Posted: 6 Min ReadThreat Intelligence

Browser-based coin mining without a browser?

Malware launches a web-based cryptocurrency miner without any visible sign of a browser being used.

Browser-based cryptocurrency mining is making a lot of headlines recently and is affecting millions of users. This type of activity doesn’t take over your computer or steal your personal information, instead its goal is to use your CPU cycles to earn money. As covered in our previous cryptocurrency mining blog, browser-based mining activity exploded in the last few months of 2017. While this type of coin mining can be done in a legitimate way, where the user is informed and consent given for the mining taking place, it is illegitimate mining that concerns us.

So far we’ve seen JavaScript and also WebAssembly (WASM) files being used for browser-based mining, but what’s next? How about browser-based coin mining that doesn’t involve a browser being opened? While this may sound strange, we recently came across a case where this method was being used. The case involved a portable executable file launching a web-based coinminer script to begin mining for cryptocurrency. Let’s take a closer look.

How it works

The file in question is a .net executable file (0x231a3fbbc025c659be407c316aba4392f8a13915f08580398bca21082723dbf8), and .net executable files can contain various element to define different resources used by the executable. One of the resources defined within the resource section of this executable defines a user interface window (aka a form) named Form1. When we looked closer at the code that defines this form, we saw that it contained a script tag that references the Coinhive in-browser mining script, which is a clue to what this executable might do.

Figure 1. Resource section referencing the Coinhive mining script from within a form contained in the .net executable
Figure 1. Resource section referencing the Coinhive mining script from within a form contained in the .net executable

Figure 1 shows that the JavaScript contains a reference to hxxps://coinhive[.]com/lib/miner.min.js and we already know that the Coinhive script is used for browser-based coin mining. This made us wonder what this JavaScript was doing in a PE file, so we dug a little deeper and found that it used some rather interesting techniques.

The first thing we noticed after executing the file was that while mining was taking place and the Coinhive website was being visited, we didn’t see any browser running in the background. So how exactly is this JavaScript executed?

This WebBrowser class enables the malware to navigate web pages inside the form and, as long as the form remains hidden, there will not be any visible cues that a browser is running.

We can see in Figure 2 that a component resource manager is created of type Form1. We saw earlier how the Coinhive script is referenced in the code of Form1. The TextBox1.Text string of Form1 contains the JavaScript shown in Figure 1, which is responsible for the coin-mining activity. Also, a class named WebBrowser1 is created of WebBrowser class. This WebBrowser class enables the malware to navigate web pages inside the form and, as long as the form remains hidden, there will not be any visible cues that a browser is running.

Figure 2. Code that loads the Coinhive mining script into a WebBrowser object to begin mining
Figure 2. Code that loads the Coinhive mining script into a WebBrowser object to begin mining

In Figure 3 we can see that the Webrowser1.DocumentText property of the WebBrowser class is given the value of TextBox1.Text, which is the JavaScript in the resource section responsible for coin mining.

Figure 3. Code that refers to the JavaScript responsible for coin mining
Figure 3. Code that refers to the JavaScript responsible for coin mining

This DocumentText property of the WebBrowser class manipulates the contents of an HTML page displayed in the WebBrowser control using string processing tools. This means that the Navigating, Navigated, and DocumentCompleted events occur when this property is set, and the value of the URL property is no longer meaningful so will be ignored. Instead, the DocumentText property is loaded by the browser object which causes the coin-mining script to run. This gives the effect of running web browser based functionality but without a browser to be seen.

To make sure that the mining restarts after each reboot, the originally executed PE file is also added to the Startup folder with the name windata0.exe.

Tell-tale signs of browser mining

The usual tell-tale sign of browser-based coin mining is a sudden, unexpected and sustained ramp up in CPU activity. This usually manifests itself as sluggishness in the computer’s performance. When these symptoms are encountered while browsing the internet, a user might suspect that browser mining is taking place. But with an executable based browser miner, like the one discussed in this blog, the user won’t see any browser windows open so may not suspect the slowdown to be a symptom of coin mining and may, for example, blame installed software for the problem.

However, using some simple tools allows us to see what’s responsible for maxing out the CPU. Using Windows Task Manager we can confirm the CPU load on the computer and, with some additional system analysis tools, we can see a number of network connections being made to coinhive.com, which confirms the presence of a miner using Coinhive scripts.

Figure 4. Signs that can confirm the presence of cryptocurrency mining activity on a computer
Figure 4. Signs that can confirm the presence of cryptocurrency mining activity on a computer

We can also capture WebSocket traffic using network analysis tools and see the traffic sent between the miner and the server, which may include calculated hashes sent to the mining pool while the mining code is running.

Figure 5. Captured network traffic showing communications between mining script and mining pool server
Figure 5. Captured network traffic showing communications between mining script and mining pool server

Detection of browser-based mining activity remains high

As already mentioned, browser-based miners became quite prevalent in the last few months of 2017. We can see the percentage change when looking at our network protection telemetry.

Figure 6. Month by month percentage change in browser based mining activity
Figure 6. Month by month percentage change in browser based mining activity

Even with the recent large drops in cryptocurrency values since late January, incidents of browser-based cryptocurrency mining remains high.

As we have seen in this blog, the criminals behind illegitimate mining continue to find new ways to highjack their victims’ processing power in order to enrich themselves. Symantec will continue to monitor their activities and respond in kind.

Protection

Intrusion Prevention System (IPS)

Signatures related to browser-based miners:

Antivirus

About the Author

Aishwarya Lonkar

Threat Analysis Engineer

Aishwarya Lonkar is a Threat Analysis Engineer on the Intrusion Prevention System (IPS) team. Her work involves analyzing the latest threats, including their behavior and network activity, and creating signatures for various Symantec products.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.