Cryptomining Software Propagates Through Facebook Messenger
The cryptocurrency Monero (XMR) allows a computer to join a mining pool and work on part of the mining problem, so distributing the computing resource. In this way, a mining pool increases its chances of winning the reward for finding the hash signature required to confirm recent transactions. This provides a new revenue source for companies, since a script can run within a Web page and use the CPU of the visitor's machine to run the mining process.
Monero builds a degree of privacy into its transactions (which Bitcoin lacks), and there is currently no specialised hardware for mining it, so anyone with computing power to spare can mine it.
With Bitcoin, only the entity that wins the competition is rewarded, and the fastest miners, or the companies with the most miners, will usually have the best chance of winning. In Monero, a pool of computers can be created which share the reward if the pool wins. This allows each computer to work on a small part of the mining task, contributing to the solution of the larger task. The larger the pool, the greater the chance of winning the reward.
Facebook Messenger Mining
Researchers at Trend Micro have now detected the mining software being propagated through Facebook Messenger, and report that the script can even take over the user's Facebook account. So far the malware has been spotted in South Korea, Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand and Venezuela, and Facebook is now on alert to detect its propagation.
The bot, named "Digmine", is disguised as a video file. It is spread via Facebook Messenger using Google Chrome and, once executed, downloads its required components from a Command & Control (C&C) server. It then adds an autostart entry and installs itself into Google Chrome in order to start mining for Monero. As with many other types of malware, it then seeks out others to infect:
Figure: Ref Trend Micro
An example of the propagation is shown below, where the file is sent with the "You're friends on Facebook" message:
Figure: Ref Trend Micro
Once the components have been downloaded, the "updater.exe" program installs an extension into Google Chrome, which then runs "miner.exe" (an open-source Monero miner known as XMRig):
Figure: Ref Trend Micro
Transneft and Starbucks
The rise in the value of cryptocurrencies has created a lucrative market for mining. Just this week the Russian pipeline operator Transneft found that its systems had been mining Monero. Recently, too, a Starbucks in Buenos Aires was found to impose a 10-second delay in connecting to the Internet, so that cryptocurrency could be mined. Noah Dinkin identified the mining and outlined the source code used:
Starbucks has since identified it as an isolated incident related to the ISP (Internet Service Provider).
The Pirate Bay
Recently The Pirate Bay was found to be running advertisements which mine for cryptocurrencies in order to generate revenue. The code used, Coinhive, is a JavaScript miner for the Monero blockchain and is offered to companies as a way of generating revenue from providing free content (such as gaming). An issue with the current Pirate Bay implementation is that there is no opt-in on the service, as the code runs within the supplied advertisements.
Coinhive uses Node.js in order to run code efficiently within the browser. Node.js is increasingly used within distributed computing environments, and allows JavaScript code to be run directly on the computer. It also integrates with a wide range of associated libraries. The Coinhive code itself uses the coin-hive library, and can mine Monero for a specific pool (in this case xmr-eu1.nanopool.org):
// Load the coin-hive package and start a miner for the given address, pointed at
// the nanopool EU endpoint; the placeholder stands for the payout address.
const CoinHive = require('coin-hive');

(async () => {
  const miner = await CoinHive('<YOUR-MONERO-ADDRESS>', {
    pool: {
      host: 'xmr-eu1.nanopool.org',
      port: 14444
    }
  });
  await miner.start();

  // Event hooks: a share found, a share accepted by the pool, and periodic hash-rate stats.
  miner.on('found', () => console.log('Found!'));
  miner.on('accepted', () => console.log('Accepted!'));
  miner.on('update', data => console.log(`
    Hashes per second: ${data.hashesPerSecond}
    Total hashes: ${data.totalHashes}
    Accepted hashes: ${data.acceptedHashes}
  `));
})();
Coinhive allows the code to be used on free services, but strongly advises that users are informed about the mining service:
The miner itself does not come with a UI — it's your responsibility to tell your users what's going on and to provide stats on mined hashes.
While it's possible to run the miner without informing your users, we strongly advise against it. You know this. Long term goodwill of your users is much more important than any short term profits.
In response, The Pirate Bay has highlighted that it is only testing the miner:
As you may have noticed we are testing a Monero javascript miner.
This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running.
Let us know what you think in the comments. Do you want ads or do you want to give away a few of your CPU cycles every time you visit the site?
Of course the mining can be blocked by a normal ad-blocker.
Note:
Initially there was a small typo so all CPU for a client was used. This should be corrected now so only 20-30% should be used.
Also it is restricted to run in one tab only so even if you have 10 tabs open it will only be running in 1.
An interesting admission is that they initially had a "bug" in their code which drove the CPU to 100%, but have now set this at 20-30%.
The harvesting of CPU cycles is an interesting business model for providing free services, but one must wonder whether users will understand its application. Normally, ramping up CPU cycles on a laptop or a mobile device will be noticed through a large battery drain or the fan coming on (which drains more battery). For this type of advertising, it does seem that users should be informed when they are exposed to CPU harvesting.
File sharing sites have been searching for new business models to support their operations, and CPU harvesting seems to be a possible contender. It is estimated that The Pirate Bay earned around $43,000 over a three-week period using adverts that used the harvesting infrastructure.
The feedback from users, though, has not been good so far, with complaints of the CPU rising to 80-85% load:
The Pirate Bay, after significant problems with being blocked by ISPs, has made a general recovery in attracting users, and is now in the Top 100 sites in the world (and on a general upward trend):
Conclusions
With cryptocurrencies providing lucrative revenue, your CPU will increasingly be seen as a target for mining software, so watch that CPU loading!