by Rubén Jiménez, Chief Architect at RANDED.

A brief introduction to Cryptojacking

Cryptocurrencies are revolutionizing the world and offer new market opportunities that were previously unthinkable.

Cryptocurrency mining, or cryptomining, is a process associated with Blockchain-based systems [1] and is necessary for the correct validation of the transactions made. Each validation carries a high computational cost and, to compensate for this calculation effort, the participating entities are rewarded with new cryptocurrencies, creating a balance in the digital monetary ecosystem in which they operate.

When mining is done using the resources of the user's device, without their consent or knowledge, we are talking about what is known as “Cryptojacking” [2].

To perform this type of fraudulent mining, special software must be installed on the user's device, whether mobile or desktop. Until not long ago, these frameworks leveraged traditional malware (Ransomware, Adware, etc.) to reach as many users as possible and to deploy massive mining campaigns.

The game has completely changed with the appearance of companies and groups that have created simple cryptocurrency mining scripts capable of running transparently in any browser, also known as “Browser-based Cryptojacking” or “In-Browser mining of cryptocurrencies” [3].

The most common programming language used to create mining code is JavaScript. This is understandable since JS is supported by all modern browsers and can be fully integrated with any web-based application.

One of the key factors in the success of browser-based mining is the distribution of the scripts throughout the user's browsing session. There are many possible scenarios, depending on whether distribution is direct or indirect and whether the website owners are complicit or not, but in general the most widely used method is distribution through advertising. It is worth noting that, although browser extensions have also been used as another means of distribution, browser vendors are raising their acceptance and analysis criteria [4].

One weakness of these mining scripts is their persistence on users' devices: their lifetime depends entirely on how long the browser runs, and closing the browser stops the script, so the advantage gained by executing in the browser becomes a disadvantage in terms of persistence time. Despite this obvious weakness, and as with traditional malware, new techniques that prolong persistence without the user's knowledge are already emerging [5].

Market response

In general, the new threats that come with cryptojacking have caught both the market and security companies slightly off guard, leaving them no option but to react slowly. Reusing procedures designed for other threats, together with the difficulty of integrating them into environments for which they were not designed, slows the response to customers. This situation facilitates the proliferation of new variants of mining scripts [3] and longer distribution campaigns.

Some browsers [6] have added protection features against cryptocurrency mining to their new versions. While this is good news for users, the main problem is that the battle is still being fought on their own devices, so the risk of being cryptojacked remains high.

The appearance of browser virtualization platforms is a step forward, as they separate the user's device from the browsed websites. As a result, sessions can be temporary and continuity of service in case of a threat is guaranteed. However, the requirements of third-party virtualization technologies, along with the use of proprietary remote application protocols and the limited control over browsing sessions, make this approach an attractive but ineffective option against cryptojacking attacks.

Companies with web-based business processes have a responsibility to protect their customers against any malicious code they may distribute. They are also responsible for keeping the devices from which their employees browse protected, without affecting performance or usability. All this makes it necessary to come up with an alternative that allows companies to stay one step ahead of any future evolution of cryptojacking.

Isolation as a natural defense

Web isolation technologies act as an implicit protection system against browser-based cryptocurrency mining.

Since all web content is executed on a remote platform that is responsible for the detection and blocking logic, users are neither exposed to web threats nor affected in their experience by the mitigation processes.

Having said that, it is important to note that not all web isolation technologies are equally effective.

Partial browser isolation solutions, with or without browsing context management, may be affected by variations in the stealth and persistence techniques of mining scripts. This makes the analysis process harder and directly affects the user experience. Last but not least, the risk of letting malicious code through is high and the consequences can be disastrous.

On the other hand, full isolation technologies, with built-in browsing context management, are the best defense solution against browser-based mining scripts.

Implicit Protection – ICTech

At Randed, we have believed from the beginning that full isolation is the only option that really guarantees security against future threats. This belief led us to create ICTech [7], an isolation technology that incorporates all the mechanisms necessary to detect and block mining scripts.

ICTech is the result of several years of research and development in which two powerful software components have been efficiently implemented and integrated: a browsing management system and a content transmission system. All this makes ICTech the first technology of its kind available on the market.

Detection is the first step in defeating any kind of mining script: the sooner it is detected, the easier it will be to block.

Among all the detection mechanisms that ICTech incorporates, we would like to highlight:

Resource analysis

This is one of the most widely used and easiest-to-implement techniques. Any web resource (HTML/JS/CSS) can be blocked if it matches a blacklist. Most mining scripts are included as JavaScript libraries, so filtering is applied to the name of the resource and the domain from which it is requested.

Content analysis

This is one of the most common techniques in traditional malware analysis. The content (code) of resources is analyzed to detect behaviors specific to mining: functions used, variable names, etc. It also allows the detection of inline scripts (embedded inside the HTML).
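As an added example (not ICTech's code), the resource analysis and content analysis steps above as a small filter that a web-isolation proxy could run over a request URL and over the script bodies it fetches or finds inline. The blocked hosts, resource-name patterns, content indicators and the sample HTML page are constructed for this illustration.

```javascript
// Added example, not Randed's code. Blocklists and indicator weights are constructed samples.
const BLOCKED_HOSTS = ["miner.example", "pool.miner.example"];            // constructed
const BLOCKED_NAMES = [/miner(\.min)?\.js$/i, /cryptonight/i];             // constructed
const CONTENT_INDICATORS = [                                               // constructed
  { re: /WebAssembly\.(instantiate|compile)/, weight: 2 },
  { re: /new\s+Worker\s*\(/, weight: 1 },
  { re: /navigator\.hardwareConcurrency/, weight: 2 },
  { re: /cryptonight|stratum/i, weight: 3 },
  { re: /\b(hashrate|hashes|nonce)\b/i, weight: 1 },
  { re: /wss?:\/\//, weight: 1 },
];
const CONTENT_THRESHOLD = 4;   // sum of weights at which a script body is blocked

// Resource analysis: decide from the request URL alone (resource name + domain).
function resourceVerdict(url) {
  const u = new URL(url);
  const name = u.pathname.split("/").pop();
  if (BLOCKED_HOSTS.some(h => u.hostname === h || u.hostname.endsWith("." + h))) {
    return { block: true, reason: "host:" + u.hostname };
  }
  if (BLOCKED_NAMES.some(re => re.test(name))) return { block: true, reason: "name:" + name };
  return { block: false, reason: "" };
}

// Content analysis: weighted indicators over the script body, so a single generic
// hit (e.g. a Worker) is not enough to block, while a cluster of mining traits is.
function contentVerdict(code) {
  const hits = CONTENT_INDICATORS.filter(ind => ind.re.test(code));
  const score = hits.reduce((s, ind) => s + ind.weight, 0);
  return { block: score >= CONTENT_THRESHOLD, score, hits: hits.map(h => h.re.source) };
}

// Inline scripts are not fetched as separate resources, so extract them from the HTML
// and run content analysis on each.
function scanInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const verdicts = [];
  for (let m = re.exec(html); m !== null; m = re.exec(html)) verdicts.push(contentVerdict(m[1]));
  return verdicts;
}

// Constructed sample page: one ordinary script and one that looks like an in-browser miner.
const SAMPLE_HTML = `<html><body>
<script>document.getElementById("go").addEventListener("click", () => fetch("/api"));</script>
<script>const n = navigator.hardwareConcurrency; for (let i = 0; i < n; i++) new Worker("w.js");
WebAssembly.instantiate(buf); const sock = new WebSocket("wss://pool.miner.example/");</script>
</body></html>`;
```

The weighted scoring is what keeps content analysis from blocking every page that happens to use a Web Worker or WebAssembly on its own.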

Monitoring DOM events

This consists of listening to the DOM events [8] generated by the rendering engine in a browsing context. Some of these events are used by mining scripts to react to user actions, activating or suspending the mining process.

CPU/Memory monitoring

This monitors the amount of memory and CPU used by each browsing tab. When usage is high, other mechanisms are activated to analyze the activity. It can also alert about other attacks, such as browser-side DoS or remote exploitation attempts.

PopUp creation/launch analysis

This analyzes the attributes and parameters used when requesting a new browsing window. Some mining scripts try to maintain persistence by using tricks when opening pop-ups [9].

Graphic API analysis

Modern browsers support WebGL and, therefore, complex mathematical calculations can be done at GPU level. This is a resource that mining scripts [10] can take advantage of to accelerate operations without affecting CPU consumption.

When a browsing session is found to have been affected by a mining script, there are two possible options:

Option 1:

Degrade the functionality of the script as much as possible, using dedicated techniques, while keeping the browsing session operational:

Adaptive CPU

This reduces the CPU available to each browsing session and thus hinders mining operations.

Graphic API blocking

This denies the use of WebGL; if the browsed page does not require these resources, there is no reason to have them enabled.

AJAX / WebSockets connections filtering

This filters access to connectivity APIs and denies connections to the panels that collect the mined data.
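As an added example (not ICTech's code), the Graphic API blocking and WebSocket filtering steps of Option 1 as guards that an isolation engine could install into a browsing context before the page's own scripts run. The `policy` shape, the `installGuards` name and the stand-in window object are assumptions made for this illustration.

```javascript
// Added example, not Randed's code. `policy` = { allowWebGL, allowedSocketHosts } is assumed.
const WEBGL_CONTEXTS = new Set(["webgl", "webgl2", "experimental-webgl"]);

// Install both guards on a window-like object; returns an audit log for the admin alerting step.
function installGuards(win, policy) {
  const log = [];
  // Graphic API blocking: pages not entitled to WebGL get null, as if the GPU path were unavailable.
  const proto = win.HTMLCanvasElement.prototype;
  const origGetContext = proto.getContext;
  proto.getContext = function (type, ...rest) {
    if (!policy.allowWebGL && WEBGL_CONTEXTS.has(String(type).toLowerCase())) {
      log.push({ api: "webgl", action: "deny", detail: type });
      return null;
    }
    return origGetContext.call(this, type, ...rest);
  };
  // WebSocket filtering: sockets may only reach allowlisted hosts (and their subdomains).
  const OrigWS = win.WebSocket;
  function GuardedWebSocket(url, protocols) {
    const host = new URL(url).hostname;
    if (!policy.allowedSocketHosts.some(h => host === h || host.endsWith("." + h))) {
      log.push({ api: "websocket", action: "deny", detail: host });
      throw Object.assign(new Error("connection to " + host + " blocked by policy"), { name: "SecurityError" });
    }
    log.push({ api: "websocket", action: "allow", detail: host });
    return new OrigWS(url, protocols);
  }
  GuardedWebSocket.prototype = OrigWS.prototype;
  win.WebSocket = GuardedWebSocket;
  return log;
}

// Constructed stand-in for a browsing context, so the guards can be exercised outside a browser.
function fakeWindow() {
  function Canvas() {}
  Canvas.prototype.getContext = type => ({ kind: type });
  function WS(url) { this.url = url; }
  return { HTMLCanvasElement: Canvas, WebSocket: WS };
}

function demo() {
  const win = fakeWindow();
  const log = installGuards(win, { allowWebGL: false, allowedSocketHosts: ["chat.example"] });
  const canvas = new win.HTMLCanvasElement();
  const gl = canvas.getContext("webgl"), twoD = canvas.getContext("2d");
  let blocked = false;
  try { new win.WebSocket("wss://pool.miner.example/"); } catch (e) { blocked = e.name === "SecurityError"; }
  const ok = new win.WebSocket("wss://chat.example/room");
  return { gl, twoD, blocked, okUrl: ok.url, log };
}
```

The audit log returned by `installGuards` is the input the alert and notification step needs: every denied WebGL context or socket is recorded with the host or context type that triggered it.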

Option 2:

Close the affected browsing tab, or end the browsing session entirely.

The whole process must include an alert and notification system informing the administrator of the isolation platform that some browsed websites have distributed cryptojacking software.

Conclusion

While traditional malware struggles to conquer the operating systems of users' devices in order to take advantage of their resources, cryptocurrency mining scripts can freely access them through the execution contexts of the browsing engine. Their success lies in the simplicity of their operations: mathematical calculations and small transactions hidden in the immensity and complexity of current web applications.

Since we cannot prevent mining scripts from evolving in terms of distribution, persistence, execution or communication, security cannot be based entirely on traditional protection techniques. It is time for the market to provide modern solutions capable of defeating threats from the very beginning, and this will only be possible with a true paradigm shift.

References

[1] “Blockchain”, https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/blockchain

[2] “Cryptojacking – Cryptomining in the browser”, https://www.enisa.europa.eu/publications/info-notes/cryptojacking-cryptomining-in-the-browser

[3] “A first look at browser-based Cryptojacking”, https://arxiv.org/abs/1803.02887

[4] “Protecting users from extension cryptojacking”, https://blog.chromium.org/2018/04/protecting-users-from-extension-cryptojacking.html

[5] “Cryptocurrency Miners hidden in websites now run even after users close the browser”, http://securityaffairs.co/wordpress/66204/hacking/cryptocurrency-miners-browser.html

[6] “Opera introduces bitcoin mining protection in all mobile browsers – here’s how we did it”, https://blogs.opera.com/mobile/2018/01/opera-introduces-bitcoin-mining-protection-mobile-browsers/

[7] “Isolation Cloud Technology”, https://randed.com/isolation-cloud-technology/

[8] “Web Events Reference”, https://developer.mozilla.org/en-US/docs/Web/Events

[9] “Pop-up Ads”, https://en.wikipedia.org/wiki/Pop-up_ad#Pop-under_ad_technology

[10] “A Bitcoin miner that supports pure JavaScript, WebWorker and WebGL mining”, https://github.com/derjanb/hamiyoca

Ruben Jiménez

Chief Architect at Randed