Vulnerable JavaScript Illegally Mining User Machines


So a few days ago, I was browsing Cnet.com to look at some online tools. I noticed an odd alert triggered by my anti-virus scanner: with the URL filtering option enabled, it detected something as HKTL_COINMINE. I decided to investigate further to see what this was all about. What I slowly started to uncover was that something was using my machine to mine. At first this didn't make sense, as no new applications or files had been downloaded.

Then I noticed an increase in CPU usage; I have a normal baseline that my CPU levels usually sit at. After looking into some network connections, I realized a connection had been made out to a server in Ukraine, and that isn't typical behavior for my network. After some further investigation, I realized that it was the CNET JavaScript file that had been compromised externally on another server. And that led me to this blog post!

How Do They Exploit JavaScript?

From the attacker's point of view, you have to give a nod to the idea of using JavaScript to mine. The majority of users browse with JavaScript enabled, so anyone who lands on a page that loads the injected script runs the miner for as long as the tab stays open, with nothing downloaded or installed. The miner itself is an ordinary script: in this case the Coinhive library, which loads a WebAssembly build of the CryptoNight hashing routine (the cryptonight.wasm file in the indicators below) and submits its work to Coinhive's servers, crediting the attacker's site key. This seems to be a new trend popping up around the web, and it is a brilliant idea from their side: get the world wide web to mine for you while you keep all of the profits, spending someone else's CPU cycles. As long as you can get your script in front of enough traffic, whether on your own site or injected into a script that other sites load, all of those viewers do your mining for you.

Screenshot: the injected Coinhive JavaScript as it appeared in the compromised file (coinhive_javascript_file)

Indicators of Compromise

There are a few different variants of the injected JavaScript in circulation. I have listed the ones I have personally encountered as of today. The most practical way to use these IoCs is to filter on the host names/URLs and their associated IP addresses, both in the scripts a page loads and in outbound connections from the machine. The servers this script reaches out to are in Europe as of now.

Cryptonight

Category: Malicious Web Sites
URL: xelkrhl.info/cryptonight.wasm
IP address: 91.229.23.149
Port: 443

Coin-Hive

Has a server in Ukraine. This appears to be the central location that many of the connections point towards.

Host: coin-hive.com
IP address: 94.130.128.243
Submitted URL: coin-hive.com/lib/cryptonight.wasm
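The two sections above describe the mechanism (a miner script loaded into the page) and the indicators to hunt for. The following is an added example, not code from the original post, showing how to turn those indicators into a check that runs over a page's script tags and over a netstat-style connection listing. The IoC host names, IPs and paths are the ones listed above; the `CoinHive.Anonymous` pattern is the public Coinhive client API; the sample script list and netstat lines are constructed for this example.

```javascript
// Indicators from the post above. Hosts match exactly or as a parent domain,
// IPs match exactly, and the wasm paths match on the URL path.
const IOC = {
  hosts: ["xelkrhl.info", "coin-hive.com"],
  ips: ["91.229.23.149", "94.130.128.243"],
  paths: ["/cryptonight.wasm", "/lib/cryptonight.wasm"],
  // Strings that give the Coinhive miner away when it is inlined or served
  // under a different file name (assumption: the standard Coinhive client API).
  inlinePatterns: [/CoinHive\.Anonymous\s*\(/, /coinhive\.min\.js/i, /cryptonight\.wasm/i],
};

function hostMatches(host, iocHost) {
  host = host.toLowerCase();
  return host === iocHost || host.endsWith("." + iocHost);
}

// Check one URL (a script src or an outbound request) against the IoCs.
// Returns the list of reasons it matched; an empty list means clean.
function matchUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return []; } // relative/invalid: nothing to match
  const reasons = [];
  for (const h of IOC.hosts) if (hostMatches(url.hostname, h)) reasons.push("host " + h);
  if (IOC.ips.includes(url.hostname)) reasons.push("ip " + url.hostname);
  if (IOC.paths.includes(url.pathname) || url.pathname.endsWith("/cryptonight.wasm")) {
    reasons.push("path " + url.pathname);
  }
  return reasons;
}

// scripts: objects with .src and .text, e.g. Array.from(document.scripts) in a
// browser console. Returns one hit per suspicious script tag.
function scanScripts(scripts) {
  const hits = [];
  scripts.forEach((s, i) => {
    const reasons = s.src ? matchUrl(s.src) : [];
    const text = s.text || "";
    for (const re of IOC.inlinePatterns) if (re.test(text)) reasons.push("inline " + re.source);
    if (reasons.length) hits.push({ index: i, src: s.src || "(inline)", reasons });
  });
  return hits;
}

// netstatLines: lines from `netstat -tn` on Linux (foreign address is field 5,
// printed as ip:port). Returns the established connections to an IoC IP.
function scanConnections(netstatLines) {
  const hits = [];
  for (const line of netstatLines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5) continue;
    const foreign = fields[4];
    const sep = foreign.lastIndexOf(":");
    if (sep < 0) continue; // header line or unexpected format
    const ip = foreign.slice(0, sep), port = foreign.slice(sep + 1);
    if (IOC.ips.includes(ip)) hits.push({ ip, port, line: line.trim() });
  }
  return hits;
}

// Constructed sample input: a benign script, a script pulled from the miner's
// host, and an inline snippet that instantiates the miner.
const SAMPLE_SCRIPTS = [
  { src: "https://www.cnet.com/js/app.js", text: "" },
  { src: "https://coin-hive.com/lib/coinhive.min.js", text: "" },
  { src: "", text: "var miner = new CoinHive.Anonymous('site-key'); miner.start();" },
];

// Constructed sample netstat -tn output: one connection to an IoC IP, one not.
const SAMPLE_NETSTAT = [
  "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
  "tcp        0      0 192.168.1.20:52344      91.229.23.149:443       ESTABLISHED",
  "tcp        0      0 192.168.1.20:52345      151.101.1.1:443         ESTABLISHED",
];

function runSample() {
  return {
    scriptHits: scanScripts(SAMPLE_SCRIPTS),
    connectionHits: scanConnections(SAMPLE_NETSTAT),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

In a browser the same `scanScripts` can be run from the developer console against `Array.from(document.scripts)`; the netstat half is meant for the host side, where the author first noticed the connection. Matching on the host name rather than the full URL is deliberate: the path of the miner library changes between variants, while the hosts in the list above stayed the same.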

How Do I Protect Myself?

There are a few security measures that will help protect users.

Anti-virus software with up-to-date signatures and URL filtering should detect this; it was the URL filtering option on my scanner that raised the HKTL_COINMINE alert in the first place.

A firewall lets you block outbound connections based on the IoCs above. A next-generation firewall with URL and domain filtering improves the odds of blocking connections to these servers even when the IP addresses change.

A sustained CPU spike while a single page is open is the most visible symptom; closing the tab stops the mining, since the miner runs only as long as the script is loaded.

The far more aggressive approach is to disable JavaScript in your browser entirely. The downside is that many websites will cease to function, as the majority of them depend on JavaScript. A script-blocking extension that allows JavaScript per site is a less disruptive middle ground.

For site operators, the root problem here was a third-party script modified on another server; Subresource Integrity hashes on script tags cause the browser to refuse a script whose contents no longer match what the site expected.

If you know more about this issue or have encountered it yourself, feel free to share your experience.

As always, to all the viewers and readers out there: feel free to post and share your thoughts on this issue in the comments below.


