APNIC, profile picture
Uploaded byAPNIC
PPTX, PDF2,208 views

PacNOG 23: Introduction to Crypto Jacking

The document provides an overview of cryptojacking, highlighting its definition as the unauthorized use of computing resources to mine cryptocurrencies without consent. It discusses various web-based coin miners, cryptomining malware, and mitigation techniques to protect against such threats. The content also includes resources for identifying and blocking cryptojacking activities.

Embed presentation

Downloaded 37 times
1 Introduction to Crypto Jacking Warren Finch PacNOG 23 - 3rd Dec 2018 Marshall Islands
Agenda • Web based coin miners • What is cryptojacking • Are all cryptominers bad? • Cryptomining malware • Mitigation techniques 2
18th Apr 2014 Monero Cryptocurrency released Timeline 3 https://arxiv.org/pdf/1803.02887.pdf - accessed 15th Nov 2018 2014 20182017 14th Sep 2017 Coinhive Miner launched 16th Oct 2017 Coinhive launches AuthedMine 11th Feb 2018 UK Information Commissioner’s Office Incident Sep 2018 Webcobra Malware discovered
Web based coin miners 5 https://alternativeto.net/software/coinhive/ - accessed 9th Nov 2018 Name URL Coinhive https://coinhive.com AuthedMine https://authedmine.com Coin-Have https://coin-have.com CoinImp https://www.coinimp.com/ Minexmr.stream https://minexmr.stream JSECoin https://jsecoin.com/ Adless https://www.adless.io/ Crypto-loot https://crypto-loot.com GridCash https://gridcash.net/ CryptoNoter https://github.com/cryptonoter
Web based coin miners 6 https://alternativeto.net/software/coinhive/ - accessed 9th Nov 2018 Name URL Coinhive https://coinhive.com AuthedMine https://authedmine.com Coin-Have https://coin-have.com CoinImp https://www.coinimp.com/ Minexmr.stream https://minexmr.stream JSECoin https://jsecoin.com/ Adless https://www.adless.io/ Crypto-loot https://crypto-loot.com GridCash https://gridcash.net/ CryptoNoter https://github.com/cryptonoter
What is Crypto Jacking 7 https://www.enisa.europa.eu/publications/info-notes/images_info_notes/cryptojacking.jpg
What is Crypto Jacking • The unauthorized use of computing resources to mine cryptocurrencies. • Using malicious tools designed to hijack vulnerable systems to mine for cryptocurrency in the background using crypto mining software without the consent or knowledge of the victims. • The technique of hijacking browsers for mining cryptocurrency (without user consent). 8
Are all crypto miners bad? 10 https://www.stfx.ca/about/news/stfx-systems-update-0 - accessed 8th Nov 2018
Are all crypto miners bad? 11 https://www.itnews.com.au/news/unicef-australia-tries-in-browser-cryptocurrency-mining-489884 - accessed 9th Nov 2018
Cryptomining malware • Leaked EternalBlue and DoublePulsar exploits are used to infect vulnerable windows servers and PCs. • Oracle’s WebLogic Server (CVE-2017-10271) flaw was also used to deliver miners onto servers. • Malware families distributed via malicious spam attachments, now have a coin miner module. • Android and Mac users are infected by trojanised apps laced with mining code. 16
Crypto-mining malware detections in 2017 17 11703 11714 13630 12654 12070 12776 15042 15698 24798 116361 77185 77242 0 20000 40000 60000 80000 100000 120000 140000 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-2018-new-menace/ - accessed 9th Nov 2018
Javascript – Coinhive 19 https://coinhive.com – accessed 9th Nov 2018
Javascript – AuthedMine captcha 20 https://coinhive.com – accessed 9th Nov 2018
Locating sites with a coinhive script • https://publicwww.com/websites/"coinhive.min.js"/ 21 accessed 9th Nov 2018
Locating devices with a coinhive script • https://www.shodan.io/search?query=coinhive.min.js 22 accessed 9th Nov 2018
Locating devices with a coinhive script • https://www.shodan.io/search?query=coinhive.min.js 23 accessed 9th Nov 2018
Cryptomining in action 28 https://www.thehopepage.org
Chrome Task Manager • Open the Chrome Task Manager by using the Shift+ESC keyboard combination • Or from the Chrome menu, then More Tools, and then Chrome Task Manager. 29
End user protection • Use the Task Manager (Windows) or Activity Monitor (Mac OS X) • Disable JavaScript in the browser • Browser extensions like “No Coin” are available on Google Chrome and Firefox. Opera has it enabled by default. • Install third-party malware detection and anti-virus software • Update and patch software 30
Opera 31
Network protection • Check vendor advisories and recommendations • Update firewall rules • Update Intrusion Detection System (IDS) rules • Update and Patch all systems • Block known crypto miner domains – https://gitlab.com/ZeroDot1/CoinBlockerLists – https://zerodot1.gitlab.io/CoinBlockerListsWeb/downloads.html – http://iplists.firehol.org 32
Confirm if site is on block list 36 https://malware-research.org/coinblockerlists/
VirusTotal • Use the search feature to find information about a threat • Search term – fba937ffc0291601_sdat.exe 39 https://www.virustotal.com/en/file/fba937ffc0291601b7b03548dac94ef6f321077b96ec561c9f595fb71fc50ccb/analysis/1504908698/
YARA – pattern matching for Malware 40 https://virustotal.github.io/yara/ - accessed 16th Nov 2018
Any questions? 45

