Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Malware Goes Currency Mining with Your CPU

If you find your CPU spiking while browsing some website, it may be you’ve just loaned your computer resources to a virtual currency mining operation. The Pirate Bay website was caught having deployed such a “miner” on its site in mid-September, which borrows its visitor’s CPU and/or graphics card resources — without informing the user.

The Coinhive Miner deployed by The Pirate Bay is a JavaScript library for mining cryptocurrency that is being offered to websites as an alternative revenue stream.

Cryptocurrency image

Malware Authors Move in on Mining

With the rising popularity of cryptocurrencies, it stands to reason that malware authors will be shifting their attention to this new-found way of mining — a theory which became confirmed fact two weeks ago with the news that was found to be embedded with the same Coinhive script, but (it would appear) without Showtime’s consent.

Unfortunately, cyber criminals have started abusing this tool by embedding the JavaScript code into browser extensions or programs, thus using the processing power of the infected PC’s for mining digital currency without permission.

Cyren Lab Finds Many Examples

Investigating further, we encountered several websites last week that were injected with a script code to redirect and download a program which uses the Coinhive script.

Here is a list of some of the sites found by Cyren researchers with injected codes:

  • www.altenpflegeschule-manoah[.]de/
  • macelleriarosticceriatamborrino[.]it
  • www.valoanaustin[.]com
  • headabovethecloud[.]us
  • getrich.webstilus[.]

How It Works

The injected codes, as shown in the image below, redirect the user to two sites:

  • hxxp://recaptcha-in[.]pw
  • hxxp://google-statik[.]pw/mainer/myscr109881.js

Cryptocurrency mining image 1

Figure 1: Injected code which redirects users

The iFrame injected code, which redirects to recaptcha-in[.]pw, starts a miner script.

Cryptocurrency figure 2

Figure 2: Captured from recaptcha-in[.]pw

The 2nd injected script code will execute the script myscr109881.js from google-statik[.]pw.

Cryptocurrency figure 3

Figure 3: Decrypted code of myscr109881.js

Cyren detects the relevant malicious code as JS/Coinminer.A, JS/Redir.ZS and JS/Kryptik.E!Eldorado.

Filenames which are Indicators of compromise include:

  • myscr109881.js
  • myscr532494.js

For a primer on the current state of malware, read Cyren’s free special threat report on malware.

Want to learn more about cloud-based email & web security? Contact us here!

You might also like

What is Microsoft Office 365 Advanced Threat Protection?

Office 365 Advanced Threat Protection (also known as ATP and Defender) can provide your organization with advanced security features - keeping you protected from cybersecurity threats. With today's cybersecurity landscape, where new threats appear daily, if not...

The Hidden Costs of Phishing & BEC

By Max Avory A couple of months ago we sat down with Damian Stalls, vCIO director at Fluid Networks to discuss how they dramatically reduced the time their security analysts spent managing the problem of phishing, BEC, and user education. Here were some of the...