Complex Made Simple

Your computer may be cryptojacked, and mined for cryptos! Here’s what to look for

Thank you for mining for us: How your computer is a goldmine for hackers

Cryptojacking surged in the last quarter of 2017, with its growth in popularity coinciding with a surge in the value of cryptocurrencies. The problems arise when people aren’t aware their computers are being used to mine cryptocurrency. The effects of cryptomining could include device slowdown, overheating batteries, increased energy consumption, and even devices becoming unusable.

Article based on and excerpted from Symantec reports

One of the biggest cyber security trends of 2018 is cryptojacking, where cyber criminals surreptitiously run coinminers on victims’ devices without their knowledge and use their Central Processing Unit (CPU) power to mine cryptocurrencies.

This has been such a big trend this year that Symantec has published a research paper on the topic, featuring insights and analysis of this cyber security threat.

Cryptojacking surged in the last quarter of 2017, with its growth in popularity coinciding with a surge in the value of cryptocurrencies, including Monero, which is what is mainly mined by CPU miners.

Cryptojacking in the cloud could also cause additional costs for businesses that are billed based on CPU usage.

What is cryptojacking?

Computer programs called coinminers are used to mine cryptocurrencies. Cryptocurrencies are digital currencies created using computer programs and computing power. Bitcoin is the best-known cryptocurrency, but it cannot be mined using personal computers—it requires specialist equipment to mine.

The cryptocurrency we primarily see mined on personal computers is Monero.

-File-based coin mining involves downloading and running an executable file on your computer.

-Browser-based coin mining takes place inside a web browser and is implemented using scripting languages.

Coin mining is not illegal, and many people choose to run files or scripts on their computers to carry out coin mining to make money themselves. Some websites may also use coin mining as an alternative to advertising to generate revenue, which is fine provided customers are told that their CPU power will be used to mine cryptocurrency while they are visiting that website.

The problems arise when people aren’t aware their computers are being used to mine cryptocurrency, or if cyber criminals surreptitiously install coinminers on victims’ computers or Internet of Things (IoT) devices without their knowledge—this is cryptojacking.

Symantec found two Chrome extensions that secretly mine for Monero.

On May 8, we discovered two extensions for Google’s Chrome web browser that secretly perform coin mining after they are installed. Both extensions were found on the official Google Chrome Web Store.

One of the extensions, called 2048, is a version of a popular math-based strategy game. The extension was published in August 2017 and has over 2,100 users, which suggests the publisher has made some profit using the CPU cycles of those users to mine for cryptocurrency.

Figure 1. Strategy game 2048 secretly mines for cryptocurrency

Figure 2. The 2048 extension has over 2,100 users

The other extension, Mp3 Songs Download, claims to be an MP3 downloader but just redirects the user to an MP3 download website when they click on the extension button. The MP3 download website secretly launches a coin-mining script in the background. The Mp3 Songs Download extension was published in June 2017 and has around 4,000 users.

Figure 3. The Mp3 Songs Download Chrome extension has almost 4,000 users

Coin-mining script: 2048

The source code for the 2048 extension contains a hardcoded domain that is contacted when Chrome is launched.

Coin-mining script: Mp3 Songs Download

The extension Mp3 Songs Download doesn’t start its coin-mining script until the user clicks on the extension button and is redirected to a website.  

This website looks just like a normal MP3 download site and actually functions as one. However, it also loads coin-mining JavaScript (VEZ4.js) secretly, which can be seen in the website’s source code. From the source code we can also see the hardcoded wallet key and throttling ratio, which is set at 0, meaning 100 percent of the user’s CPU cycles can be used for mining.
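As an added illustration (not code from Symantec or from the extensions described here), the following Python triage helper scans JavaScript text for the two configuration values the paragraph above describes, a hardcoded wallet key and a throttle ratio, and reports what CPU share a throttle of 0 implies. The `Miner` constructor name, the regexes and the sample snippet are assumptions constructed for this example.

```python
"""Triage helper: find embedded browser-miner configuration in JavaScript.

Assumes the miner is configured the way the article describes: a long
hardcoded wallet/site key passed to a *Miner constructor and a numeric
"throttle" option where 0 means no idle time is reserved (100% of CPU).
"""
import re

# Constructed sample resembling the pattern described for the MP3 site's
# VEZ4.js. The constructor name and the key are made up for this example.
SAMPLE_JS = """
<script src="/static/VEZ4.js"></script>
<script>
  var miner = new Miner("4ABCDEF0123456789abcdef0123456789ABCDEF0123456789",
                        {throttle: 0});
  miner.start();
</script>
"""

# A long alphanumeric literal passed to a *Miner constructor is the key.
KEY_RE = re.compile(r"""new\s+\w*Miner\w*\s*\(\s*['"]([0-9A-Za-z]{32,})['"]""")
THROTTLE_RE = re.compile(r"\bthrottle\s*:\s*([0-9]*\.?[0-9]+)")


def analyze_miner_config(js: str) -> dict:
    """Return the miner key, throttle and implied CPU share found in js."""
    key = KEY_RE.search(js)
    throttle = THROTTLE_RE.search(js)
    result = {
        "wallet_key": key.group(1) if key else None,
        "throttle": float(throttle.group(1)) if throttle else None,
        "cpu_share_percent": None,
        "verdict": "no miner configuration found",
    }
    if result["wallet_key"] is None:
        return result
    # Throttle is the idle fraction in [0, 1]; absent means unthrottled.
    t = result["throttle"] if result["throttle"] is not None else 0.0
    t = min(max(t, 0.0), 1.0)
    result["cpu_share_percent"] = round((1.0 - t) * 100, 1)
    if result["cpu_share_percent"] >= 100:
        result["verdict"] = "unthrottled miner: 100% of CPU cycles available to mining"
    else:
        result["verdict"] = f"throttled miner: up to {result['cpu_share_percent']}% of CPU"
    return result


if __name__ == "__main__":
    for name, value in analyze_miner_config(SAMPLE_JS).items():
        print(f"{name}: {value}")
```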

Figure 9. Website looks and functions like a normal MP3 download site

Impact on users

The coin mining will persist for as long as the browser (with the 2048 extension installed) or website (in the case of the Mp3 Songs Download extension) remains open. The effects of this activity could include device slowdown, overheating batteries, increased energy consumption, and even devices becoming unusable.

Figure 11. CPU usage spikes due to Mp3 Songs Download extension

Furthermore, the malicious activity of these extensions is made harder to detect by the fact that they function as described. For example, the game 2048 is playable just like any 2048 game and the MP3 website contains downloadable MP3 files. This means that many users will not be suspicious and may not realize their computing power is being hijacked to make money for the developers behind these extensions.

We notified Google about these coin-mining extensions and they have now been removed from the Google Chrome Web Store.

Protection

Symantec and Norton products detect the extensions as the following:

Miner.Jswebcoin

Mitigation

-Install a suitable security app, such as Norton or Symantec Endpoint Protection, to protect your device and data.

-Pay close attention to CPU and memory usage on your computer or device. Abnormally high usage could be an indication of coin-mining.

-Check the app developer’s name, which can be found on the app’s store page. Do an internet search for the developer as there may be users who have had experience of their apps—good or bad.

-Check the app reviews. While fake reviews are common, they’re often short and generic. There may also be legitimate reviews from users who have figured out that the app isn’t what it appears to be.