More Related Content

PDF
Windows logging cheat sheet
byMichael Gough
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PPTX
What is Cryptojacking and How Can I Protect Myself?
byGlobal Knowledge Training
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PPT
Phishing attacks ppt
byAryan Ragu
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PPTX
Email phishing and countermeasures
byJorge Sebastiao
 
PPTX
Penetration testing reporting and methodology
byRashad Aliyev
 
Windows logging cheat sheet
byMichael Gough
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
What is Cryptojacking and How Can I Protect Myself?
byGlobal Knowledge Training
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Phishing attacks ppt
byAryan Ragu
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
Email phishing and countermeasures
byJorge Sebastiao
 
Penetration testing reporting and methodology
byRashad Aliyev
 

What's hot

PDF
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
byMichael Gough
 
PPT
Phishing
byanjalika sinha
 
PPTX
Cryptojacking
byXnews
 
PPTX
Phishing attack, with SSL Encryption and HTTPS Working
bySachin Saini
 
PPTX
Password Cracking
bySagar Verma
 
PPT
Phishing
byAlka Falwaria
 
PPTX
Threat hunting for Beginners
bySKMohamedKasim
 
PPTX
Introduction to Malware Analysis
byAndrew McNicol
 
PPTX
Brute force-attack presentation
byMahmoud Ibra
 
PPTX
Social engineering-Attack of the Human Behavior
byJames Krusic
 
PDF
Vulnerability Management
byasherad
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PDF
Broken access controls
byAkansha Kesharwani
 
PPTX
Social Engineering,social engeineering techniques,social engineering protecti...
byABHAY PATHAK
 
PPTX
Phishing Attacks
byJagan Mohan
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PDF
Social engineering attacks
byRamiro Cid
 
PPTX
Cyber attacks and IT security management in 2025
byRadar Cyber Security
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PDF
SIEM and Threat Hunting
byn|u - The Open Security Community
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
byMichael Gough
 
Phishing
byanjalika sinha
 
Cryptojacking
byXnews
 
Phishing attack, with SSL Encryption and HTTPS Working
bySachin Saini
 
Password Cracking
bySagar Verma
 
Phishing
byAlka Falwaria
 
Threat hunting for Beginners
bySKMohamedKasim
 
Introduction to Malware Analysis
byAndrew McNicol
 
Brute force-attack presentation
byMahmoud Ibra
 
Social engineering-Attack of the Human Behavior
byJames Krusic
 
Vulnerability Management
byasherad
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
Broken access controls
byAkansha Kesharwani
 
Social Engineering,social engeineering techniques,social engineering protecti...
byABHAY PATHAK
 
Phishing Attacks
byJagan Mohan
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
Social engineering attacks
byRamiro Cid
 
Cyber attacks and IT security management in 2025
byRadar Cyber Security
 
Malware analysis
byPrakashchand Suthar
 
SIEM and Threat Hunting
byn|u - The Open Security Community
 

Similar to PacNOG 23: Introduction to Crypto Jacking

PPTX
CryptoJacking and Security: Evolution of a Hack
byBryan Becker
 
PPTX
Cryptojacking - by Vishwaraj101
byv_raj
 
PDF
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted...
byeraser Juan José Calderón
 
