Cryptominers Leverage Malicious Extensions and Fake Zoom Installers to Raise Revenue for Operators

For the last few years, ransomware and other ransom-based cyberattacks have been a major source of revenue for criminals. In 2018, however, a new pervasive attack vector rose to prominence: cryptomining, or cryptojacking, in which attackers run cryptocurrency miners on victims' hardware and keep the proceeds.

Internet-facing services, websites, and repositories are highly sought-after targets for threat actors seeking to deploy cryptominers. In 2019, a number of cryptocurrency mining operations came to light that leveraged exposed Docker containers, internet-facing Kubernetes consoles, and vulnerable Oracle WebLogic servers.

While the exploitation of known vulnerabilities remains a common attack vector, delivering cryptomining and cryptocurrency-theft payloads through malicious browser extensions has gained traction among attackers.

Pushing cryptominers through extensions

  • Shitcoin Wallet, a Chrome extension, injected malicious JavaScript code into 77 websites to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. Affected major crypto platforms included Binance and MyCryptoWallet.
  • Google removed a total of 49 extensions from the Chrome Web Store after they were found stealing crypto wallet keys. These extensions posed as genuine crypto wallet apps to trick users.

Other obfuscation techniques

Cryptomining crews have adopted several other obfuscation techniques to deliver cryptominers to victims' machines without being detected.

  • A cryptojacking campaign hid a Monero cryptominer inside WAV audio files, so the payload passed as harmless media until it was extracted and run on victims' networks.
  • A malvertising campaign run with the Domen toolkit used a fake VPN service as a lure to trick users into downloading a variety of malware, including the IntelRapid cryptominer.
  • Amid the COVID-19 pandemic, threat actors used the popularity of Zoom to distribute a coinminer. The malware came bundled with a Zoom installer offered on a third-party download site rather than Zoom's official site.

How are web browsers tackling the threat?

  • Google Chrome is working on a 'Safety Check' feature that flags and removes malicious extensions, including those used for cryptomining. Over the years, Google has taken several measures to crack down on malicious software masquerading as legitimate extensions.
  • Mozilla's Firefox 67 added an option to block cryptomining scripts as part of its content blocking settings.

For users

  • Review the permissions each browser extension holds by going to chrome://extensions/, clicking "Details" for each extension, and reading its "Permissions" and "Site access" entries. Be suspicious of any extension that asks to read and change data on all sites.
  • Never download software from unknown or unofficial sources; fetch installers such as Zoom's from the vendor's own site.
  • Limit extensions to run only on specific domains: in Chrome, set each extension's "Site access" to "On specific sites" or "On click" rather than "On all sites".
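The manual check above does not scale past a handful of extensions. As an added example (not code from the original article or from Google), the following Python script reads the manifest.json of every extension installed in a Chrome profile and flags the permission shapes that the wallet-stealing and cryptojacking extensions described above relied on: site access to every site, permissions that let the extension read or alter traffic, and content scripts aimed at cryptocurrency sites. The directory layout (<profile>/Extensions/<id>/<version>/manifest.json), the lists of sensitive permissions and watched hosts, and the two sample manifests are this example's own assumptions, not data from the article.

```python
"""Audit installed Chrome extensions for the permission shapes abused by
wallet-stealing and cryptojacking extensions.

Added example, not code from the original article or from Google. Reads each
extension's manifest.json from a Chrome profile's Extensions directory (assumed
layout: <profile>/Extensions/<id>/<version>/manifest.json). The permission and
host lists are assumptions; the sample manifests at the bottom are constructed.
"""
import json
import sys
from pathlib import Path

# Permissions that let an extension read or rewrite pages, traffic or cookies.
# Assumption for this example; tune to your environment.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "tabs", "scripting", "clipboardRead", "nativeMessaging", "debugger", "proxy",
}

# Match patterns that grant access to every site.
BROAD_MATCH_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Hosts worth a closer look when an extension asks to run on them (assumed list).
WATCHED_HOSTS = ("binance.com", "coinbase.com", "kraken.com", "myetherwallet.com")


def match_patterns(manifest):
    """Collect every URL match pattern the extension can run on or reach.

    MV2 lists host patterns under "permissions"; MV3 moves them to
    "host_permissions". Content scripts carry their own "matches".
    """
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return a list of (severity, message) findings for one manifest."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    patterns = match_patterns(manifest)

    broad = patterns & BROAD_MATCH_PATTERNS
    if broad:
        findings.append(("high", f"{name}: can run on every site via {sorted(broad)}"))

    sensitive = perms & SENSITIVE_PERMISSIONS
    if sensitive:
        findings.append(("medium", f"{name}: traffic/page-level permissions {sorted(sensitive)}"))

    watched = sorted(p for p in patterns if any(host in p for host in WATCHED_HOSTS))
    if watched:
        findings.append(("medium", f"{name}: targets cryptocurrency sites {watched}"))

    # The shape behind wallet-stealing extensions: code injected into the page
    # plus a way to read or alter what the user sends.
    if manifest.get("content_scripts") and (broad or watched) and sensitive:
        findings.append(("high", f"{name}: injects scripts and can read or alter traffic"))
    return findings


def scan_extensions_dir(root):
    """Audit every manifest under <root>/<id>/<version>/manifest.json."""
    results = {}
    for path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't crash
        results[path.parent.parent.name] = audit_manifest(manifest)
    return results


# Constructed samples (not real extensions). The first has the shape of a
# wallet-stealing extension; the second is a benign, tightly scoped one.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 2,
    "name": "Sample Wallet Helper",
    "permissions": ["tabs", "webRequest", "<all_urls>", "storage"],
    "content_scripts": [{
        "matches": ["*://*.binance.com/*", "*://www.myetherwallet.com/*"],
        "js": ["inject.js"],
    }],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Notes",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. ~/.config/google-chrome/Default/Extensions
        for ext_id, findings in scan_extensions_dir(sys.argv[1]).items():
            for severity, message in findings:
                print(f"[{severity}] {ext_id}: {message}")
    else:
        for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
            for severity, message in audit_manifest(manifest):
                print(f"[{severity}] {message}")
```

Run it with the profile's Extensions directory as the only argument (on Linux typically ~/.config/google-chrome/Default/Extensions; on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions). Extensions installed from the Web Store usually carry a localized placeholder such as "__MSG_appName__" as their name, so match the folder ID printed in each finding against the IDs shown under "Details" on chrome://extensions/. A "high" finding is not proof of malice; it marks an extension whose permissions make the attacks described above possible and which therefore deserves a look at what it actually does with them.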