Sophos News

Web-based cryptominers are malware

Legitimate cryptomining programs ask users for permission to run. Malicious versions don’t, opting instead to quietly leech a computer’s resources. SophosLabs is seeing more of the latter variety, with a new twist:

Instead of showing up as executable files, they take the form of scripts hidden on websites, mining for cryptocurrency in the browser. Visitors to these sites see no evidence of the mining. The only clues that something may be amiss are their computer slowing down and their fans revving up.

A clear example of this is Coinhive, a Monero miner that first appeared in mid-September. The number of sites hiding it has steadily increased in recent weeks, as cryptocurrency values have taken a wild trajectory skyward.

Given their parasitic nature, Sophos has decided to start tagging Coinhive and other JavaScript-based cryptominers as malware to be blocked when users stumble upon a site harboring them.

Sophos CTO Joe Levy explains why:

Our position is that when this software is run in any user’s browser without an organization’s consent, it is parasitic, and should be considered malware because we don’t have something called parasiteware today. In instances where an organization really wants to donate its CPU/GPU cycles, and where the mining operation has gone to sufficient lengths to enable vendors like us to easily differentiate between consensual and non-consensual versions, then we can have a discussion about different classifications.

Cryptomining takes a sinister turn

Cryptomining is the process used to discover Bitcoin, Monero, and such other cryptocurrencies as Ethereum and Litecoin. It requires massive amounts of computer processing power, which slows down performance and causes wear and tear on the hardware.

This wasn’t always a problem because the activity was largely limited to those who chose to do it. That began to change as cryptocurrency prices skyrocketed. A single Bitcoin was worth $1000 at the start of 2017 and was valued at around $17,000 by year’s end.

Cyber thieves have taken notice and started using cryptominers to make money.

As noted above, JavaScript miners like those from Coinhive are added to websites and run in the browser, using visitors’ CPUs to generate cryptocurrency. Users may notice poor performance, a spike in CPU usage and batteries draining faster than usual.
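The two passages above describe miners that arrive as JavaScript embedded in a web page rather than as executables. The following is an added example, not Sophos code or Coinhive code, of the kind of check a web gateway or crawler can run over page content to flag such embeds: it collects every `<script>` tag and reports those that load a library from an assumed miner host or that instantiate a miner inline. The host list and the inline patterns (the `CoinHive.Anonymous`/`CoinHive.User` constructor names and the `cryptonight` string) are assumptions made for illustration, not a detection database, and the two sample pages are constructed.

```python
"""Added example (not Sophos or Coinhive code): flag HTML pages that embed a
browser cryptominer. Indicator lists are assumptions for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators (illustrative, not a Sophos detection database):
# hosts that serve miner libraries, and strings seen when a miner is
# started from page script.
MINER_SCRIPT_HOSTS = {"coinhive.com"}
MINER_INLINE_PATTERNS = [
    re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I),  # assumed API name
    re.compile(r"\bcryptonight\b", re.I),                    # Monero PoW name
]


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands us the raw <script> body as data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_of(src):
    """Hostname of a script src; protocol-relative URLs are handled, relative paths give ''."""
    return urlparse(src if "//" in src else "//" + src).hostname or ""


def find_miner_indicators(html):
    """Return human-readable findings for one HTML document ([] if clean)."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = _host_of(src)
        # Match the listed host itself or any subdomain of it.
        if any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS):
            findings.append(f"external miner library loaded from {host}")
    for body in parser.inline:
        for pat in MINER_INLINE_PATTERNS:
            if pat.search(body):
                findings.append(f"inline script starts a miner (matched {pat.pattern})")
                break
    return findings


# Constructed sample pages for a quick self-check.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script>document.title = "hello";</script>
</head><body></body></html>"""

MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>Search results</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("mining", MINING_PAGE)):
        print(name, find_miner_indicators(page) or "no indicators")
```

String matching of this kind catches the plain embeds described in the article; an obfuscated loader that fetches the library from a rotating domain will slip past it, which is why a gateway-side check should be paired with the endpoint symptoms the article lists (sustained CPU spikes and battery drain on pages that should be idle) rather than relied on alone.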

Coinhive also works on mobile devices, and even over short periods the user may notice the device’s temperature increasing dramatically.

Coinhive rises with cryptocurrency values

As the value of such cryptocurrencies as Bitcoin (BTC) and Monero (XMR) skyrocketed in the last couple of weeks, SophosLabs has noticed a steady rise in sites using Coinhive scripts.

Here’s what the rise of Coinhive looks like compared to rising BTC and XMR values:

Coinhive markets itself as an alternative source of revenue to advertisements.

Infamous torrent site The Pirate Bay is among those that have used Coinhive’s code while neglecting to tell visitors that their browsers were being used to mine cryptocurrency. The site embedded Coinhive JavaScript code on its search pages to mine for Monero.

It’s this sort of activity that is leading Sophos to take a tougher stance.

From PUAs to malware

Until now, we detected cryptominers as PUAs (Potentially Unwanted Applications), which meant no automatic cleanup. Admins were instead presented with alerts for PUA detections and could manually choose one of three options: Cleanup, Authorize or Acknowledge.

For Coinhive and equivalent web-based JavaScript miners, the situation is now different. Customers using Web Control will now see something like this right off the bat:

What to do

Sophos customers can block cryptominers by using the Web Control features included in our Endpoint and Network Protection products.

Once enabled, blocking websites categorized as “Hacking” will stop users from visiting the offending sites.

Customers can read our Knowledge Base article to find out more about how to block JavaScript cryptominers.