PDF
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
byDigital Transformation EXPO Event Series
 
PPTX
Crypto Miners in the Cloud
by2nd Sight Lab
 
PPTX
CoinMiners are Evasive - BsidesTLV
byThomas Roccia
 
PDF
IRJET- Browser Extension for Cryptojacking Malware Detection and Blocking
byIRJET Journal
 
PPTX
Cyber security crypto blockchain Version 3.2
byJorge Sebastiao
 
PPTX
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
byBeau Bullock
 
PDF
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
byBeau Bullock
 
PPTX
Crypto-Jacking, Ransomware & Worming Malware's Frightening Future (Keynote an...
byJay Beale
 
PPTX
Blockchain & cyber security Algeria Version 1.1
byJorge Sebastiao
 
PDF
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
byOWASP
 
PPTX
Hacking blockchain
byJose L. Quiñones-Borrero
 
PPTX
Crytomining hacking
byCis siva
 
PPTX
ISTR 23: Internet Security Threat Report
bySymantec Security Response
 
PDF
2. cyber crime series - crypto currency theft
byIsaac Feliciano
 
PDF
Coinpunk - Enemy of the Banks
byKyle Drake
 
PPTX
CRYPTOJACKING cyber security information technology.pptx
bybenjiedeguzman0512
 
PPTX
ITPG Secure on WannaCry
byITPG Secure Compliance and Certification Training
 
CryptoJacking and Security: Evolution of a Hack
byBryan Becker
 
Cryptojacking - by Vishwaraj101
byv_raj
 
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted...
byeraser Juan José Calderón
 
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
byDigital Transformation EXPO Event Series
 
Crypto Miners in the Cloud
by2nd Sight Lab
 
CoinMiners are Evasive - BsidesTLV
byThomas Roccia
 
IRJET- Browser Extension for Cryptojacking Malware Detection and Blocking
byIRJET Journal
 
Cyber security crypto blockchain Version 3.2
byJorge Sebastiao
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
byBeau Bullock
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
byBeau Bullock
 
Crypto-Jacking, Ransomware & Worming Malware's Frightening Future (Keynote an...
byJay Beale
 
Blockchain & cyber security Algeria Version 1.1
byJorge Sebastiao
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
byOWASP
 
Hacking blockchain
byJose L. Quiñones-Borrero
 
Crytomining hacking
byCis siva
 
ISTR 23: Internet Security Threat Report
bySymantec Security Response
 
2. cyber crime series - crypto currency theft
byIsaac Feliciano
 
Coinpunk - Enemy of the Banks
byKyle Drake
 
CRYPTOJACKING cyber security information technology.pptx
bybenjiedeguzman0512
 
ITPG Secure on WannaCry
byITPG Secure Compliance and Certification Training
 

More from APNIC

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
PDF
Make DDoS expensive for the threat actors
byAPNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
Make DDoS expensive for the threat actors
byAPNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 

