How to find cryptojacking malware

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have appeared.

The tool I’ve chosen to locate them with is PublicWWW, a search engine that indexes the full source code of websites. I previously compared its dataset with those of other providers in my earlier post on Coinhive malware specifically.

In this post, I detail how to find websites containing Coinhive, Crypto-Loot, CoinImp, Minr, and deepMiner in PublicWWW.

Let’s jump in and see how many sites with cryptojacking malware we can find!

Coinhive

Before we review some of the knock-offs, let’s look at the name most synonymous with cryptojacking: Coinhive. Finding this malware is relatively easy, and various queries can be used to locate it. The original Coinhive JavaScript library used in cryptojacking is “coinhive.min.js”, so we can start by simply searching for that. It’s important to search for the entire name in quotes so that PublicWWW returns exact matches only.

PublicWWW search for "coinhive.min.js"

Using this query, we find 34,474 sites. While this may seem like an astounding number, it’s only a modest increase over the 30,000 sites I wrote about back in November 2017.

While this list of sites is a good overview of where Coinhive is present, we can dig deeper into PublicWWW’s dataset and extract the Coinhive site key used on each site. PublicWWW’s snipexp: operator applies a regex to each matching page and shows the match as the result snippet, so the site key (the 32-character argument to CoinHive.Anonymous) can be extracted with this query: "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

PublicWWW search for "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

Once the Coinhive site keys are extracted, we can export the results and correlate which sites belong to the same cryptojacking campaign: a small number of site keys reused across hundreds or even thousands of websites, as documented in my previous post.
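As an added example (not code from the original post or from PublicWWW), the following Python applies the same site-key regex to exported page sources and groups sites by key, which is the correlation step described above. The site names, script markup and keys in the sample rows are constructed for this example.

```python
import re
from collections import defaultdict

# Python equivalent of the post's snipexp regex CoinHive.Anonymous\('?(\w{32})' with
# the /i flag: the site key is the 32-character token passed to CoinHive.Anonymous().
# Whitespace and either quote style are tolerated because minified pages vary them.
COINHIVE_KEY = re.compile(r"CoinHive\.Anonymous\(\s*['\"]?(\w{32})['\"]?", re.IGNORECASE)

# Made-up site keys for the sample rows (not keys from the post); 13 + 19 = 32 chars.
KEY_1 = "ExampleKeyOne" + "0" * 19
KEY_2 = "ExampleKeyTwo" + "0" * 19

# Constructed (site, page source) rows standing in for an exported PublicWWW result set.
SAMPLE_ROWS = [
    ("example-a.test",
     '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     '<script>var miner = new CoinHive.Anonymous("' + KEY_1 + '", {throttle: 0.5});'
     'miner.start();</script>'),
    ("example-b.test",
     "<script src='//coinhive.com/lib/coinhive.min.js'></script>"
     "<script>new CoinHive.Anonymous( '" + KEY_1 + "' ).start();</script>"),
    ("example-c.test",
     '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     "<script>new CoinHive.Anonymous('" + KEY_2 + "').start();</script>"),
    # Mentions the library name in prose only; no miner is instantiated, so a plain
    # "coinhive.min.js" search would list it but key extraction filters it out.
    ("example-d.test",
     "<p>Blocking coinhive.min.js with minerBlock: a how-to.</p>"),
]


def extract_site_key(html):
    """Return the Coinhive site key instantiated in html, or None."""
    m = COINHIVE_KEY.search(html)
    return m.group(1) if m else None


def correlate(rows):
    """Group sites by site key; one key on many sites is the signature of a campaign."""
    by_key = defaultdict(set)
    for site, html in rows:
        key = extract_site_key(html)
        if key:
            by_key[key].add(site)
    return {key: sorted(sites) for key, sites in by_key.items()}


def campaigns(rows, min_sites=2):
    """Site keys reused on at least min_sites sites, largest first."""
    by_key = correlate(rows)
    return sorted(((key, sites) for key, sites in by_key.items() if len(sites) >= min_sites),
                  key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for key, sites in campaigns(SAMPLE_ROWS):
        print("%s is shared by %d sites: %s" % (key, len(sites), ", ".join(sites)))
```

Feed it the exported rows instead of SAMPLE_ROWS and the keys at the top of the campaigns() output are the ones worth investigating further.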

Recently I found a large cryptojacking campaign targeting 5,451 WordPress sites. In each case, the JavaScript containing Coinhive was hidden via obfuscation.

Example site found in WordPress cryptojacking campaign
The obfuscated JavaScript code is illegible and must be deobfuscated first to be human-readable.

While PublicWWW can’t search the deobfuscated JavaScript itself, we can work around that by searching for the obfuscated form directly.

PublicWWW search for sites found in large WordPress cryptojacking campaign.

To find the affected sites, the following query, graciously crafted for me by VriesHd, was used:

"[\"(k" "\\x43\\x72\\x79\\x70\\x74\\x6f\\x6e\\x69\\x67\\x68\\x74\\x57\\x41\\x53\\x4d\\x57\\x72\\x61\\x70\\x70\\x65\\x72" snipexp:|(var _0x[0-z]{4}=)|

This query searches for the hex-escaped JavaScript string used in the obfuscated code (it decodes to “CryptonightWASMWrapper”), and the snipexp regex extracts the name of the variable the obfuscator generated, such as “var _0xb70e”. That name can then be correlated with the Coinhive site key used. Six unique keys were found in this cryptojacking campaign:

Coinhive site key (function name)
DhGEVUgOoquJP68XByYLFs0nRVV4gq4J (0xb70e)
bbgnHTSmMLKUMaQzNa3Yfoul34A3cACd (0xbcba,0xe2f6)
hg9mNsA2DPkqe1F9yCUyWXggnDyrPqVW (0x1b00)
T6Oy0x11TMdeZRjy684Xow4GNBpb07SK (0xf80b)
OQoqVYH65ER2Eg2xcmoVtv4qrcHP2Z7G (0xe4d0,0xb765,0xcc28)
VW8fWIsg9hjn47qBdmb0jImf7pDHmU28 (0x8f35)

In some cases the same Coinhive site key was associated with multiple variable names, as shown above.
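Added example, not part of the original post: decoding the hex-escaped strings the query above matches, then pulling the obfuscator’s array name and the candidate site key out of a page, in Python. The sample page is constructed for this example; the only real indicator in it is the escaped string copied from the query, which decodes to CryptonightWASMWrapper. The variable-name pattern assumes hex digits after _0x, as the names listed above show, whereas the post’s query uses the looser [0-z].

```python
import re

# Escapes exactly as they appear in page source: \xHH and \uHHHH.
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# The string-array declaration an obfuscator emits, e.g. var _0xb70e=["...","..."];
OBF_ARRAY = re.compile(r"var\s+(_0x[0-9a-fA-F]{4})\s*=\s*\[")
# A single- or double-quoted JavaScript string literal, escapes included.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")

# The hex-escaped indicator from the post's query, copied verbatim.
WRAPPER_ESCAPED = r"\x43\x72\x79\x70\x74\x6f\x6e\x69\x67\x68\x74\x57\x41\x53\x4d\x57\x72\x61\x70\x70\x65\x72"


def decode_js_escapes(src):
    """Replace \\xHH and \\uHHHH escapes with the characters they encode."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), src)


def obfuscated_array(src):
    """Return (array_name, decoded_strings) for the first _0x.... array, or None."""
    m = OBF_ARRAY.search(src)
    if not m:
        return None
    end = src.find("]", m.end())
    if end < 0:
        return None
    body = src[m.end():end]
    return m.group(1), [decode_js_escapes(s) for _, s in STRING_LITERAL.findall(body)]


def indicators(src):
    """Summarise what the decoded string array reveals about a page."""
    found = obfuscated_array(src)
    if found is None:
        return {"array": None, "cryptonight_wrapper": False, "site_keys": []}
    name, strings = found
    return {
        "array": name,
        "cryptonight_wrapper": any("CryptonightWASMWrapper" in s for s in strings),
        # Candidate Coinhive site keys: 32-character alphanumeric literals in the array.
        "site_keys": [s for s in strings if re.fullmatch(r"\w{32}", s)],
    }


# --- constructed sample page (not real campaign code) ---
def hex_escape(s):
    """Encode an ASCII string the way the obfuscator does, one \\xHH per character."""
    return "".join("\\x%02x" % ord(c) for c in s)


FAKE_KEY = "ExampleSiteKey" + "0" * 18  # 32 characters, made up for the example
SAMPLE_PAGE = (
    "<script>var _0xbeef=["
    + ",".join('"' + hex_escape(s) + '"'
               for s in ("CryptonightWASMWrapper", "Anonymous", FAKE_KEY, "start"))
    + "];var _0x1234=function(){/* lookups into _0xbeef elided */};</script>"
)

if __name__ == "__main__":
    print(decode_js_escapes(WRAPPER_ESCAPED))
    print(indicators(SAMPLE_PAGE))
```

On a real page the decoded array also exposes the Coinhive method names the obfuscator hid, which is how the variable name and the site key end up paired as in the table above.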

Crypto-Loot

Crypto-Loot has remained one of the most popular alternatives to Coinhive since its inception. Like Coinhive, Crypto-Loot doesn’t require any user interaction and can run stealthily in the background.

This is a prominent feature on Crypto-Loot’s marketing page, in addition to DDoS protection which is provided by Cloudflare.

Crypto-Loot is advertised to run secretly in the background while protected from DDoS attacks by Cloudflare.

Crypto-Loot uses two domain names for their cryptojacking operations:
crypto-loot.com
cryptoloot.pro

These domains can be queried in PublicWWW to locate the affected sites, and as with Coinhive, we can use a snipexp regex to extract the site key used on each site (Crypto-Loot keys are 44 characters long): "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

PublicWWW search for  "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

Searching for strictly the two domains used, we find a total of 2,057 sites with Crypto-Loot present.

CoinImp

CoinImp is a relatively new player in the cryptojacking game, but the number of sites on which it has been seen has grown sharply in recent weeks.

CoinImp uses four domain names for their cryptojacking operations:
coinimp.com
www.hashing.win
www.freecontent.bid
webassembly.stream

Interestingly, the reference to “www.hashing.win” previously found in CoinImp’s documentation was quietly removed sometime after 2017-12-20 and replaced with “www.freecontent.bid” as the illustrative example.

Screenshot captured of CoinImp’s documentation page on 2017-12-20.

Coincidentally, the most used CoinImp domain name, www.hashing.win, has been found by PublicWWW on a whopping 3,745 sites.

PublicWWW search for www.hashing.win

Since this was a surprising number, I manually reviewed numerous sites and found that CoinImp had already been removed, or that another form of cryptojacking malware, such as Coinhive, had taken its place. This leads me to believe the perpetrator of this campaign was using a short-lived method to place the CoinImp code.

Totaling the four CoinImp domain names used, we find a total of 4,119 sites.

Minr

Early in December 2017, I discovered a new form of cryptojacking malware called Minr. What differentiated it from the others is that it offered built-in obfuscation to its users. Obfuscation wasn’t required, however, and many of the sites I found didn’t bother to use it.

Example of a site containing Minr malware.

In addition, the domain names used by Minr were innocuous-looking and changed frequently, so any update I shared quickly became out of date.

Minr malware domains used on 2018-01-29

The domains used by Minr a week ago (shown above) have since changed again.

As of this writing, the active domains used by Minr in cryptojacking operations are:
cnt.statistic.date
cdn.static-cnt.bid
ad.g-content.bid
cdn.jquery-uim.download

Totaling the four Minr domain names currently in use, we find 692 sites.

deepMiner

Unlike the other cryptojacking providers, deepMiner is self-hosted JavaScript: the mining code is not served by a third-party provider but is placed directly on the website, or on a domain controlled by the cryptojacking campaign operator. deepMiner’s source code is available on GitHub.

While this might appear to be a roadblock in our search for sites containing deepMiner, there is still a way to locate it. The key is the function deepMiner requires in order to run, shown in the snippet below:

deepMiner code snippet

Now that we have this information, we can simply search PublicWWW for “deepMiner.Anonymous” to locate the affected websites.

PublicWWW search for "deepMiner.Anonymous"

This leads us to find 2,160 sites using deepMiner for cryptojacking purposes.
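To tie the indicators from the Crypto-Loot, CoinImp, Minr and deepMiner sections together, here is an added Python example (not from the post) that classifies a page’s source both by the hosts its script tags load from and by the miner constructors it calls. The domain lists are the ones given above as of 2018-02-07, reduced to registrable domains so that www.hashing.win matches via hashing.win; coinhive.com is added from the library’s well-known script URL and is not listed on this page; all sample pages and script paths are constructed.

```python
import re
from urllib.parse import urlparse

# Registrable domains per family, from the lists in this post (snapshot as of
# 2018-02-07; Minr in particular rotates domains). coinhive.com is the host that
# serves coinhive.min.js and is not listed on this page.
DOMAINS = {
    "Coinhive":    {"coinhive.com"},
    "Crypto-Loot": {"crypto-loot.com", "cryptoloot.pro"},
    "CoinImp":     {"coinimp.com", "hashing.win", "freecontent.bid", "webassembly.stream"},
    "Minr":        {"statistic.date", "static-cnt.bid", "g-content.bid", "jquery-uim.download"},
}
# Miner constructors named in the post. deepMiner is self-hosted, so this kind of
# indicator is the only one that works for it.
FUNCTIONS = {
    "Coinhive":    re.compile(r"\bCoinHive\.Anonymous\s*\("),
    "Crypto-Loot": re.compile(r"\bCryptoLoot\.Anonymous\s*\("),
    "deepMiner":   re.compile(r"\bdeepMiner\.Anonymous\s*\("),
}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def script_hosts(html):
    """Hostnames of all external <script src=...> tags; protocol-relative URLs included."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(html):
    """Map family -> set of indicator descriptions found in the page source."""
    hits = {}
    for host in script_hosts(html):
        for family, domains in DOMAINS.items():
            if any(in_domain(host, d) for d in domains):
                hits.setdefault(family, set()).add("script host " + host)
    for family, pattern in FUNCTIONS.items():
        m = pattern.search(html)
        if m:
            hits.setdefault(family, set()).add("constructor " + m.group(0))
    return hits


def families(html):
    """Sorted family names detected in the page."""
    return sorted(classify(html))


# Constructed pages; script paths and keys are made up, only hostnames come from the post.
SAMPLES = {
    "cryptoloot": '<script src="//crypto-loot.com/lib/miner.js"></script>'
                  '<script>var m = new CryptoLoot.Anonymous("' + "k" * 44 + '"); m.start();</script>',
    "coinimp":    '<script src="https://www.hashing.win/scripts/min.js"></script>',
    "minr":       '<script src="https://cdn.static-cnt.bid/cnt.js"></script>',
    # Self-hosted: no third-party script host, only the constructor gives it away.
    "deepminer":  '<script src="/assets/miner.min.js"></script>'
                  "<script>new deepMiner.Anonymous('example-key').start();</script>",
    "clean":      '<script src="https://www.example.test/app.js"></script>',
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(label, classify(html))
```

The deepminer sample is the instructive one: its script host set is empty, so a domain blocklist alone never sees it, and a list such as the Minr one goes stale as soon as the operator rotates domains, whereas the constructor-name indicator survives both.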

One site I found using deepMiner was a fake Chrome update website that advised users not to close the page. Meanwhile cryptojacking was happening in the background consuming 100% CPU of my test machine.

Fake Chrome update website running deepMiner malware
No, Chrome really isn’t updating.

Statistics Comparison

Coinhive remains the market leader for cryptojacking malware. However, many of the clones it inspired are growing rapidly.

Websites found running Crypto-Loot, CoinImp, deepMiner, and Minr malware.

The four Coinhive clones discussed were found on a total of 9,028 websites. CoinImp had the largest share at roughly 46% (4,119 sites), while Minr had the smallest at nearly 8% (692). Crypto-Loot (2,057) and deepMiner (2,160) split the remainder at roughly 23% and 24% respectively.

Websites found running Coinhive and other cryptojacking malware.

However, when compared with Coinhive by itself (nearly 40,000 sites across all Coinhive queries), the other cryptojacking malware providers account for only a modest 18% of the total. I expect Coinhive to remain in the top spot for the foreseeable future.

Closing Remarks

Coinhive is clearly the market leader when it comes to cryptojacking malware as it’s been found on nearly 40,000 websites.

For Chrome users, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware. A Firefox version of this extension is available as well.

The cryptojacking malware discussed in this post is only a portion of what’s currently found in the wild. New variants are discovered frequently, and I share them on Twitter. You can also browse the CoinBlockerLists, constantly updated by ZeroDot1, which contain hundreds of domains tied to cryptojacking malware.

The statistics shared in this post were generated from data provided by PublicWWW on 2018-02-07. They are subject to change as PublicWWW regularly updates their index.

8 Replies to “How to find cryptojacking malware”

  1. It saddens me how in-browser mining is called malware even when it’s not malicious nor is used at any point unless specified by the user.

    1. False, cryptojacking does not involve user consent. That’s the whole point. It runs surreptitiously in the background.
