Stats in figure 1 shows the daily server hit of CoinHive malware from the first 10 days of Feb 2018.
Analysis by Quick Heal Security Labs
The malware drops a copy of itself with hidden attributes onto the following location (fig 2), which is executed.
Registry entries shown in Fig 3 are added to enable its automatic execution at every system start-up.
In an attempt to block access to antivirus vendor’s web and update servers, it modifies the Windows HOSTS file. As a result, the websites of several antivirus vendors may become inaccessible and some antivirus programs may stop receiving updates. Fig 4 represents the content added in the HOSTS file.
More registry entries are modified to disable registry tools, disable folder options, disable user account control, and also delete the following registry entries in order to disable Safe Mode (Fig 5).
Fig 6 shows the content of CoinHive script appended in the HTML files. As per the official information, “yuNWeGn9GWL72dONBX9WNEj1aVHxg49E” is the user site key.
CoinHive.min.js which came as a response is shown in fig 8.
When the script is running, complete CPU usage is taken for mining as shown in fig 9. When the infected HTML page is closed, the mining stops. In this particular family of malware, mining starts when the malicious HTML file is executed by the user and stopped when the file is closed.
Malware authors are using mining services in one way or the other for financial benefits. We advise our users to avoid browsing suspicious websites and keep their antivirus up-to-date to prevent their systems from being infected by these malware.
Quick Heal blocks CoinHive script to protect their customers from unauthorized mining and extensive CPU usage. Quick Heal also deletes and repair infected files successfully.
Quick Heal Detections
- Malicious files are detected as “W32.CoinMiner.A4”
- Malicious HTML files are detected as “HTML.Miner.A”
Indicators of compromise
Subject Matter Expert
Preksha Saxena, Rumana Siddiqui | Quick Heal Security Labs