PacNOG 23: Introduction to Crypto Jacking

  • 1.
    1 Introduction to CryptoJacking Warren Finch PacNOG 23 - 3rd Dec 2018 Marshall Islands
  • 2.
    Agenda • Web basedcoin miners • What is cryptojacking • Are all cryptominers bad? • Cryptomining malware • Mitigation techniques 2
  • 3.
    18th Apr 2014 MoneroCryptocurrency released Timeline 3 https://arxiv.org/pdf/1803.02887.pdf - accessed 15th Nov 2018 2014 20182017 14th Sep 2017 Coinhive Miner launched 16th Oct 2017 Coinhive launches AuthedMine 11th Feb 2018 UK Information Commissioner’s Office Incident Sep 2018 Webcobra Malware discovered
  • 4.
    Web based coinminers 5 https://alternativeto.net/software/coinhive/ - accessed 9th Nov 2018 Name URL Coinhive https://coinhive.com AuthedMine https://authedmine.com Coin-Have https://coin-have.com CoinImp https://www.coinimp.com/ Minexmr.stream https://minexmr.stream JSECoin https://jsecoin.com/ Adless https://www.adless.io/ Crypto-loot https://crypto-loot.com GridCash https://gridcash.net/ CryptoNoter https://github.com/cryptonoter
  • 5.
    Web based coinminers 6 https://alternativeto.net/software/coinhive/ - accessed 9th Nov 2018 Name URL Coinhive https://coinhive.com AuthedMine https://authedmine.com Coin-Have https://coin-have.com CoinImp https://www.coinimp.com/ Minexmr.stream https://minexmr.stream JSECoin https://jsecoin.com/ Adless https://www.adless.io/ Crypto-loot https://crypto-loot.com GridCash https://gridcash.net/ CryptoNoter https://github.com/cryptonoter
  • 6.
    What is CryptoJacking 7 https://www.enisa.europa.eu/publications/info-notes/images_info_notes/cryptojacking.jpg
  • 7.
    What is CryptoJacking • The unauthorized use of computing resources to mine cryptocurrencies. • Using malicious tools designed to hijack vulnerable systems to mine for cryptocurrency in the background using crypto mining software without the consent or knowledge of the victims. • The technique of hijacking browsers for mining cryptocurrency (without user consent). 8
  • 8.
    Are all cryptominers bad? 10 https://www.stfx.ca/about/news/stfx-systems-update-0 - accessed 8th Nov 2018
  • 9.
    Are all cryptominers bad? 11 https://www.itnews.com.au/news/unicef-australia-tries-in-browser-cryptocurrency-mining-489884 - accessed 9th Nov 2018
  • 11.
    Cryptomining malware • LeakedEternalBlue and DoublePulsar exploits are used to infect vulnerable windows servers and PCs. • Oracle’s WebLogic Server (CVE-2017-10271) flaw was also used to deliver miners onto servers. • Malware families distributed via malicious spam attachments, now have a coin miner module. • Android and Mac users are infected by trojanised apps laced with mining code. 16
  • 12.
    Crypto-mining malware detectionsin 2017 17 11703 11714 13630 12654 12070 12776 15042 15698 24798 116361 77185 77242 0 20000 40000 60000 80000 100000 120000 140000 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-2018-new-menace/ - accessed 9th Nov 2018
  • 13.
  • 14.
    Javascript – AuthedMinecaptcha 20 https://coinhive.com – accessed 9th Nov 2018
  • 15.
    Locating sites witha coinhive script • https://publicwww.com/websites/"coinhive.min.js"/ 21 accessed 9th Nov 2018
  • 16.
    Locating devices witha coinhive script • https://www.shodan.io/search?query=coinhive.min.js 22 accessed 9th Nov 2018
  • 17.
    Locating devices witha coinhive script • https://www.shodan.io/search?query=coinhive.min.js 23 accessed 9th Nov 2018
  • 18.
  • 19.
    Chrome Task Manager •Open the Chrome Task Manager by using the Shift+ESC keyboard combination • Or from the Chrome menu, then More Tools, and then Chrome Task Manager. 29
  • 20.
    End user protection •Use the Task Manager (Windows) or Activity Monitor (Mac OS X) • Disable JavaScript in the browser • Browser extensions like “No Coin” are available on Google Chrome and Firefox. Opera has it enabled by default. • Install third-party malware detection and anti-virus software • Update and patch software 30
  • 21.
  • 22.
    Network protection • Checkvendor advisories and recommendations • Update firewall rules • Update Intrusion Detection System (IDS) rules • Update and Patch all systems • Block known crypto miner domains – https://gitlab.com/ZeroDot1/CoinBlockerLists – https://zerodot1.gitlab.io/CoinBlockerListsWeb/downloads.html – http://iplists.firehol.org 32
  • 23.
    Confirm if siteis on block list 36 https://malware-research.org/coinblockerlists/
  • 24.
    VirusTotal • Use thesearch feature to find information about a threat • Search term – fba937ffc0291601_sdat.exe 39 https://www.virustotal.com/en/file/fba937ffc0291601b7b03548dac94ef6f321077b96ec561c9f595fb71fc50ccb/analysis/1504908698/
  • 25.
    YARA – patternmatching for Malware 40 https://virustotal.github.io/yara/ - accessed 16th Nov 2018
  • 26.

