In-Browser Cryptojacking Is Getting Harder to Detect

Cyber-criminals aren’t stupid. If you find a way to block their code, they’re going to find a way around your block.

That’s how it’s been for decades in the antivirus business, and this is exactly what’s happening right now on the in-browser cryptocurrency mining (cryptojacking) scene.

After becoming the hottest malware trend at the end of last year, several solutions have now appeared that are capable of detecting and blocking cryptojacking scripts. Antivirus software, ad blockers, and dedicated browser extensions can now stop browsers from loading JavaScript code from domains associated with cryptojacking services.

This, in turn, has led to diminishing returns for the people deploying these scripts, most of which are illegally added to hacked sites.

Proxy servers help crooks evade detection

The first evasion techniques were seen in November last year, but they are now becoming more popular among cryptojacking groups.

The most popular and widespread of these techniques is to deploy a “cryptojacking proxy server,” such as the CoinHive Stratum Mining Proxy, available on GitHub.

These proxy servers come with two advantages for cryptojacking actors. The first is that they allow crooks to host cryptojacking scripts on their own domains and avoid loading them from the domain of the cryptojacking service (Coinhive, CryptoLoot, DeepMiner, etc.), which is detected by all anti-cryptojacking solutions.

[Figure: Basic cryptojacking evasion. Source: Malwarebytes]

Second, the proxy also allows crooks to use custom mining pools, which in turn allows them to detach the mining process from the cryptojacking service itself, and keep all the mined Monero without having to pay any fee to Coinhive or any of the other services.

Such proxies are now becoming a common practice, as seen by both Sucuri and Malwarebytes, two security firms that have been tracking such attacks in recent months.

In the long run, as these proxy systems become more popular, many solutions that rely on domain blacklists (such as ad blockers and dedicated browser extensions) will become outdated and ineffective at blocking in-browser mining. At that point, users will only be able to tell that a cryptojacking script is running in their browser from an unusually high CPU usage reading.