courtesy of bleepingcomputer.com
Unfortunately, it has also become very clear that a number of less reputable sites intend to leverage coinhive for the purposes of "drive-by mining", a term coined by Jerome Segura (@Malwarebytes) in a recent post entitled 'Drive-by mining and ads: The Wild Wild West'.
The NetWitness screenshot below provides a clear example of drive-by mining in the response during the initial connection to a streaming video site, sledujserialy[.]sk (hosted at 104.31.74[.]41).
Near the bottom of this screenshot, note the tell-tale 'coinhive.min.js' representative of Monero mining activity.
The challenge from a NetWitness visibility perspective comes after this initial connection, where SSL encryption takes over. While we do not believe this to be an ever-present indicator, we did note 'coin-hive.com' in the SSL Subject meta data field.
To further understand the scope of drive-by mining abuse, let's take a look at coin-hive.com-related SSL certificates in Censys. Please note the warning that many of the thousands of results could potentially be fake.
When we limit the Censys search to "parsed.names: coin-hive.com" as suggested, there is a dramatic drop in the number of SSL certificates returned. This seems like a rather large delta, which speaks to the potential volume of other coin-hive centric projects being developed and deployed across the Internet.
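The two indicators discussed above (the 'coinhive.min.js' script reference in the cleartext response and 'coin-hive.com' in the certificate names) can be combined into a simple session triage. This is an added example, not code from the original post or from NetWitness; the session record layout, the `classify` and `triage` helpers, the "lookalike" bucket and all sample hostnames are assumptions constructed for illustration.

```python
import re

# Indicators named in the post: the miner script file and the certificate domain.
SCRIPT_RE = re.compile(r"<script[^>]+src=[\"'][^\"']*coinhive\.min\.js", re.I)
MINER_DOMAIN = "coin-hive.com"
LOOKALIKE_RE = re.compile(r"coin-?hive", re.I)


def under_domain(name, domain=MINER_DOMAIN):
    """True when name is the domain itself or a subdomain (wildcard allowed)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def classify(session):
    """Return the sorted list of mining indicators found in one session record."""
    hits = set()
    # Cleartext HTTP response: look for the script include.
    if SCRIPT_RE.search(session.get("http_body", "")):
        hits.add("script:coinhive.min.js")
    # TLS session: only certificate names are visible once encryption takes over.
    for name in session.get("cert_names", []):
        if under_domain(name):
            hits.add("cert:coin-hive.com")
        elif LOOKALIKE_RE.search(name):
            # Name merely contains the string; treat as lower confidence.
            hits.add("cert:lookalike")
    return sorted(hits)


# Constructed sample sessions (placeholder hostnames, not real captures).
SAMPLES = [
    {"id": "cleartext-landing", "cert_names": [],
     "http_body": '<html><script src="https://cdn.example.test/coinhive.min.js">'
                  "</script></html>"},
    {"id": "tls-followup", "cert_names": ["coin-hive.com", "*.coin-hive.com"]},
    {"id": "tls-lookalike", "cert_names": ["coin-hive.com.example.test"]},
    {"id": "tls-benign", "cert_names": ["video.example.test"]},
]


def triage(sessions=SAMPLES):
    return {s["id"]: classify(s) for s in sessions}


if __name__ == "__main__":
    for sid, hits in triage().items():
        print(sid, hits or "no indicator")
```

Matching certificate names exactly rather than by substring keeps the high-confidence bucket small, while the lookalike bucket still surfaces names worth a second look.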
Thanks to Ahmed Sonbol for his contributions to this research.