AppCheck: Detect Rogue JavaScript Crypto-Miners

Browser based Crypto-Mining malware has made a dramatic resurgence in 2018 hitting the headlines on several occasions over the past month. Most recently, two major campaigns affecting thousands were reported by The Register with those affected ranging from YouTube to the UK’s Information Commissioner’s Office (Ref 1 Ref 2).

Trend Micro reports an increase as high as 285% in the number of CoinHive miners observed during January (Ref 3 )

In brief, JavaScript Crypto-Miners such as CoinHive are designed to use the processing power of visiting web browsers to perform Crypto Currency mining as a method of monetising website traffic. The malware* is deployed via a JavaScript embedded within your web site that is automatically executed by each visiting user.

Whilst Crypto Mining software is presented as a legitimate enterprise, it’s also a common technique used by Cyber Criminals and other malicious third parties to profit from their attacks. In short, if Crypto Mining software is served up by your site, it is likely the result of a malicious compromise, either directly or against one of your trusted partners.

Detecting Crypto-Miners with AppCheck

To help detect JavaScript Crypto Miners, AppCheck has released a detection module available to all customers. To enable it, select Plugins->Malware Scanning and enable “JavaScript Crypto Miner detection”.

The module detects Crypto Miners using two methods. Firstly, each page encountered during a scan is loaded into a browser engine and network connectivity is monitored. If the page attempts to connect to a Crypto Mining service, the page is flagged. Our second method inspects JavaScript objects loaded into each page for known Crypto Mining functions, this approach helps identify obfuscated payloads and payloads that selectively execute.