Editor's Notes

  • #4 https://arxiv.org/pdf/1803.02887.pdf
  • #5 https://arxiv.org/pdf/1803.02887.pdf
  • #6 https://alternativeto.net/software/coinhive/
  • #7 https://alternativeto.net/software/coinhive/ https://www.virustotal.com/en/url/b6b6242a9507fcfaa11c49790e2bcb4334c03b086c87876dfd045cf02094148c/analysis/ https://urlscan.io/result/9096fd49-0a67-463f-8db4-6f362e401138
  • #8 https://www.enisa.europa.eu/publications/info-notes/images_info_notes/cryptojacking.jpg https://www.enisa.europa.eu/publications/info-notes/cryptojacking-cryptomining-in-the-browser
  • #9 https://news.softpedia.com/news/bitcoin-cryptojacking-attack-forces-university-to-disable-entire-network-523646.shtml
  • #10 https://www.stfx.ca/about/news/stfx-systems-update-0 https://news.softpedia.com/news/bitcoin-cryptojacking-attack-forces-university-to-disable-entire-network-523646.shtml
  • #11 https://www.stfx.ca/about/news/stfx-systems-update-0 https://news.softpedia.com/news/bitcoin-cryptojacking-attack-forces-university-to-disable-entire-network-523646.shtml
  • #12 https://www.itnews.com.au/news/unicef-australia-tries-in-browser-cryptocurrency-mining-489884 https://www.thehopepage.org
  • #13 https://twitter.com/Scott_Helme/status/962684239975272450/photo/1?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E962684239975272450&ref_url=https%3A%2F%2Fthenextweb.com%2Fsecurity%2F2018%2F02%2F12%2Fgovernment-websites-quietly-running-cryptocoin-mining-scripts%2F https://www.ncsc.gov.uk/news/ncsc-statement-malware-being-used-illegally-mine-cryptocurrency https://nakedsecurity.sophos.com/2018/02/12/cryptomining-script-poisons-government-websites-what-to-do/ https://thenextweb.com/security/2018/02/12/government-websites-quietly-running-cryptocoin-mining-scripts/ https://techcrunch.com/2018/02/12/browsealoud-coinhive-monero-mining-hack/
  • #14 https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
  • #15 https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/ https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/over-200-000-mikrotik-routers-compromised-in-cryptojacking-campaign Known as CVE-2018-14847 the security flaw in MikroTik routers is being exploited with a view of installing the Coinhive cryptocurrency mining script in websites that users of the devices visit. https://www.ccn.com/monero-cryptomining-attack-affects-over-200000-isp-grade-routers-globally/ https://www.zdnet.com/article/how-much-does-the-pirate-bays-cryptocurrency-miner-make/ https://www.bleepingcomputer.com/news/security/cryptojackers-found-on-starbucks-wifi-network-github-pirate-streaming-sites/
  • #16 https://isc.sans.org/forums/diary/Crypto+Mining+in+a+Windows+Headless+Browser/24078/ https://steemit.com/mining/@ttox/headless-browser-mining
  • #17 https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/ https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/ https://publicwww.com/websites/"coinhive.min.js"/
  • #18 Cryptocurrency-mining malware detections in 2017 (based on Trend Micro Smart Protection Network) https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-2018-new-menace/
  • #19 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sep-2018.pdf
  • #20 https://coinhive.com/documentation/miner#constructor-options
  • #22 https://badpackets.net/how-to-find-cryptojacking-malware/ Coinhive Search term = "coinhive.min.js" URL = https://publicwww.com/websites/"coinhive.min.js"/ Returned results = 13884 AuthedMine Search term = authedmine && "captcha.min.js" URL = https://publicwww.com/websites/authedmine+%26%26+"captcha.min.js"/ Returned results = 272   https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/ Search Term = "navigator['hardwareConcurrency’]” URL = https://publicwww.com/websites/"navigator%5B%27hardwareConcurrency%27%5D"/ Returned results = 1665
  • #23 https://badpackets.net/how-to-find-cryptojacking-malware/ Coinhive Search term = "coinhive.min.js" URL = https://publicwww.com/websites/"coinhive.min.js"/ Returned results = 13884 AuthedMine Search term = authedmine && "captcha.min.js" URL = https://publicwww.com/websites/authedmine+%26%26+"captcha.min.js"/ Returned results = 272   https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/ Search Term = "navigator['hardwareConcurrency’]” URL = https://publicwww.com/websites/"navigator%5B%27hardwareConcurrency%27%5D"/ Returned results = 1665
