Skip to main content

Coinhive and Cryptojacking

There has been a recent sharp increase in cryptojacking.
Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

There has been a recent sharp increase in cryptojacking.

Threat details

Cryptojacking is a method of hijacking a machine or web browser to mine for cryptocurrency. This activity is performed without a user’s knowledge or permission. A successful attack does not require the user to install any software, as it works within the web browser directly.

Much of this traffic is known as ‘in-browser mining’ and is hosted on a web site. The mining script is executed when the user browses to the site. There has been an increase in attackers using ‘pop-ups’ and ‘pop-unders’ in order to maintain mining when the user has left the site.

cryptojacking isn’t limited to just web browsers, it is possible for cryptojacking malware to infect the host (Windows, Linux and macOS), in addition to iOS and Android phones.

Browser extensions have also been identified as using JavaScript to mine cryptocurrency (ArchivePoster and Iridium, for example).

A tale-tell sign of a cryptojacking infection is a significant reduction in host machine performance, as the CPU and graphics cards are used for cryptomining.

The following is a link to a PowerShell script that monitors CPU usage across a provided list of hosts. This script can be used to provide email alerts for hosts with high CPU usage, indicative of a cryptominer in use.

For further information:


Remediation advice

If you suspect that your machine/browser is being cryptojacked:

Remediation steps

Type Step
  • Check CPU utilisation
    • The Cryptominer may not necessarily be running as your browser process (chrome.exe, for example
  •  Check for ‘pop-unders’ or ‘pop-overs’ and kill those
    • If the machine continues at high CPU utilisation, ensure no other application is causing this; power cycle the machine. Should high utilisation persist after power cycling, segregate the host from the network and follow your normal Malware Infection process.
  • Make sure your antivirus is up to date as most vendors have released patches to block Cryptomining
  • Use an ad blocker, as this could stop the cryptojacking script from running
  • Use a Chrome extension such as No Coin or minerBlock to block the services
  • Update DNS or Hosts Files to null route the following last known list of mining URI’s. You can copy and paste the below into your Hosts file.

Hosts To Block:

cnhv[.]co
coin-hive[.]com
coinhive[.]com
gus[.]host
load[.]jsecoin[.]com
miner[.]pr0gramm[.]com
minemytraffic[.]com
ppoi[.]org
projectpoi[.]com
crypto-loot[.]com
coinerra[.]com
coin-have[.]com
minero[.]pw
minero-proxy-01[.]now[.]sh
minero-proxy-02[.]now[.]sh
minero-proxy-03[.]now[.]sh
api[.]inwemo[.]com
rocks[.]io
adminer[.]com
ad-miner[.]com
jsccnn[.]com
jscdndel[.]com
coinhiveproxy[.]com
coinblind[.]com
coinnebula[.]com
monerominer[.]rocks
cdn[.]cloudcoins[.]co
coinlab[.]biz
go[.]megabanners[.]cf
baiduccdn1[.]com
wsp[.]marketgid[.]com
papoto[.]com
flare-analytics[.]com
www[.]sparechange[.]io
static[.]sparechange[.]io
miner[.]nablabee[.]com
m[.]anyfiles[.]ovh
www[.]freecontent[.]bid
www[.]cryptonoter[.]com
www[.]mutuza[.]win
cryweb[.]github[.]io
crywebber[.]github[.]io
crypto-webminer[.]com
cdn[.]adless[.]io
hegrinhar[.]com
verresof[.]com
hemnes[.]win
tidafors[.]xyz
moneone[.]ga
plexcoin[.]info
www[.]monkeyminer[.]net
go2[.]mercy[.]ga
coinpirate[.]cf
d[.]cpufan[.]club
krb[.]devphp[.]org[.]ua
nfwebminer[.]com
node[.]cfcdist[.]gdn
webxmr[.]com
xmr[.]mining[.]best
webminepool[.]com
webminepool[.]tk
hive[.]tubetitties[.]com
playerassets[.]info
tokyodrift[.]ga
webassembly[.]stream
okeyletsgo[.]ml
candid[.]zone
webmine[.]pro
andlache[.]com
bablace[.]com
bewaslac[.]com
biberukalap[.]com
bowithow[.]com
butcalve[.]com
evengparme[.]com
gridiogrid[.]com
hatcalter[.]com
kedtise[.]com
ledinund[.]com
nathetsof[.]com
renhertfo[.]com
rintindown[.]com
sparnove[.]com
witthethim[.]com
1q2w3[.]fun
1q2w3[.]me
cryptoloot[.]pro
bjorksta[.]men
crypto[.]csgocpu[.]com
noblock[.]pro
miner[.]cryptobara[.]com
digger[.]cryptobara[.]com
dev[.]cryptobara[.]com
reservedoffers[.]club
mine[.]torrent[.]pw
host[.]d-ns[.]ga
abc[.]pema[.]cl
mine[.]nahnoji[.]cz
webmine[.]cz
intactoffers[.]club
analytics[.]blue
smectapop12[.]pl
berserkpl[.]net[.]pl
hodlers[.]party
hodling[.]faith
chainblock[.]science
minescripts[.]info
cdn[.]minescripts[.]info
miner[.]nablabee[.]com
wss[.]nablabee[.]com
clickwith[.]bid
dronml[.]ml
niematego[.]tk
tulip18[.]com
p[.]estream[.]to
azvjudwr[.]info
jroqvbvw[.]info
jyhfuqoh[.]info
kdowqlpt[.]info
xbasfbno[.]info
1beb2a44[.]space
300ca0d0[.]space
310ca263[.]space
320ca3f6[.]space
330ca589[.]space
340ca71c[.]space
360caa42[.]space
370cabd5[.]space
3c0cb3b4[.]space
3d0cb547[.]space
*[.]hit[.]gemius[.]pl

 

Hosts File: 

cryptominer_hostsfile.txt

AdBlock Profile: 

 Crypto_adBlock.txt



Last edited: 17 February 2020 11:29 am