Heimdal Security has been monitoring the Coinhive malware for the past months. The recent information about Coinhive website injections is just the tip of the iceberg. Users are extremely exposed to the threat of hitting their computers directly.

Thousands of government websites, including the NHS, have been victims to script injections. The users visiting them have had their CPU hijacked to mine Monero currency for cybercriminals.

The recent media mentions surrounding injected Coinhive scripts are widespread but widely understate the magnitude of the problem.
Injecting Coinhive Javascript into websites is an easy feat for malicious actors, who also target plugins widely used and rarely inspected. Since it is a script injection, it will almost always go unnoticed by the host site and the client receiving it.

However, everyone seems to be forgetting how easy it is to replicate these Javascript injections for other malicious purposes, such as malware delivery to end users. This kind of attack can often bypass antivirus detection because it is created to do exactly that,”

says Morten Kjaersgaard, CEO of Heimdal Security.

Coinhive is a cryptocurrency mining tool for the Monero Blockchain that uses Javascript. When visitors access a site that hosts the Coinhive script, their CPU is used to mine cryptocurrency for third-parties. Worse off, the browser itself can be hijacked.

The intention behind Coinhive was originally positive, aiming to give content creators another stream of revenue.

The core problem here is that the Javascript used by Coinhive can easily be integrated into a website, but it can only run while the session is open. Coupled with the anonymous, encrypted nature of Monero transactions, the transition to malware was inevitable.

If integrated and hidden into malware, it will run every time an endpoint starts and it will go undetected by antivirus because Javascript is not detectable like normal files.

Our threat intelligence shows that these types of integrations have already happened. The Coinhive problem is magnitudes larger than currently reported, especially because the script can be embedded into Internet Explorer.

Users who are exposed via websites have only a limited mining window while the session is active. However, if run locally on the endpoint, the browser poses no such restrictions.

Our intelligence shows that about 2% of corporate and consumer PCs are trying to connect to the Coinhive servers – that’s a high number and there needs to be more awareness drawn to these issues,

added Morten Kjaersgaard.

Cryptocurrency Security: How to Safely Invest in Digital Currency

JavaScript Malware – a Growing Trend Explained for Everyday Users

Malicious Script Injections Use Nemucod To Spread Cerber Ransomware

Security Alert: TeslaCrypt Infections Rise, Hit European Companies


I am really shocked that this really happened.I am more suquer after read this informatic post,So thank you for this beautiful post.

It is obvious users will get threaten by these kind of new viruses but soon there are lot of security which can filter them.

Leave a Reply

Your email address will not be published. Required fields are marked *