2.09.2018

Cryptomining with javascript: oh noes!

Most of anyone who may happen to find this page should know by now that many antivirus companies, ad/script blocking companies, and blacklist companies have been blocking cryptomining tools like Coinhive's JavaScript API tool. The reason for doing this is basically that, despite it being obvious in the code that people /did/ want users of their site to help them mine while on the site, it's also unknown to the user until their CPU usage goes waaay up. Like being on Facebook: people are complaining more and more that their CPU usage is running crazy after visiting sites (maybe if they got off Facebook they'd realize how much less of a waste it is than being on Facebook, but who knows).

So let's play some games here:
https://coinhive.com/

Gonna generate a username for a gmail account, then use that gmail account for this experiment. This also lets me provide y'all with a gmail account, because you lazy security people won't do it yourselves. For this, I'll hit up randomuser.me's API page:

Welcome to Scapy (2.3.3)
>>> import requests 
>>> requests.get("https://randomuser.me/api", verify=False).json()['results'][0]['login']['username']
/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
u'crazyfish907'

 crazyfish907@gmail.com - SuperTux - (both gmail account and coinhive account)
site Key (public): VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl
 
Now that this junk is out of the way, let's go through this and see what we can do to get ourselves flagged or blacklisted or whatever else we can do. https://coinhive.com/documentation/miner -> the synopsis part should be basic enough to get us running. But I'm going to load the JS miner from my own copy of it, because why not. ;)

<html>
<head>
  <title> Experiment Miner Party </title>
</head>
<body>
  <script src="coinhive.min.js"></script>
  <script>
    var miner = new CoinHive.Anonymous('VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl', {throttle: 0.9});
    miner.start();
  </script>
</body>
</html>
See, this should be easy enough. http://0daz.io/miner.html, which, wow, Trustwave already has set to malicious (https://www.virustotal.com/#/url/f3d7e1faefed7ee1d6e58450b645d26f131debfb85a50563d28cd24c3f8aa0da/detection).
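For the blocklist folks: this is what a content filter actually keys on in a page like the one above. Added example, not code from the post or from Coinhive; the sample HTML is constructed from the miner.html shown above, and the regexes assume the documented embed shape (script include plus a CoinHive.Anonymous or CoinHive.User constructor with an optional options object).

```python
import re

# Constructed sample: the post's miner.html, verbatim.
SAMPLE_HTML = """<html>
<title> Experiment Miner Party </title>
<body>
<script src="coinhive.min.js"></script>
<script>
        var miner = new CoinHive.Anonymous('VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl', {throttle: 0.9});
        miner.start();
</script>
</body>
</html>"""

# Indicators that appear on the page: the script include and the constructor call.
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']*(?:coinhive|authedmine)[^"\']*)["\']', re.I)
CTOR_RE = re.compile(
    r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{16,64})['\"]"  # site key
    r"(?:\s*,\s*['\"][^'\"]*['\"])?"   # optional username (CoinHive.User only)
    r"(?:\s*,\s*\{([^}]*)\})?",        # optional options object
    re.I)
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9.]+)")
BLOB_RE = re.compile(r"CRYPTONIGHT_WORKER_BLOB|cryptonight", re.I)

def scan_html(html):
    """Return a dict describing any Coinhive miner embed found in html."""
    result = {"script_src": None, "miner_type": None, "site_key": None,
              "throttle": None, "mentions_cryptonight": bool(BLOB_RE.search(html))}
    src = SCRIPT_SRC_RE.search(html)
    if src:
        result["script_src"] = src.group(1)
    ctor = CTOR_RE.search(html)
    if ctor:
        result["miner_type"] = ctor.group(1)
        result["site_key"] = ctor.group(2)
        opts = ctor.group(3) or ""
        t = THROTTLE_RE.search(opts)
        # throttle = fraction of time the worker idles; Coinhive's default of 0 is full speed.
        result["throttle"] = float(t.group(1)) if t else 0.0
    result["is_miner"] = ctor is not None or src is not None
    return result

if __name__ == "__main__":
    for k, v in scan_html(SAMPLE_HTML).items():
        print("%-20s %s" % (k, v))
```

Run it over a crawl of your own pages and the site key it pulls out is the one to check against a dashboard you actually own; a key you don't recognize on a page you host is the real cryptojacking case.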

So, I realized I don't have a Monero account; let's fix that. My private key from MyMonero (well, private enough for me to share publicly ;) ): gutter boss being budget army umbrella ethics eternal jittery offend afield stellar gutter -> address: 49pJYQxPDkE7fzM1rqeg6sUn5RizMuj1TULqpCPLwMmdTzxg3n3pLjEV95KfnMxSAKGDjRL9qBYsn6cFyxjBzw2XAgVV2v3


Now then, we're all set. Guess this makes me a criminal, right? Setting up mining software on a public website?

/sigh/



BUT WAIT! THERE'S MORE!

Let's also go ahead and see just what that JavaScript file I stole from them does. To start with, I'll run the entire script through the online JavaScript beautifier (http://jsbeautifier.org/) and hopefully we get nicer output.

http://0daz.io/coinhive.min.js

It looks a little nicer, but still pretty much like shit. But anyway, let's see here.

- function for the window
-- variable miner, which takes the associated parameters and the site key
--- the site key is used for CoinHive.Auth
---- CoinHive.Auth seems to spawn from the asmjs worker function, so let's dig into that. (https://coinhive.com/lib/worker-asmjs.min.js)
----- Because I wanted my output beautified, I'm again going to clone the code for educational purposes and post a copy after it's been run through jsbeautifier. http://0daz.io/worker-asmjs.min.js
------ In this code we can see the Auth_URL, miner_url, and captcha_url. I really only care at the moment about the miner and auth data. Really this is pretty much just the entire cryptonight worker blob part shown on the first page. Looks nicer now though. ;)
----- miner_url: view-source:https://coinhive.com/media/miner.html -- this pretty much shows us examples of how this could/should be made.
----- Auth_URL: view-source:https://authedmine.com/authenticate.html The following part is pretty much all I care about on this page:


if (queryParam('theme') === 'dark') {
    document.body.className = 'dark';
}
document.getElementById('content').style.display = 'block';

// Adjust IFrame height
var p = window.parent;
p.postMessage({type: 'coinhive-auth-height', params: {
    height: document.body.clientHeight + 32
}}, "*");

// Handle buttons
document.getElementById('cancel').addEventListener('click', function(){
    p.postMessage({type: 'coinhive-auth-canceled'}, "*");
});

document.getElementById('accept').addEventListener('click', function(){
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (xhr.readyState === xhr.DONE){
            p.postMessage({type: 'coinhive-auth-success', params: {
                token: JSON.parse(xhr.responseText).token
            }}, "*");
        }
    };
    xhr.open('POST', '/auth/');
    xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    xhr.send('auth&key='+encodeURIComponent(siteKey));
});

 Which seems to be:
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl"}).text
u'{"token":"1518280609.777d618e78957ca66a55517f7bd0e3c0"}'
------ What do you suppose this token here is?
------- some little games to play, for study purposes:
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl"}).text
u'{"token":"1518280609.777d618e78957ca66a55517f7bd0e3c0"}'
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp2"}).text
u'{"token":"1518280843.dd6de251c1edd0df3de9e445500c65b4"}'
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp3"}).text
u'{"token":"1518280848.87d106d9b0ffb41887eaa4ff4b44e034"}'
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4"}).text
u'{"token":"1518280853.586ce5cb2a256fd3bb728d7053935f03"}'
>>> len(requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4"}).json()['token'])
43
>>> len(requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4"}).json()['token'].split(".")[1])
32
Did you see it? Did ya? Predictability patterns, maybe? Generate whatever you want? Anyway, that's not my point here.
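Spelling out what those five responses actually show: the token is a Unix timestamp, a dot, and 32 hex characters, the same key got the same token back twice, and the issue time is in the clear, which is handy when you are reading one out of a proxy log. Added example, not from the post or from Coinhive; the observed pairs are copied from the session above, and the format is inferred from them rather than taken from any documentation.

```python
import re
from datetime import datetime, timezone

# Inferred from the session: "<unix seconds>.<32 hex>", 43 characters total.
TOKEN_RE = re.compile(r"^(\d{10})\.([0-9a-f]{32})$")

# (site key, token) pairs exactly as returned in the post's session.
OBSERVED = [
    ("VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl", "1518280609.777d618e78957ca66a55517f7bd0e3c0"),
    ("VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl", "1518280609.777d618e78957ca66a55517f7bd0e3c0"),
    ("VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp2", "1518280843.dd6de251c1edd0df3de9e445500c65b4"),
    ("VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp3", "1518280848.87d106d9b0ffb41887eaa4ff4b44e034"),
    ("VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4", "1518280853.586ce5cb2a256fd3bb728d7053935f03"),
]

def parse_token(token):
    """Split a token into its issue time and 32-hex tail; None if it doesn't fit the format."""
    m = TOKEN_RE.match(token)
    if not m:
        return None
    epoch = int(m.group(1))
    return {"issued_epoch": epoch,
            "issued_utc": datetime.fromtimestamp(epoch, tz=timezone.utc),
            "tail": m.group(2)}

def summarize(observed):
    """Reduce a list of (key, token) observations to what they support."""
    per_key = {}
    for key, tok in observed:
        per_key.setdefault(key, set()).add(tok)
    parsed = [parse_token(t) for _, t in observed]
    if any(p is None for p in parsed):
        return {"all_well_formed": False}
    stamps = [p["issued_epoch"] for p in parsed]
    return {
        "all_well_formed": True,
        "same_key_same_token": all(len(s) == 1 for s in per_key.values()),  # cached per key?
        "distinct_keys": len(per_key),
        "earliest_utc": min(p["issued_utc"] for p in parsed).isoformat(),
        "span_seconds": max(stamps) - min(stamps),
    }

if __name__ == "__main__":
    for k, v in summarize(OBSERVED).items():
        print("%-20s %s" % (k, v))
```

Five samples is too few to say anything about how the hex tail is derived, so the code only asserts the shape; the timestamp, though, is a free correlation key for anyone matching auth calls to miner traffic.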

My point:
  • There isn't really anything malicious in the code, and just because something uses "CoinHive.CRYPTONIGHT_WORKER_BLOB" or anything related to cryptonight doesn't make it malicious.
  • Yes, you can make this entire chain run without needing secondary validation; that's why people are weaponizing it.
    • To weaponize, which we didn't really discuss, simply set up the page as a single blob and run the blob with cscript (you know how to get there already if you are wanting to do this sort of thing; I shouldn't have to explain that one).
    • If you find other ways to escape, drop it in the registry and load your key from a dynamic page online; use a bitly link if you want statistics on your campaign's success once on the systems ;)
    • Pretty much, weaponizing this into malware requires the already well-known JavaScript tools and IOCs leveraged with any drive-by download if they want it to escape being part of a single web page.
      • If you want to weaponize it in the sense of cryptomining procedures leveraged for other purposes, like the entirely well-written chain of events to dump onto the runtime stack? Maybe leverage this to play some games with some people? Leverage this as a drive-by download technique involving escape patterns due to replacing stackalloc with something else? idk, that's up to you and your art to determine.
  • I was asked what the real risk is with this, and it's largely thus:
    • Enterprises should be using best practices, like script blocking, ad blocking, etc., beforehand. They should also be using exploit monitoring tools (Malwarebytes Anti-Exploit, anyone?) and antivirus (some have exploit monitoring built in), which should be able to detect and block this type of activity.
    • Facebook games will be the biggest threat. People allow whatever the hell the page tells them to in order to play Facebook games. You could drop a RAT, mine for days, really whatever you wanted, and no one would know the difference.
    • Let people get paid for their sites so we can once and for all STOP using ads.
    • If someone weaponizes it, you should already be used to monitoring for signs of infection, not signs of day-to-day activity.
With all that said, have a good day. When you see the next news or blog article about how terrible the "problem" of "cryptojacking" or "unauthorized mining" is, remember: it's either this or we continue supporting ad networks. One of these two options is intrusive, aids in infecting computers, and wastes resources even when you're not on the page. The other is mining tools.

K thnx. 

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour
