The rise of cryptocurrency miners as malware

In Brief:
We have now had several inquiries from people running WordPress websites who’s customers have been reporting that the website has been running very slowly.

After investigating we concluded that their website had been subjected to a malware attack and a cryptocurrency miner had been installed throughout the site.

The miner started to run in a users browser tab whenever an infected web page was loaded.

The more infected tabs that were open, the more resources the miner used from the users computer, ultimately slowing everything down.

What is a cryptocurrency?

You have probably heard of Bitcoin.  It’s the digital currency that’s traded online without the need for banks to get involved.  Bitcoin was the first cryptocurrency to be widely adopted but there are others such as MoneroEthereum and Litecoin to name just a few.

Transactions are completed directly between user’s computers (peer-to-peer) cutting out third-party brokers such as banks.  Individual “coins” or units of each currency are derived from something called a “blockchain” or an on-line digital ledger through a process called mining.

What is a miner?

Cryptocurrency mining is a very computer process intensive record keeping service for the blockchain.

Miners keep the blockchain consistent, complete, and unalterable by repeatedly verifying and collecting newly broadcast transactions into a new group of transactions called a block.

As a reward, the user who’s computer resources are performing the mining receives a very very small percentage of a currency unit that the blockchain is keeping a record of.

If you’re new to all this then there’s a lot of terminology to take in and it can all be a bit overwhelming at first!

Making money

If you are one individual mining for currency using your own desktop PC then you’re not going to get rich over night.

The blockchain and mining technologies are built so as to make it more difficult to mine for currency, the more currency is mined.

Any currency rewarded to the person owning the mining process is paid into a secure digital wallet.

It should be noted that blockchain transactions are transparent but anonymity behind who owns those transactions and hence who owns the currency is not so it is virtually impossible to know who owns the wallet.

To make a profit mining you need to control a lot of computers (think tens of thousands) and that leads us neatly to the next point.

Why attack WordPress sites?

WordPress controls over 28.9% of the internet who’s content management system are known.

Considering that a large percentage of those sites are using out-of-date WordPress core versions which have known exploits, makes it’s a huge target for any would-be attackers.

Over the years we’ve seen WordPress sites being attacked for inserting spam links, sending out malicious emails and more recently by installing ransomware and extorting the website user into purchasing a decryption key to unlock the encrypted website files.

This new cryptocurrency mining malware attack is just another tool in the hackers war chest.

How do attackers make their money from cryptocurrency mining malware?

As mentioned above, you need thousands of computer running mining software against a blockchain before you’re going to see any usable reward for the effort.

By exploiting thousands of websites running old versions of WordPress, attackers install Javascript mining software as malware on the sites they infect.

The miner runs when a user opens an affected websites page in a tab on their browser and the combined effort sends the rewards back to the owner of the embedded malware miner.

Attackers seem to be preferring the method of mining.  Coinhive allows mining of a cryptocurrency called Monero.

It differs from other cryptocurrencies such as Bitcoin as by not giving any advantages to specialized computers running large GPUs which process more data.

Instead it runs a simple Javascript mining process which can be embedded on a web page.

Here’s an example of the Coinhive Javascript miner code:

[pastacode lang=”javascript” manual=”%0A%3Cscript%3Evar%20miner%20%3D%20null;%3C%2Fscript%3E” message=”” highlight=”” provider=”manual”/]

The miner is run when a user visits a web page that has the Javascript miner embedded in it and the owner of the miner gets the small reward.

Now imagine that you have a big website with 10,000’s of people visiting it each day.  That’s going to increase your % of reward at your visitors expense.

Because the miners are working in a users browser there is no affect on the web server that is serving out the embedded mining code.  Javascript runs in the browser so it is the website visitors own desktop or laptop computer that is being used to mine the data.

All the mining malware we found had no rate limits enabled which meant they were using as much memory and CPU power as they could.  This gave the perception to the visitor that the client’s website was slow, whereas in fact it was the web browser’s Javascript malware miner that was draining local computer resources girding it to a halt.

It should be clear to imagine that if attackers can infect thousands of vulnerable sites running older version of WordPress that the numbers can add up to a reasonable profit for them without much effort on their part.

The research team at Checkpoint looked at profit potential for an attacker embedding such Monero mining malware.  Their conclusion was that if an attacker were to infect sites such as to average 1,000 concurrent users across all of them,  it would generate $2,398 in monthly revenue.

That’s a lucrative profit so it’s not unreasonable to hypothesize that we’re going to see more of these types of attacks against WordPress sites in the future.

How to check if your site is affected and clear up?

There are two services that we would recommend using.

If you think your site has been infected with cryptocurrency mining malware just now then do a Sucuri scan right away.

For longer-term continual protection against not only cryptocurrency miners but heaps of other vulnerabilities, install the Wordfence firewall plugin.  As of November 24th, 2017 their free version will scan for cryptocurrency miners or you can install and upgrade to premium to protect them getting access to your site today.

How to clear the infection?

If you subscribe to Sucuri they will clean up your infected site.

With Wordfence (free edition), it will detect the miner scripts and suggest fixes but ultimately you will have to clean up the mess yourself from backups prior to being infected.

If your site is infected and you don’t know what to do next we offer a full WordPress Security audit and cleaning service to put your mind at ease.

Other tools:

It can be hard to detect if a website you are visiting has a mining script on it other than waiting until your browser and computer grinds to a halt for no known reason.

I recommend that you install a mining blocker add-on for your favorite browser:

Don’t get hacked in the first instance!

Keeping your WordPress website updated and secure is the best defense against this type of threat.  Having to clean up an infected site is costly, time consuming and damaging for your on-line brand.

Educate yourself on WordPress security by reading more of our security blog posts.

 

Was this article helpful?
YesNo

3 Responses

  1. Hello there, I discovered your site by way of Google whilst searching for a similar subject, your website got here up, it appears to be like
    good. I’ve bookmarked it in my google bookmarks.
    Hi there, just was alert to your weblog through Google, and located that it is truly informative.
    I am gonna be careful for brussels. I will appreciate if you continue this
    in future. Many folks might be benefited out of your writing.
    Cheers!

    1. This is one of the WORST grammatical spam comments I’ve seen in a long time. LMAO!! Thanks for brightening my day!