Is Cryptojacking Dead After Coinhive Shutdown?

Varlioglu, Said; Gonen, Bilal; Ozer, Murat; Bastug, Mehmet F.

doi:10.1109/icict50521.2020.00068

Cited by 28 publications

(22 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Carlin et al analyzed the growth of cryptojacking in their study [1]. Varlioglu et al [14] inspected the websites that were previously found to have cryptojacking scripts by CMTracker [16].…”

Section: Related Workmentioning

confidence: 99%

“…Thus, cryptojacking was born, a new cryptocurrency mining malware running covertly on end-user browsers that relies on the latest web technologies and easily reaches its victims via websites without requiring any software installation. The misuse of Coinhive scripts by malicious entities without the consent of end-users facilitated the shut down of Coinhive in March 2019 [14]. Although Coinhive is no longer maintained or operational, numerous studies [15], [14] indicate that cryptojacking malware is still in use in the wild.…”

Section: Introductionmentioning

confidence: 99%

“…The misuse of Coinhive scripts by malicious entities without the consent of end-users facilitated the shut down of Coinhive in March 2019 [14]. Although Coinhive is no longer maintained or operational, numerous studies [15], [14] indicate that cryptojacking malware is still in use in the wild. The findings of our study add further support to this statement.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MINOS: A Lightweight Real-Time Cryptojacking Detection System

Naseem¹,

Arış²,

Babun³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Emerging WebAssembly(Wasm)-based cryptojacking malware covertly uses the computational resources of users without their consent or knowledge. Indeed, most victims of this malware are unaware of such unauthorized use of their computing power due to techniques employed by cryptojacking malware authors such as CPU throttling and obfuscation. A number of dynamic analysis-based detection mechanisms exist that aim to circumvent such techniques. However, since these mechanisms use dynamic features, the collection of such features, as well as the actual detection of the malware, require that the cryptojacking malware run for a certain amount of time, effectively mining for that period, and therefore causing significant overhead. To solve these limitations, in this paper, we propose MINOS, a novel, extremely lightweight cryptojacking detection system that uses deep learning techniques to accurately detect the presence of unwarranted Wasm-based mining activity in real-time. MINOS uses an image-based classification technique to distinguish between benign webpages and those using Wasm to implement unauthorized mining. Specifically, the classifier implements a convolutional neural network (CNN) model trained with a comprehensive dataset of current malicious and benign Wasm binaries. MINOS achieves exceptional accuracy with a low TNR and FPR. Moreover, our extensive performance analysis of MINOS shows that the proposed detection technique can detect mining activity instantaneously from the most current in-the-wild cryptojacking malware with an accuracy of 98.97%, in an average of 25.9 milliseconds while using a maximum of 4% of the CPU and 6.5% of RAM, proving that MINOS is highly effective while lightweight, fast, and computationally inexpensive. * Minos is the beast in Dante's Divine Comedy that acts as a judge in underworld and decides which layer of the hell the sinner goes to.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

MINOS: A Lightweight Real-Time Cryptojacking Detection System

Naseem¹,

Arış²,

Babun³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Cryptojacking Dataset Sample Type Focus of the Study [138] 2000 executable binary the practice of using compromised PCs to mine Bitcoin [139] 33282 websites script prevalence analysis [140] --how cybercriminals are exploiting cryptomining [65] 5190 websites script campaign and domain analysis [141] XMR-stak, cpuminer-multi binary attack impact on consumer devices and user annoyance [142] 5700 websites script static, dynamics and economic analysis [143] CoinHive cryptominer script sample characteristics and network traffic analysis [104] 1.2 million miners binary currencies, actors , campaign and earning analysis, underground markets [144] 107511 websites script profitability and the imposed overheads [15] 3.2 TB historical scan results script investigation of a new type of attack that exploits Internet infrastructure for cryptomining [145] --business model, threat sources, implications, mitigations, legality and ethics [146] 53 websites script sample characteristics [147] 2770 websites script activeness analysis [148] XMRig miner binary sample characteristics [135] 156 domains, 25892 proxies script impact on the web users also some new methods [150] proposed by researchers for better and more optimized blacklisting, but even dynamic blacklisting methods are not fully effective nor protective [151] against domain fluxing methods.…”

Section: Refmentioning

confidence: 99%

SoK: Cryptojacking Malware

Tekiner

Acar

Uluagac

et al. 2021

2021 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryptocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable cryptocurrencies (e.g., Monero), cryptojacking malware has become an indispensable tool for attackers. Indeed, the banking industry, major commercial websites, government and military servers (e.g., US Dept. of Defense), online video sharing platforms (e.g., Youtube), gaming platforms (e.g., Nintendo), critical infrastructure resources (e.g., routers), and even recently widely popular remote video conferencing/meeting programs (e.g., Zoom during the Covid-19 pandemic) have all been the victims of powerful cryptojacking malware campaigns. Nonetheless, existing detection methods such as browser extensions that protect users with blacklist methods or antivirus programs with different analysis methods can only provide a partial panacea to this emerging cryptojacking issue as the attackers can easily bypass them by using obfuscation techniques or changing their domains or scripts frequently. Therefore, many studies in the literature proposed cryptojacking malware detection methods using various dynamic/behavioral features. However, the literature lacks a systemic study with a deep understanding of the emerging cryptojacking malware and a comprehensive review of studies in the literature. To fill this gap in the literature, in this SoK paper, we present a systematic overview of cryptojacking malware based on the information obtained from the combination of academic research papers, two large cryptojacking datasets of samples, and 45 major attack instances. Finally, we also present lessons learned and new research directions to help the research community in this emerging area.

show abstract

“…Hackers usually conduct cryptojacking by getting the victim to click on a malicious link in an email that downloads crypto-mining code onto their computer, infecting a website with JavaScript code that automatically runs itself once downloaded into a victim's browser, or compromising the servers to stealthily run the mining programs in the background. Although Coinhive, an in-browser mining service provider, shutdown on March 2019, cryptojacking is still alive and evolving [8]. Recently, The Next Web reported that unsuspecting victims were cryptojacked 52.7 million times in the first half of 2019 [5].…”

mentioning

confidence: 99%

POSTER: Content-Agnostic Identification of Cryptojacking in Network Traffic

Feng

Sisodia

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

In this paper, we propose a method that detects cryptojacking activities by analyzing content-agnostic network traffic flows. Our method first distinguishes crypto-mining activities by profiling the traffic with fast Fourier transform at each time window. It then generates the variation vectors between adjacent time windows and leverages a recurrent neural network to identify the cryptojacking patterns. Compared with the existing approaches, this method is privacy-preserving and can identify both browser-based and malware-based cryptojacking activities. Additionally, this method is easy to deploy. It can monitor all the devices within a network by accessing packet headers from the gateway router. CCS CONCEPTS • Networks → Network monitoring; • Security and privacy → Intrusion/anomaly detection and malware mitigation.

show abstract

Is Cryptojacking Dead After Coinhive Shutdown?

Cited by 28 publications

References 7 publications

MINOS: A Lightweight Real-Time Cryptojacking Detection System

MINOS: A Lightweight Real-Time Cryptojacking Detection System

SoK: Cryptojacking Malware

POSTER: Content-Agnostic Identification of Cryptojacking in Network Traffic

Contact Info

Product

Resources

About