Back to
124 posts

New Frontiers In Cryptojacking

Tejas Girme & Rishikesh Bhide of Qualys Malware Research Labs present “New Frontiers in Cryptojacking” at the 21st Anti-Virus Asia Researchers International Conference (AVAR) 2018 in Goa, India.

Cryptojacking attacks are evolving over time to better evade detection by both end users and protection technologies. It’s therefore important for security teams to understand how these attacks work so they can best protect their system resources. In a recent talk at AVAR 2018, Qualys Malware Research Labs presented an analysis of several evasion techniques used by attackers to deliver the Cryptojacking code to web browser and how existing protection technologies stack up against them.

About Cryptojacking

Cryptojacking attacks leverage the victim system’s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute its system resources to mine a cryptocurrency that is added to the attacker’s wallet.

Early Cryptojacking Attacks

CoinHive was the first browser-based CryptoMining service provider. They made it possible to enable browser-based mining on a website by embedding just a few lines of code. Adversaries seized this opportunity and Cryptojacking attacks became prevalent.

Figure 1: JavaScript code that initiates Cryptojacking inside a website.


The attacker compromised the vulnerable websites to embed the Cryptojacking code inside the webpage (see Figure 1). This code fetches and instantiates the JavaScript-based mining component from CoinHive server and starts browser-based CryptoMining inside the visitor’s browser. Mining for cryptocurrencies is a resource-intensive process that can consume more than 70% of the CPU power, thus degrading system performance.

A simple protection against these attacks by blacklisting domains which are hosting CryptoMining scripts. This was achieved with ease by blocking access to such domains through IPS.

Use of Proxy

In order to evade domain-based detection, attackers then adapted approaches like proxies and URL randomization to bypass firewall rules. Attackers also leveraged legitimate content delivery services like Github & Pastebin to host coin-mining scripts.

Figure 2 displays a code snippet from an actual attack, where the proxy domain acts as a gateway for delivering the mining payload.

Figure 2: Website loads script hosted on a proxy server.

As a large number of proxy domains is created every day, it became impossible to keep on updating Firewall/IPS rules. This problem was addressed by web browser extensions to protect against Cryptojacking attacks. Some of the early extensions were ‘No Coin’ & ‘MinerBlock’. These extensions relied mainly on crowd-sourced blacklists comprising domains & urls hosting CryptoMining scripts (e.g. ‘nocoin-list’).

Use of Proxy and Obfuscation Methods

Anti-Virus (AV) scan engines quickly caught up and added script and object-based detections, which are effective in detecting mining scripts hosted behind the proxy. To overcome this hurdle, attackers started obfuscating JavaScript code using open-source obfuscators like These tools could make complex obfuscations where even object names and values were disguised. This helped attackers hide their mining code from AV signature-based detections. Obfuscation was used at different stages of Cryptojacking attacks to make them even more difficult to detect.

Figure 3 below shows an example of how obfuscated miner code was hosted behind the proxy server.

Figure 3: Website loads obfuscated script hosted behind the proxy server.

Attackers often utilize the full power of the CPU to maximize revenue generated from mining activity. This allowed AV engines to make use of behavior-based signatures to identify mining activity by monitoring CPU usage pattern of every browser instance. AV can terminate a browser instance which is performing CryptoMining.

Combination of Proxy, Obfuscations and Throttling

To remain completely stealthy from both users & detection technologies, the attack techniques also evolved. Instead of utilizing 100% CPU each time, they started to randomize CPU consumption in the range of 40-80% to ensure there is no visible performance impact for the user. This approach reduced the revenue generated per user to some extent, but it allowed them to run campaigns for a longer duration without getting detected.

Figure 4 highlights the configurations used to control the amount of CPU consumption while mining. Throttle 0.2 means it will consume 80% of CPU resources for mining activity.

Figure 4: Cryptojacking code makes use of a throttling parameter.

For more details and examples of attacks using these techniques, please see our previous blog post, Tale of a Friendly CryptoMiner.

Stay Protected Using Qualys BrowserCheck CoinBlocker

Based on our research, Qualys Malware Research Labs developed a free Chrome Web browser extension Qualys BrowserCheck CoinBlocker.

Along with blacklisting & whitelisting of domains, it supports advanced JavaScript scanning to identify & block malicious JavaScript functions. The extension has the ability to detect obfuscated JavaScript components hosted behind proxies.

As new attacks emerge, our R&D team analyzes them and devises new detection techniques that are then incorporated into the new update of the extension. We ensure that our users are always protected against these new attacks.

QSC18 Takeaway: Complex Environments Demand Visibility and Real-Time Security

If there were two important takeaways from this year’s Qualys Security Conference year they would be how today’s complex hybrid environments are demanding security teams find ways to increase visibility into the state of their security posture and be able to quickly mitigate new risks as they arise.

With their respective keynotes, both CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar showed just how sophisticated today’s environments have become. Today, all but the most straightforward environments consist of multiple cloud services, virtualized workloads, and traditional on-premises systems; and hundreds of application containers, microservices, and serverless functions.

