Coinhive and Cryptojacking

There has been a recent sharp increase in cryptojacking.

Threat ID:: CC-1699
Category:
Threat Severity:: Low
Threat Vector:
Published:: 12 October 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

There has been a recent sharp increase in cryptojacking.

Threat details

Cryptojacking is a method of hijacking a machine or web browser to mine for cryptocurrency. This activity is performed without a user’s knowledge or permission. A successful attack does not require the user to install any software, as it works within the web browser directly.

Much of this traffic is known as ‘in-browser mining’ and is hosted on a web site. The mining script is executed when the user browses to the site. There has been an increase in attackers using ‘pop-ups’ and ‘pop-unders’ in order to maintain mining when the user has left the site.

cryptojacking isn’t limited to just web browsers, it is possible for cryptojacking malware to infect the host (Windows, Linux and macOS), in addition to iOS and Android phones.

Browser extensions have also been identified as using JavaScript to mine cryptocurrency (ArchivePoster and Iridium, for example).

A tale-tell sign of a cryptojacking infection is a significant reduction in host machine performance, as the CPU and graphics cards are used for cryptomining.

The following is a link to a PowerShell script that monitors CPU usage across a provided list of hosts. This script can be used to provide email alerts for hosts with high CPU usage, indicative of a cryptominer in use.

For further information:

Powershell script to monitor CPU utilization and notify on a threshold breach

Remediation advice

If you suspect that your machine/browser is being cryptojacked:

Remediation steps

Type	Step
	Check CPU utilisation The Cryptominer may not necessarily be running as your browser process (chrome.exe, for example Check for ‘pop-unders’ or ‘pop-overs’ and kill those If the machine continues at high CPU utilisation, ensure no other application is causing this; power cycle the machine. Should high utilisation persist after power cycling, segregate the host from the network and follow your normal Malware Infection process. Make sure your antivirus is up to date as most vendors have released patches to block Cryptomining Use an ad blocker, as this could stop the cryptojacking script from running Use a Chrome extension such as No Coin or minerBlock to block the services Update DNS or Hosts Files to null route the following last known list of mining URI’s. You can copy and paste the below into your Hosts file. Hosts To Block: cnhv[.]co coin-hive[.]com coinhive[.]com gus[.]host load[.]jsecoin[.]com miner[.]pr0gramm[.]com minemytraffic[.]com ppoi[.]org projectpoi[.]com crypto-loot[.]com coinerra[.]com coin-have[.]com minero[.]pw minero-proxy-01[.]now[.]sh minero-proxy-02[.]now[.]sh minero-proxy-03[.]now[.]sh api[.]inwemo[.]com rocks[.]io adminer[.]com ad-miner[.]com jsccnn[.]com jscdndel[.]com coinhiveproxy[.]com coinblind[.]com coinnebula[.]com monerominer[.]rocks cdn[.]cloudcoins[.]co coinlab[.]biz go[.]megabanners[.]cf baiduccdn1[.]com wsp[.]marketgid[.]com papoto[.]com flare-analytics[.]com www[.]sparechange[.]io static[.]sparechange[.]io miner[.]nablabee[.]com m[.]anyfiles[.]ovh www[.]freecontent[.]bid www[.]cryptonoter[.]com www[.]mutuza[.]win cryweb[.]github[.]io crywebber[.]github[.]io crypto-webminer[.]com cdn[.]adless[.]io hegrinhar[.]com verresof[.]com hemnes[.]win tidafors[.]xyz moneone[.]ga plexcoin[.]info www[.]monkeyminer[.]net go2[.]mercy[.]ga coinpirate[.]cf d[.]cpufan[.]club krb[.]devphp[.]org[.]ua nfwebminer[.]com node[.]cfcdist[.]gdn webxmr[.]com xmr[.]mining[.]best webminepool[.]com webminepool[.]tk hive[.]tubetitties[.]com playerassets[.]info tokyodrift[.]ga webassembly[.]stream okeyletsgo[.]ml candid[.]zone webmine[.]pro andlache[.]com bablace[.]com bewaslac[.]com biberukalap[.]com bowithow[.]com butcalve[.]com evengparme[.]com gridiogrid[.]com hatcalter[.]com kedtise[.]com ledinund[.]com nathetsof[.]com renhertfo[.]com rintindown[.]com sparnove[.]com witthethim[.]com 1q2w3[.]fun 1q2w3[.]me cryptoloot[.]pro bjorksta[.]men crypto[.]csgocpu[.]com noblock[.]pro miner[.]cryptobara[.]com digger[.]cryptobara[.]com dev[.]cryptobara[.]com reservedoffers[.]club mine[.]torrent[.]pw host[.]d-ns[.]ga abc[.]pema[.]cl mine[.]nahnoji[.]cz webmine[.]cz intactoffers[.]club analytics[.]blue smectapop12[.]pl berserkpl[.]net[.]pl hodlers[.]party hodling[.]faith chainblock[.]science minescripts[.]info cdn[.]minescripts[.]info miner[.]nablabee[.]com wss[.]nablabee[.]com clickwith[.]bid dronml[.]ml niematego[.]tk tulip18[.]com p[.]estream[.]to azvjudwr[.]info jroqvbvw[.]info jyhfuqoh[.]info kdowqlpt[.]info xbasfbno[.]info 1beb2a44[.]space 300ca0d0[.]space 310ca263[.]space 320ca3f6[.]space 330ca589[.]space 340ca71c[.]space 360caa42[.]space 370cabd5[.]space 3c0cb3b4[.]space 3d0cb547[.]space *[.]hit[.]gemius[.]pl Hosts File: cryptominer_hostsfile.txt AdBlock Profile: Crypto_adBlock.txt

