the influence of ASIC miners developed by mining giants. This is especially noticeable on the Bitcoin network. However, at the beginning of 2020, a number of mining companies announced the release of ASICs designed specifically for Monero mining.

Read also: Mining Monero

In an attempt to mitigate the threat, the Monero core team moved to implement an emergency hard fork. Developers at Monero believe that since ASICs are typically manufactured by multiple companies, they represent a single point of failure, which is a case that most cryptocurrency projects try to avoid.

On April 6, 2020, Monero hard forked and was able to prevent ASIC for a while as hashrate dropped by more than half and it was rationalized that ASIC mining under these conditions would neither be profitable nor many of the ASIC miners in circulation would be able to update their software enough quickly to function effectively.

However, a recently published research report has revived the conversation about specialized miners and the threat they could pose to the Monero community. An anonymous analyst under the name MoneroCrusher was able to determine that the majority of the hashrate on the network was generated by ASICs.

In this report, the analyst was able to determine that over 85% of Monero's current hashrate comes from ASICs and that each machine runs at 128 kHz/s. The analyst came to these conclusions by analyzing nonces on the network. Noces are random numbers generated as a by-product of the mining process.

Read also: BTCC will close its mining pool due to “Business Adjustments”

The report prompted a response from the core team, who then published details of the software update after what they described as a conversation both within the team and with the wider community.

The March 9 update won't introduce many new features to the core software that powers the privacy-focused digital asset. The main goal is to implement “a third PoW setting (CryptoNight-R) to curb the ASICs currently present on the network and further maintain ASIC resistance. As a result, miners will also have to update their miners (i.e. mining software). "

Another minor change planned to be included in the update is the addition of a new payment notification system. The second update, tentatively scheduled for March 10, should consolidate the changes made in the previous fork.

While much of the Monero community has praised the relatively quick response from the core development team following the MoneroCrusher report, some sections of the community are unhappy with the way the update was discussed and decided upon, as well as the way the disclosure was made.

Read also: Russian startup turns aluminum smelter into Bitcoin mining

Monero web miner 'CoinHive' is shutting down

Initially, Monero's web miner, CoinHive, announced that it would stop mining. In a blog post, CoinHive explained that this operation was no longer cost-effective after a number of changes in market conditions. The company explained: “The drop in hash rate (over 50%) since the last Monero hard fork has hit us hard. So did the “crash” of the cryptocurrency market, with the value of XMR declining by over 85% over the course of a year. This and the Monero network's announced hard fork and algorithm update on March 9 led us to the conclusion that we need to stop Coinhive."

CoinHive came into the spotlight when it was announced that a significant number of websites were adding software provided by the company to develop Monero without the knowledge of their users. CoinHive promoted the software as a way for website owners to make money without placing ads on their pages.

However, since the mining occurred without the knowledge of their users and also significantly slowed down the affected computers, the move caused significant public outcry, leading many security companies to create ways to stop the malware.

Read also: Russian mega-factory will turn into a huge Bitcoin mining farm: details

While CoinHive may be closing its doors, the Monero malware mining boom that was sparked by CoinHive in late 2020 has seen the "cryptocurrency" become one of the top threats to internet users, and there appears to be an end to that can not see.

New Monero malware hits Windows OS

Security and intelligence company Trend Micro has announced the emergence of new Monero malware targeting Windows users. Attackers are reportedly focusing their efforts on Asian countries, with the majority of viruses originating in China, Taiwan and Hong Kong. Several users in Italy were also affected.

The malware enters devices through infected websites or other malicious programs. Once logged in, it connects to the network and downloads the newest version. He then downloads encrypted miner software and begins mining Monero. In addition, it connects to multiple IP addresses to transmit information about the host device.

The malware moves laterally across the network, similar to the Petya malware that was distributed in 2018. To further evade detection, the attackers ensured that operations began on days that coincided with weekends in the affected countries. To protect their devices, users are advised to always stay up to date with all software updates provided by Windows.

The price of Monero XMR has increased by approximately 12% over the past month. It remains to be seen how the upcoming changes will impact the price of the leading privacy-focused cryptocurrency and how effective the planned forks will be in the battle against ASICs.

