Over the past several months, RSA FirstWatch has been avidly tracking the rise of crypto-currency mining.  Most of our early research here focused on the malicious delivery of mining software to victim machines, e.g. our recent work against Monero mining.  However, the recent introduction of javascript-based miners has fundamentally shifted the role mining may play across the Internet.

"Coinhive offers a JavaScript (node.js) miner for the Monero Blockchain that you can embed in your website. Your users run the miner directly in their Browser and mine XMR for you in turn for an ad-free experience, in-game currency or whatever incentives you can come up with".  This is a legitimate capability that we expect to see gain significant traction (over ads in many cases) across all types of verticals that rely on web-presence.  Take for example Showtime's recent use of Monero miners, the exact intent of which still remains a bit unclear. 

courtesy of bleepingcomputer.com 

Unfortunately, it has also become very clear that a number of less reputable sites intend to leverage coinhive for the purposes of "drive-by mining", a term coined by Jerome Segura (@Malwarebytes) in a recent post entitled 'Drive-by mining and ads: The Wild Wild West'.

The NetWitness screenshot below provides a clear example of drive-by mining in the response during the initial connection to a streaming video site, sledujserialy[.]sk (hosted at 104.31.74[.]41).

Near the bottom of this screenshot, note the tell-tale 'coinhive.min.js' representative of Monero mining activity.

The challenge from a NetWitness visibility perspective comes after this initial connection, where SSL encryption takes over.  While we do not believe this to be a ever-present indicator, we did note 'coin-hive.com' in the SSL Subject meta data field.

Our sample domain wasn't the only service demonstrated activity of this type though; Bad Packets report on Twitter led us to a quick Censys search for 'coinhive.min.js', which reveals more than 1,000 services currently using this javascript library.  

To further understand the scope of drive-by mining abuse, let's take a look at coin-hive.com related SSL certificates in Censys, and please note the warning that many of the thousands of results could be potentially fake.

When we limit the search Censys for "parsed.names: coin-hive.com" as suggested, there is a dramatic drop in the number of SSL certificates returned.  This seems like a rather large delta, which speaks to the potential volume of other coin-hive centric projects being developed and deployed across the Internet.

FirstWatch anticipates that customers will likely see a significant increase in mining and specifically in-browser mining activity such as coin-hive in the months to come.  A preliminary list of sites using coinhive javascript to actively mine monero can be found at Coin-Hive.com Enabled Sites Mining for Monero - Pastebin.com.

Thanks to Ahmed Sonbol‌ for his contributions to this research.