Rishikesh Bhide & Tejas Girme, Qualys

In recent months, Cryptojacking attacks have gone mainstream mainly due to its ability to monetize in comparatively easy, effortless and scalable manner, which wasn’t the case with ransomwares. During initial days, attackers were exploiting vulnerabilities in popular websites to host JavaScript based miners. As security products started identifying cryptominers as a major threat, browser-based miners started evolving their techniques to be more evasive. We have been tracking active cryptojacking threats across the globe in past several months and have analyzed how cryptominers have evolved over the course of time.

This paper presents a thorough analysis of evolution of cryptominer, their infection mechanisms and evasion techniques used to perform cryptomining attacks. We will also talk about ongoing advancements in detection techniques for effective blocking of browser-based mining threats. Following are the key points we will touch upon:

• Infection vectors
• Exploiting vulnerable websites
• Third party services
• Mining via browser extension
• Evasion techniques
• Hosting behind proxy
• Leveraging content delivery services like pastebin & github
• Obfuscation & dynamic injection

We will also be presenting some case studies which will focus on active cryptojacking campaigns. We have evaluated the impact & spread of these active campaigns based on supporting data which we have gathered and analyzed in past several months. We will present the data & analysis to the audience.