Continue reading …

QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches

Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable organizations to liberate data from their applications, improve integration, and standardize how claims and information is governed.

However, what about the associated API security risks? That’s the subject Gartner analyst Mark O’Neill tackled in his presentation, API Security: Enabling Innovation Without Enabling Attacks and Data Breaches at Qualys Security Conference 2018. O’Neill sees API vulnerabilities as a serious enterprise risk in the years ahead. In fact, by 2020, he predicts API abuses will be the most frequent attack vector that results in data breaches for enterprise web applications. “We see more and more APIs as a threat vector,” O’Neill said.

Attackers go after APIs, O’Neill said, because they’re a direct way to valuable data and enterprise resources. In addition to stealing data, APIs are also susceptible to other forms of attack, such a denial-of-service attacks, O’Neill said.

So what can organizations do to better secure their APIs and the resources and information they expose?

Continue reading …

QSC18: The Need for Security Visibility in the Age of Digital Transformation

Enterprises are moving full steam ahead when it comes to their digital transformation efforts. They’ve aggressively adopted cloud infrastructure and other cloud services, IoT, application containers, serverless functionality, and other technologies that are helping their organization to drive forward.

Those organizations that are way down the road in their digital transformation efforts say that they’ve witnessed improved business decision-making – both when it comes to making better decisions and when it comes to making those decisions more rapidly. They also say that they’ve improved their customer relationships by delivering an improved customer digital experience.

So it’s time to celebrate and declare digital victory, right?

Hold off before we book the band and order the champagne for the big party. In fact, those who want to move forward securely and confidently in their risk and regulatory compliance postures have some challenges ahead.

Continue reading …

Welcome to Qualys Security Conference 2018

The rise of cloud computing coupled with DevOps is forcing enterprises to rewrite their cybersecurity playbook, and part of that book will be written this week at Qualys Security Conference 2018 in Las Vegas.

Today, the dual cloud and DevOps mega-trends are helping companies to digitally transform how they build, deploy, and manage all aspects of their business. They’re delivering software and digital services more rapidly, able to respond with more agility to changing business and technological demands through the effective use of automation, machine learning, IoT, and the continuous delivery of new software services and features. This all comes at a price, however.

Continue reading …

PCI & QID 38598 “Deprecated Public Key Length”

PCI DSS v3.2 logoQID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score.

Under PCI DSS merchants and financial institutions are required to protect their clients’ sensitive data with strong cryptography. Strong cryptography is defined in the Glossary of Terms, Abbreviations and Acronyms for PCI DSS as cryptography based on industry-tested and accepted algorithms.

NIST Special Publication 800-131A announced that RSA public keys shorter than 2048 bits are disallowed, so QID 38598 detected in ASV scans will result a PCI failure. ASV scan customers will need to obtain a 2048-bit or larger public key length certificate from their Certificate Authority.

Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776

A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.

Update August 24, 2018: A dashboard for this vulnerability is now available to download.

Continue reading …

Qualys BrowserCheck CoinBlocker Protects Users From Active Cryptojacking Campaigns

Qualys Malware Research Labs recently released the Qualys BrowserCheck CoinBlocker Chrome Extension. We have seen enthusiastic adoption from users across the globe in the first week since its release, which has given us enough telemetry data to indicate success in protecting users from popular cryptojacking attacks. This blog post details these detection statistics and analyzes a few interesting cryptojacking campaigns uncovered by Qualys BrowserCheck CoinBlocker.

About Qualys BrowserCheck CoinBlocker

Qualys BrowserCheck CoinBlocker protects users from browser-based coin-mining attacks. Along with blacklisting & whitelisting of domains, it also supports advanced JavaScript scanning to identify & block malicious JavaScript functions. The extension can also identify & block malicious coin-mining advertisements loaded inside iframes by third-party ads.

Download Qualys BrowserCheck CoinBlocker for free!

Qualys BrowserCheck CoinBlocker Detection Statistics

The world heat map below shows the geographical distribution of mining threats as a percentage of detections blocked by Qualys BrowserCheck CoinBlocker. The Top 5 countries where mining threats are detected and blocked are Bulgaria (33%) topped the list followed by India (18%), the United States (16%), Argentina (10%) and Thailand (9%).

Continue reading …

Staying Safe in the Era of Browser-based Cryptocurrency Mining

Qualys Malware Research Labs is announcing the release of Qualys BrowserCheck CoinBlocker Chrome extension to detect and block browser-based cryptocurrency mining, aka cryptojacking.


Cryptojacking attacks leverage the victim system’s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute its system resources to mine a cryptocurrency that is added to the attacker’s wallet. The resource-intensive mining process is carried out on victim systems typically consumes more than 70% of CPU, that reduces system performance, increases power consumption and can cause possible permanent damage to the system.

Continue reading …

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”

PCI DSS v3.2 logoQID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.

Continue reading …