How the vulnerability in Coinhive can be exploited

There are several projects on GitHub, such as CoffeeMiner, designed to perform man-in-the-middle (MitM) attacks to inject Coinhive miners into web browsers connected to public Wi-Fi hotspots. However, based on our experience with MitM attacks, we think it would be much easier to use a tool like Man-in-the-Middle Framework (MITMf) to achieve the same results with just one command. MITMf is a great tool designed to make MitM attacks as easy as possible.

In our article, we will use MITMf to inject the Coinhive miner's JavaScript code into other browsers that are on the same Wi-Fi network. This will allow us to insert JavaScript miners into the web pages that unsuspecting cafe patrons find themselves on as they surf the Internet.

Before we begin, it's worth noting that Coinhive will ban any account if the owner of that account is found to be using a JavaScript miner in any unauthorized way, such as hacking. Therefore, we recommend that you use this article for educational purposes only.

How to protect yourself from JavaScript miners

It has become clear that ad blockers are not the most effective method of combating JavaScript miners. Using some very common methods, cryptocurrency miners can still get into your web browser.

The best way to avoid malicious JavaScript code running in your browser is to disable JavaScript completely. Enable and use JavaScript only when absolutely necessary. NoScript is often recommended by security experts and is currently the most convenient way to quickly enable JavaScript as needed. The Opera browser also has a NoCoin feature that blocks cryptocurrency mining scripts on web pages. So this is a very interesting browser option if you don't like Chrome, Safari, Edge, etc. However, there are some browser extensions that do something similar. If you don't want to block JavaScript, you can check your CPU usage more frequently to see if there are any suspicious CPU usage spikes that could indicate mining going on in the background. On a Windows computer, you can use "Task Manager", and on Mac computers it will be "Activity Monitor". You can also simply check your browser's address bar. If you are on a site that has an HTTPS padlock in the top left corner, then you are most likely not subject to a MitM attack. Many websites are added to browsers' HSTS prefetch lists, which means that even if a MitM attack tries to intercept HSTS headers and redirect the request to HTTP instead of HTTPS, the browser will not do this because it knows that it should only communicate for domains using HTTPS. Thus, the Coinhive miner hacks described above will no longer work on such sites. You can check if a site is on your browser's HSTS preload list by entering the root domain name into an online tool. Another measure you can take to protect yourself from MitM attacks when using public networks is to use a virtual private network (VPN). When using a VPN, it will not block the miner script running on the server; it will bypass the MitM attack on a specific access point. If you use an ad blocker, be sure to use one that works at the DNS level, and not just at the HTML tag level. While this won't necessarily stop your computer from becoming a miner, it will at least prevent hackers from getting any rewards out of it.

Windows 10

Click on the search button

In the input field, type Control Panel .

Press Enter.

The Control Panel will open, in it select Uninstall a program .

You will be shown a list of all programs installed on your computer. Review it carefully and remove any that seem suspicious to you or that you are sure you did not install yourself. To remove, select a program from the list and click the Remove/Change .

Next, follow the Windows instructions.

Remove Coinhive virus from Chrome, Firefox and Internet Explorer using AdwCleaner

AdwCleaner is a small program that does not require installation on your computer and is designed specifically to find and remove adware and potentially unnecessary programs. This utility does not conflict with the antivirus, so you can safely use it. There is no need to uninstall your antivirus program.

Download the AdwCleaner program by clicking on the following link.

Downloaded 1013211 times Version: 8.0.7 Author: Malwarebytes, Xplode Category: Security Update date: July 23, 2020

After the program has finished downloading, run it. The main AdwCleaner window will open.

Click on the Scan . The program will begin checking your computer. When the scan is completed, you will see a list of found components of the Coinhive virus and other parasites found.

Click the Cleanup . AdwCleaner will begin cleaning your computer and will remove all malware components found. At the end of treatment, restart your computer.

Remove Coinhive virus using Zemana Anti-malware

Zemana Anti-malware is a utility that allows you to quickly scan your computer, find and remove a variety of malicious programs that display ads and change the settings of installed web browsers. In addition to the classic method of finding malware, Zemana Anti-malware can use cloud technologies, which often allows you to find malware that other antivirus programs cannot detect.

