Browser Cryptominer

Finally found a live site mining crypto currency tonight. Really quick post on detection.

WARNING! As of this writing, this site drives CPU to >70% and mines cryptocurrency. As far as I can tell, that's all it does, but you know...

So first, the site in question: http://www.arrowheadology.com/

First thing I notice, since I have a Logitech G15, is my CPU go from it's typical load of ~20% CPU to ~75%. I always find it kind of nice to know how much RAM my 7 windows and 100+ tabs are using[1], but it's fun to know exactly when a site starts stealing all my CPU as well.

First, where is my CPU going?

So is this even a cryptominer? By the CPU I say yes, but where exactly is that CPU going? On Chrome, open developer tools (while on the site of course) with CTRL+Shift+i and look for the Performance tab. You should see a record and refresh button[2]. Click this, and give it a few seconds.

Once finished, you should clearly see a fairly solid ribbon of CPU usage on the timeline. Highlight a portion of this, look under Event Log, select one of the DedicatedWorker Threads, and expand the tree from there. The image in the footnotes makes this a lot more clear[3]. As you can see, we have CryptonightWASMWrapper.hash, pretty clear evidence.

But where is the script? What URL is associated?

For that we can move over to the Sources tab, still under developer tools. Under network, we can start expanding some of the resources until we find what looks like it[4]. Click the double braces "{}" in the preview window to make the script pretty, and there we have it!

Lastly, here's the script itself, and where that URL goes (via urlscan.io, so safe to visit).

Resources:


  1. https://i.imgur.com/qzuO6Cg.png ↩︎

  2. https://i.imgur.com/U13CAsS.png ↩︎

  3. https://i.imgur.com/Uhpp1j8.png ↩︎

  4. https://i.imgur.com/swy2tBI.png ↩︎