Coinhive Injections in WordPress Sites

Delaware, USA – October 31, 2017 – Coinhive remains the most popular platform for mining Monero cryptocurrency in user’s browsers. Despite the creation of a cryptocurrency miner modification, which allows users to control mining process in their browser and even disable it, the original version of the Coinhive JavaScript miner is actively used by attackers for injection into the hacked WordPress sites. Researchers from Sucuri shared a study in which they described in detail the actions and capabilities of injected malicious code, not only in the WordPress but also in Magento, Joomla and Drupal. They also have found more than 500 compromised WordPress websites containing almost the same script that redirects users to the malicious website with the disguised Coinhive cryptocurrency miner installation pack.

It’s also worth mentioning that the Coinhive cryptocurrency miner is actively deployed into Android apps, Trend Micro recently discovered several malicious applications in the Google Play Store. Today, there are more and more threats that secretly use users’ CPU for cryptocurrency mining, creating the significant performance issues. Some adblockers are able to protect from such threat; Google promises to add tools into Chrome that will block JavaScript cryptocurrency miners. In the meantime, you can use SIEM use case Web Mining Detector for ArcSight to discover on your network devices that communicate with the cryptocurrency mining platforms and avoid performance issues.