Download Zemana AntiMalware using the link below. Save the program to your Desktop.

Downloaded 69010 times Author: Zemana Ltd Category: Security Date updated: July 16, 2019

When the download is complete, run the file you downloaded. The Installation Wizard window will open in front of you, as shown in the example below.

Follow the instructions that appear on the screen. You don't have to change anything in the settings. When the installation of Zemana Anti-Malware is completed, open the main program window.

Click on the “Check” button to start the process of searching for the Coinhive virus. The scanning process is quite fast, but may take longer if there are a large number of files on your computer or if the system is slow.

When the scan is completed, you will see a list of malware components found. Here, simply click the “Next” button to remove the detected malware and move it to quarantine.

Remove Coinhive virus using Malwarebytes

Malwarebytes is a well-known program designed to combat a variety of adware and malware. It does not conflict with the antivirus, so you can safely use it. There is no need to uninstall your antivirus program.

Download Malwarebytes Anti-malware using the following link.

Downloaded 382927 times Version: 4.1 Author: Malwarebytes Category: Security Update Date: April 15, 2020

When the program downloads, run it. The Program Installation Wizard window will open in front of you. Follow his instructions.

When the installation is complete, you will see the main program window.

The program update procedure will start automatically. When it is completed, click on the “Run scan” button. Malwarebytes Anti-malware will begin scanning your computer.

When the scan of your computer is complete, Malwarebytes Anti-malware will show you a list of malware and adware parts found.

To continue treatment and removal of malware, you just need to click the “Quarantine selected objects” button. This will start the removal procedure for Coinhive virus and other malware.

Remove Coinhive virus in Chrome by resetting browser settings

Like some other browsers, Google Chrome has one very important and convenient feature - reset all settings to their original values ​​and thus get rid of the Coinhive virus. At the same time, all saved passwords, bookmarks and other personal data will not be affected.

To reset the settings, launch the browser and click on the button in the form of three horizontal stripes (). This will open the browser's main menu. Here click on Settings.

Google Chrome will open a page for you that allows you to change its basic settings. Scroll down and click on the “Show advanced settings” link. On this page, previously hidden additional settings will open. Scroll down the page until you see the Reset Settings button. You need to click on it. The browser will open a small dialog box asking you to confirm your actions.

Click on the “Reset” button. The browser will start the cleaning process and when it is completed, Chrome settings will be reset to their original settings. This will help you disable malicious extensions and thus remove Coinhive virus.

Remove Coinhive virus in Firefox by resetting browser settings

Resetting Firefox settings will remove malicious extensions and restore browser settings to default values. At the same time, your personal data, such as bookmarks and passwords, will be saved.

Open the main menu of Chrome by clicking on the button in the form of three horizontal stripes (). In the menu that appears, click on the question mark icon (). This will bring up the Help menu as shown in the image below.

Here you need to find the Troubleshooting Information item. Click on it. In the page that opens, in the Set up Firefox section, click the Clean Firefox button. The program will ask you to confirm your actions.

Click the Clean Firefox button. As a result of these actions, the browser settings will be reset to their original settings. This will remove the Coinhive virus.

Remove Coinhive virus in Internet Explorer by resetting your browser settings

Resetting Internet Explorer and Edge settings will remove malicious extensions and restore browser settings to default values.

Open the main browser by clicking on the button in the form of a gear (). In the menu that appears, select Internet Options.

Here, open the Advanced tab, and in it click the Reset button. The Reset Internet Explorer settings window opens. Check the box next to Delete personal settings, and then click the Reset button.

When the factory reset process is complete, click Close. For the changes to take effect, you need to restart your computer. This way you can get rid of the Coinhive virus.

Block Coinhive, loading dangerous and fraudulent sites

To increase the protection of your computer, in addition to anti-virus and anti-spyware programs, you need to use an application that blocks access to a variety of dangerous and misleading websites. In addition, such an application can block the display of intrusive advertising, which will also lead to faster loading of websites and a reduction in web traffic consumption.

Download the AdGuard program using the following link.