Type

Step

Check CPU utilisation
- The Cryptominer may not necessarily be running as your browser process (chrome.exe, for example
Check for ‘pop-unders’ or ‘pop-overs’ and kill those
- If the machine continues at high CPU utilisation, ensure no other application is causing this; power cycle the machine. Should high utilisation persist after power cycling, segregate the host from the network and follow your normal Malware Infection process.
Make sure your antivirus is up to date as most vendors have released patches to block Cryptomining
Use an ad blocker, as this could stop the cryptojacking script from running
Use a Chrome extension such as No Coin or minerBlock to block the services
Update DNS or Hosts Files to null route the following last known list of mining URI’s. You can copy and paste the below into your Hosts file.

Hosts To Block:

cnhv[.]co
coin-hive[.]com
coinhive[.]com
gus[.]host
load[.]jsecoin[.]com
miner[.]pr0gramm[.]com
minemytraffic[.]com
ppoi[.]org
projectpoi[.]com
crypto-loot[.]com
coinerra[.]com
coin-have[.]com
minero[.]pw
minero-proxy-01[.]now[.]sh
minero-proxy-02[.]now[.]sh
minero-proxy-03[.]now[.]sh
api[.]inwemo[.]com
rocks[.]io
adminer[.]com
ad-miner[.]com
jsccnn[.]com
jscdndel[.]com
coinhiveproxy[.]com
coinblind[.]com
coinnebula[.]com
monerominer[.]rocks
cdn[.]cloudcoins[.]co
coinlab[.]biz
go[.]megabanners[.]cf
baiduccdn1[.]com
wsp[.]marketgid[.]com
papoto[.]com
flare-analytics[.]com
www[.]sparechange[.]io
static[.]sparechange[.]io
miner[.]nablabee[.]com
m[.]anyfiles[.]ovh
www[.]freecontent[.]bid
www[.]cryptonoter[.]com
www[.]mutuza[.]win
cryweb[.]github[.]io
crywebber[.]github[.]io
crypto-webminer[.]com
cdn[.]adless[.]io
hegrinhar[.]com
verresof[.]com
hemnes[.]win
tidafors[.]xyz
moneone[.]ga
plexcoin[.]info
www[.]monkeyminer[.]net
go2[.]mercy[.]ga
coinpirate[.]cf
d[.]cpufan[.]club
krb[.]devphp[.]org[.]ua
nfwebminer[.]com
node[.]cfcdist[.]gdn
webxmr[.]com
xmr[.]mining[.]best
webminepool[.]com
webminepool[.]tk
hive[.]tubetitties[.]com
playerassets[.]info
tokyodrift[.]ga
webassembly[.]stream
okeyletsgo[.]ml
candid[.]zone
webmine[.]pro
andlache[.]com
bablace[.]com
bewaslac[.]com
biberukalap[.]com
bowithow[.]com
butcalve[.]com
evengparme[.]com
gridiogrid[.]com
hatcalter[.]com
kedtise[.]com
ledinund[.]com
nathetsof[.]com
renhertfo[.]com
rintindown[.]com
sparnove[.]com
witthethim[.]com
1q2w3[.]fun
1q2w3[.]me
cryptoloot[.]pro
bjorksta[.]men
crypto[.]csgocpu[.]com
noblock[.]pro
miner[.]cryptobara[.]com
digger[.]cryptobara[.]com
dev[.]cryptobara[.]com
reservedoffers[.]club
mine[.]torrent[.]pw
host[.]d-ns[.]ga
abc[.]pema[.]cl
mine[.]nahnoji[.]cz
webmine[.]cz
intactoffers[.]club
analytics[.]blue
smectapop12[.]pl
berserkpl[.]net[.]pl
hodlers[.]party
hodling[.]faith
chainblock[.]science
minescripts[.]info
cdn[.]minescripts[.]info
miner[.]nablabee[.]com
wss[.]nablabee[.]com
clickwith[.]bid
dronml[.]ml
niematego[.]tk
tulip18[.]com
p[.]estream[.]to
azvjudwr[.]info
jroqvbvw[.]info
jyhfuqoh[.]info
kdowqlpt[.]info
xbasfbno[.]info
1beb2a44[.]space
300ca0d0[.]space
310ca263[.]space
320ca3f6[.]space
330ca589[.]space
340ca71c[.]space
360caa42[.]space
370cabd5[.]space
3c0cb3b4[.]space
3d0cb547[.]space
*[.]hit[.]gemius[.]pl

Hosts File:

cryptominer_hostsfile.txt

AdBlock Profile:

Crypto_adBlock.txt

Last edited: 17 February 2020 11:29 am