Cryptocurrency Mining Malware Found in Nearly 50K Websites

  • Nearly 50,000 websites were found to host some type of cryptocurrency mining malware. — Bad Packets report, 2018
  • 5,541 WordPress websites were infected with malware as part of cryptojacking campaigns. — Bad Packets report, 2018

In an investigation by Troy Mursch, the author of the Bad Packets Report, nearly 50,000 websites were found to host some type of cryptocurrency mining malware.

Cryptocurrency mining is becoming an increasingly lucrative industry as speculation in digital currencies such as Bitcoin, Ethereum, and Monero has driven up valuations. In the case of Monero, which is more easily mined on CPUs than on GPUs, website owners have taken to embedding JavaScript-based mining scripts in order to generate revenue in place of, or in addition to, traditional advertisements.

While some websites provide an opt-out mechanism for mining, many websites do not. As cryptocurrency miners are frequently configured to max out the CPU capacity of a given device—to the extent that devices have been physically damaged—performing cryptocurrency mining via scripts embedded on web pages is inherently parasitical regardless of the intent of the website owner.

That said, the ease of embedding JavaScript miners in websites has attracted criminals, who have begun exploiting cross-site scripting and other vulnerabilities to inject mining scripts into websites to illicitly generate funds. These types of attacks have been on the rise as 4,000 government websites in the US, UK, and Australia were infected through a vulnerability in a third-party assistive technology for people with visual impairments. Similarly, a website operated by the L.A. Times was infected with a Monero mining script powered by Coinhive.

Mursch’s investigation found that, of the 48,953 websites found to have coin mining scripts, 39,925 (81.6%) used Coinhive. Mursch noted that 5,541 of these were WordPress websites that had obfuscated references to the Coinhive script. These websites share a total of six unique Coinhive site keys, suggesting that the scripts' inclusion on these websites is not an active decision by the website owners; rather, they were embedded by some illegitimate means, likely through a vulnerability in WordPress itself or surreptitiously included in a plug-in.
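The site-key reasoning above can be reproduced on your own crawl data. The following is an added example, not code from the Bad Packets report: it extracts Coinhive site keys from page source and groups domains by key, so a key reused across unrelated sites stands out. The domains, key values and sample pages are constructed, and the `\xNN`/`\uNNNN` escape decoding is an assumed form of obfuscation, since the article does not say how the references were hidden.

```python
import re
from collections import defaultdict

# Coinhive miners are created with new CoinHive.Anonymous('SITE_KEY') or CoinHive.User('SITE_KEY', ...)
KEY_RE = re.compile(r"CoinHive\s*\.\s*(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{8,64})['\"]")
# JavaScript string escapes; decoding them is an assumption about the obfuscation in use
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

def unescape_js(text):
    """Decode \\xNN and \\uNNNN escapes so escaped script bodies match the plain pattern."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def extract_site_keys(html):
    """Return the set of Coinhive site keys referenced in one page's source."""
    return set(KEY_RE.findall(unescape_js(html)))

def cluster_by_key(pages):
    """Map each site key to the set of domains whose source references it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for key in extract_site_keys(html):
            clusters[key].add(domain)
    return dict(clusters)

def shared_keys(pages, min_sites=2):
    """Keys seen on at least min_sites domains: a sign of one operator, not many owners."""
    return {k: sorted(d) for k, d in cluster_by_key(pages).items() if len(d) >= min_sites}

def _hex_escape(js):
    # Helper used only to build the constructed, escaped sample below
    return "".join("\\x%02x" % ord(c) for c in js)

# Constructed sample input: domain -> page source
SAMPLE_PAGES = {
    "blog-a.example": "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                      "<script>new CoinHive.Anonymous('CONSTRUCTEDKEY0001').start();</script>",
    "shop-b.example": "<script>eval(\"" +
                      _hex_escape("new CoinHive.Anonymous('CONSTRUCTEDKEY0001').start();") +
                      "\")</script>",
    "news-c.example": "<script>var m = new CoinHive.User('CONSTRUCTEDKEY0002', 'reader'); m.start();</script>",
    "clean-d.example": "<html><body>No miner here</body></html>",
}

if __name__ == "__main__":
    for key, domains in shared_keys(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(domains))
```

A key that appears on only one domain (such as the second constructed key) is consistent with an owner's own deployment; the clustering only flags reuse, it does not prove compromise.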

Alternatives to Coinhive have also gained some popularity, though they are presently a relatively small fraction of the browser-based mining industry. Of particular note is Minr, which automatically provides optional code obfuscation in an effort to resist detection by people inspecting the website source. Mursch also noted that the linked domains for Minr scripts change frequently.

Also of interest is the self-hosted deepMiner script, found on 2,160 websites, the report said. Because the script is self-hosted, searching for websites that link back to a specific domain would not detect deepMiner; instead, the function it uses to run was searched for on Public WWW.

As surreptitious coin mining operations, also known as cryptojacking, are becoming increasingly popular among criminals, proactive protections to safeguard against these attacks are necessary. Mursch recommends the minerBlock extension for Chrome and Firefox. Cryptojacking is blocked by default in Opera, and Malwarebytes, a popular anti-malware program, blocked Coinhive shortly after the website launched in September 2017.

Web-based mining attacks are only one component of criminals mining the Monero cryptocurrency in malware attacks. Attacks targeting Android devices, Microsoft Word documents, and Telegram were discovered last month, and criminals have also recycled the EternalBlue vulnerability developed by the NSA to create the mining botnet “Smominru.”

By James Sanders

3 Responses

  1. It’s in point of fact a great and helpful piece of info.

    I am happy that you simply shared this helpful information with us.
    Please stay us up to date like this. Thank you for sharing.

  2. crypto currency casino

    great issues altogether, you simply received a emblem new reader.
    What might you recommend about your post that
    you made some days in the past? Any sure?

  3. planet 7 casino mobile

    Pretty! This has been a really wonderful post. Many
    thanks for providing this info.