Downloaded 188784 times Author: © Adguard Category: Security Update date: July 17, 2018

After the download is complete, run the downloaded file. The Program Installation Wizard window will open in front of you.

Click on the I accept the terms and conditions button and follow the instructions of the program. Once the installation is complete, you will see a window as shown in the image below.

You can click Skip to close the installer and use the default settings, or the Get Started button to familiarize yourself with AdGuard's features and make changes to the default settings.

In most cases, the standard settings are sufficient and there is no need to change anything. Every time you start your computer, AdGuard will start automatically and block pop-up ads, Coinhive, and other malicious or misleading web pages. To get acquainted with all the features of the program or to change its settings, you just need to double-click on the AdGuard icon, which is located on your desktop.

Check the task scheduler

To completely clean your computer, you also need to check the Task Scheduler Library and delete all tasks that were created by malicious programs, since they may be the reason for the Coinhive virus to automatically launch when you turn on the computer or at regular intervals.

Press Windows and R (Russian K) on your keyboard at the same time. A small window will open with the title Run. In the input line, enter “taskschd.msc” (without quotes) and press Enter. The Task Scheduler window will open. On the left side, select “Task Scheduler Library”, as shown in the following example.

In the middle part you will see a list of installed tasks. Select the first task, and in its properties, which will open just below, select the Actions tab. Go through each task one by one, paying attention to what it runs on your computer. If you find something suspicious, check it through our website or in a search engine by the name of the file being launched. If the file is a component of a virus or malware, then this task can also be safely deleted.

Having decided on the task that you want to delete, right-click on it and select Delete. Perform this step several times if you find several jobs that were created by malware. An example of deleting a task created by an adware virus is shown in the figure below.

After deleting all tasks, close the Task Scheduler window.

By following these instructions, your computer should be completely cured of the Coinhive virus. Unfortunately, the authors of malicious applications constantly update them, making it difficult to treat your computer. Therefore, if these instructions did not help you, then you have become infected with a new version of the Coinhive virus, and then the best option is to contact our forum.

In order to avoid infecting your computer in the future, please follow three small tips

  • When installing new programs on your computer, always read the rules for their use, as well as all the messages that the program will show you. Try not to install with default settings!
  • Keep anti-virus and anti-spyware programs updated to the latest versions. Please also note that you have Windows automatic updates enabled and all available updates are already installed. If you are not sure, then you need to visit the Windows Update website, where they will tell you how and what needs to be updated in Windows.
  • If you use Java, Adobe Acrobat Reader, Adobe Flash Player, be sure to update them on time.

How profitable is JavaScript mining?

Readers wondering how profitable Coinhive mining is can check out this article by Maxence Cornet on Medium. Maxence tried to use Coinhive on his website several times with the goal of replacing traditional banner ads with Coinhive's JavaScript miner. He says that with 1000 website visits per day:

"I made 0.00947 XMR in 60 hours, a whopping $0.89, that's $0.36 per day"

Not the most impressive results, but without a doubt, mining cryptocurrencies with Coinhive has become very popular among hackers because it is very easy to use. This may not be very beneficial when used on small sites, but imagine a Coinhive miner running on every Facebook or Google page. But this can happen.

If you have any questions or doubts, feel free to leave your comments.
Disclaimer: This article is written for educational purposes only. The author or publisher did not publish this article for malicious purposes. If readers would like to use the information for personal gain, the author and publisher are not responsible for any harm or damage caused.

We recommend reading:

Xakep #255. Attacks on Windows

  • Contents of the issue
  • Subscription to "Hacker"

One of the most unpleasant types of hidden mining is browser mining, when the devices of ordinary website visitors are used to mine cryptocurrency (of course, without the knowledge of the users themselves). At the beginning of last week, users began to complain en masse on social networks that when visiting YouTube, anti-virus programs were triggered, reporting a hidden Coinhive miner on the site.

Hey @avast_antivirus seems that you are blocking crypto miners (#coinhive) in @YouTube #ads Thank you

Rating
( 2 ratings, average 4 out of 5 )
Did you like the article? Share with friends:
For any suggestions regarding the site: [email protected]
Для любых предложений по сайту: [email protected]