How it works
The file in question is a .net executable file (0x231a3fbbc025c659be407c316aba4392f8a13915f08580398bca21082723dbf8), and .net executable files can contain various element to define different resources used by the executable. One of the resources defined within the resource section of this executable defines a user interface window (aka a form) named Form1. When we looked closer at the code that defines this form, we saw that it contained a script tag that references the Coinhive in-browser mining script, which is a clue to what this executable might do.
“This WebBrowser class enables the malware to navigate web pages inside the form and, as long as the form remains hidden, there will not be any visible cues that a browser is running.”
This DocumentText property of the WebBrowser class manipulates the contents of an HTML page displayed in the WebBrowser control using string processing tools. This means that the Navigating, Navigated, and DocumentCompletedevents occur when this property is set, and the value of the URL property is no longer meaningful so will be ignored. Instead, the DocumentText property is loaded by the browser object which causes the coin-mining script to run. This gives the effect of running web browser based functionality but without a browser to be seen.
To make sure that the mining restarts after each reboot, the originally executed PE file is also added to the Startup folder with the name windata0.exe.
Tell-tale signs of browser mining
The usual tell-tale sign of browser-based coin mining is a sudden, unexpected and sustained ramp up in CPU activity. This usually manifests itself as sluggishness in the computer’s performance. When these symptoms are encountered while browsing the internet, a user might suspect that browser mining is taking place. But with an executable based browser miner, like the one discussed in this blog, the user won’t see any browser windows open so may not suspect the slowdown to be a symptom of coin mining and may, for example, blame installed software for the problem.
However, using some simple tools allows us to see what’s responsible for maxing out the CPU. Using Windows Task Manager we can confirm the CPU load on the computer and, with some additional system analysis tools, we can see a number of network connections being made to coinhive.com, which confirms the presence of a miner using Coinhive scripts.
We can also capture WebSocket traffic using network analysis tools and see the traffic sent between the miner and the server, which may include calculated hashes sent to the mining pool while the mining code is running.
Detection of browser-based mining activity remains high
As already mentioned, browser-based miners became quite prevalent in the last few months of 2017. We can see the percentage change when looking at our network protection telemetry.
Even with the recent large drops in cryptocurrency values since late January, incidents of browser-based cryptocurrency mining remains high.
As we have seen in this blog, the criminals behind illegitimate mining continue to find new ways to highjack their victims’ processing power in order to enrich themselves. Symantec will continue to monitor their activities and respond in kind.
Intrusion Prevention System (IPS)
Signatures related to browser-based miners: