Web-based cryptominers are malware – Cryptominers running in a browser without an organization’s consent are parasitic and should be considered malware.

Legitimate cryptomining programs ask users for permission to run. Malicious versions don’t, opting instead to quietly leach a computer’s resources. SophosLabs is seeing more of the latter variety, with a new twist:

Instead of showing up as executable files, they take the form of scripts hidden on websites, mining for cryptocurrency in the browser. Visitors to these sites see no evidence of the mining. The only clues that something may be amiss are their computer slowing down and their fans revving up.

A clear example of this is Coinhive, a Monero miner that first appeared in mid-September. The number of sites hiding it has steadily increased in recent weeks, as cryptocurrency values have taken a wild trajectory skyward.

Given their parasitic nature, Sophos has decided to start tagging Coinhive and other JavaScript-based cryptominers as malware to be blocked when users stumble upon a site harboring them.

Sophos CTO Joe Levy explains, “Our position is that when this software is run in any user’s browser without an organisation’s consent, it is parasitic, and should be considered malware because we don’t have something called parasiteware today. In instances where an organisation really wants to donate its CPU/GPU cycles, and where the mining operation has gone to sufficient lengths to enable vendors like us to easily differentiate between consensual and non-consensual versions, then we can have a discussion about different classifications

Cryptomining takes a sinister turn

Cryptomining is a process used to discover Bitcoin, Monero, and such other cryptocurrencies as Ethereum and Litecoin. It requires massive amounts of computer processing power, which slows down performance and leaves wear and tear.

This wasn’t always a problem because the activity was largely limited to those who chose to do it. That began to change as cryptocurrency prices skyrocketed. A single Bitcoin was worth $1000 at the start of 2017 and was valued at around $17,000 by year’s end. Cyber thieves have taken notice and started using cryptominers to make money.

JavaScript miners like those from Coinhive are added to websites and run in the browser, using visitors’ CPUs to generate cryptocurrency. Users may notice poor performance, a spike in CPU usage and batteries draining faster than usual. Coinhive also works on mobile devices and over short periods the user may notice the device’s temperature increasing dramatically.

Coinhive rises with cryptocurrency values

As the value of such cryptocurrencies as Bitcoin (BTC) and Monero (XMR) skyrocketed in the last couple of weeks, SophosLabs has noticed a steady rise in sites using Coinhive scripts. Coinhive markets itself as an alternative source of revenue to advertisements. Infamous torrent site The Pirate Bay is among those to have used its code and neglected to tell visitors it was using their browsers to mine cryptocurrency. The site embedded Coinhive JavaScript code on search pages to mine for Monero. It’s this sort of activity that is leading Sophos to take a tougher stance.

From PUAs to malware

Sophos previously detected cryptominers as PUAs (Potentially Unwanted Applications), which meant no automatic cleanup. Admins were instead presented with alerts for PUA detections and could manually choose from three possible options: Cleanup, Authorize or Acknowledge. For Coinhive and equivalent web-based JavaScript miners, the situation is now different. Customers using Web Control will now see something like this off the bat:

What to do

Sophos customers can block cryptominers by using the Web Control features included in our Endpoint and Network Protection products.  Once enabled, blocking websites categorized as “Hacking” will stop users from visiting the offending sites. Customers can read our Knowledge Base article to find out more about how to block JavaScript cryptominers.