  • #24 https://badpackets.net/how-to-find-cryptojacking-malware/ Coinhive Search term = "coinhive.min.js" URL = https://publicwww.com/websites/"coinhive.min.js"/ Returned results = 13884 AuthedMine Search term = authedmine && "captcha.min.js" URL = https://publicwww.com/websites/authedmine+%26%26+"captcha.min.js"/ Returned results = 272   https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/ Search Term = "navigator['hardwareConcurrency’]” URL = https://publicwww.com/websites/"navigator%5B%27hardwareConcurrency%27%5D"/ Returned results = 1665
  • #25 https://badpackets.net/how-to-find-cryptojacking-malware/ Coinhive Search term = "coinhive.min.js" URL = https://publicwww.com/websites/"coinhive.min.js"/ Returned results = 13884 AuthedMine Search term = authedmine && "captcha.min.js" URL = https://publicwww.com/websites/authedmine+%26%26+"captcha.min.js"/ Returned results = 272   https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/ Search Term = "navigator['hardwareConcurrency’]” URL = https://publicwww.com/websites/"navigator%5B%27hardwareConcurrency%27%5D"/ Returned results = 1665
  • #26 https://badpackets.net/how-to-find-cryptojacking-malware/ Coinhive Search term = "coinhive.min.js" URL = https://publicwww.com/websites/"coinhive.min.js"/ Returned results = 13884 AuthedMine Search term = authedmine && "captcha.min.js" URL = https://publicwww.com/websites/authedmine+%26%26+"captcha.min.js"/ Returned results = 272   https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/ Search Term = "navigator['hardwareConcurrency’]” URL = https://publicwww.com/websites/"navigator%5B%27hardwareConcurrency%27%5D"/ Returned results = 1665
  • #27 https://badpackets.net/how-to-find-cryptojacking-malware/ Coinhive Search term = "coinhive.min.js" URL = https://publicwww.com/websites/"coinhive.min.js"/ Returned results = 13884 AuthedMine Search term = authedmine && "captcha.min.js" URL = https://publicwww.com/websites/authedmine+%26%26+"captcha.min.js"/ Returned results = 272   https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/ Search Term = "navigator['hardwareConcurrency’]” URL = https://publicwww.com/websites/"navigator%5B%27hardwareConcurrency%27%5D"/ Returned results = 1665
  • #28 https://www.wandera.com/cryptojacking-mobile-threat/
  • #29 https://www.wandera.com/cryptojacking-mobile-threat/
  • #30 https://www.bleepingcomputer.com/news/security/using-the-chrome-task-manager-to-find-in-browser-miners/
  • #31 https://blog.malwarebytes.com/101/2018/02/how-to-protect-your-computer-from-malicious-cryptomining/
  • #33 https://community.sophos.com/kb/en-us/127988
  • #34 https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html
  • #35 https://security.berkeley.edu/services/network-intrusion-detection-systems/getting-more-information-about-isp-snort-rules Install snort Log into snort.org and find snippet to update snort Download and extract update Search for SID 44692 SID: 44692 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"decodeURIComponent"; fast_pattern:only; content:"function"; nocase; content:"function"; within:50; nocase; content:"split"; within:200; content:"charCodeAt"; within:200; content:"push"; within:200; content:"charAt"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-attack; sid:44692; rev:1;)
  • #36 ####### Update Snort ####### snort --version cd ~/Downloads/ https://www.snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz?oinkcode=99a52bae5af6ff719d3ecb5fdf97a6d0f618ee76 mkdir snort cd snort tar -xvf ../snortrules-snapshot-2990.tar.gz sudo mv etc /etc/snort sudo mv rules /etc/snort/rules sudo service snort restart sudo /etc/init.d/snort restart
  • #38 Get-ExecutionPolicy Set-ExecutionPolicy remotesigned
  • #39 https://youtu.be/4DjHNtKWkes
  • #40 https://www.virustotal.com/en/file/fba937ffc0291601b7b03548dac94ef6f321077b96ec561c9f595fb71fc50ccb/analysis/1504908698/
  • #41 https://virustotal.github.io/yara/
  • #45 A first look at in browser Crypto Mining - https://arxiv.org/pdf/1803.02887.pdf