Coinhive Crypto-Miner Now Affecting a Quarter of the World's Organizations

Written by

Crypto-mining malware has continued to grow globally, with 23% of organizations worldwide affected by the Coinhive variant during January.

That’s according to Check Point’s Global Threat Impact Index, which shows three different variants of crypto-mining code in its top 10 most-prevalent rankings. In addition to Coinhive impacting more than one in five organizations, JSEcoin (a JavaScript miner that can be embedded in websites) was in fifth place and Cryptoloot (which targets PCs) was in ninth.

Coinhive, January's No. 1 most-prevalent malware, performs online mining of Monero cryptocurrency when a user visits a web page. Implanted JavaScript uses the computational resources of the end user’s machines to mine coins, impacting system performance. While it’s offered as a legitimate service for webmasters looking for a monetization alternative to advertising, criminals often embed it into websites without the site knowing, and unscrupulous websites use it without letting site visitors know.

“Over the past three months crypto-mining malware has steadily become an increasing threat to organizations, as criminals have found it to be a lucrative revenue stream,” said Maya Horowitz, threat intelligence group manager at Check Point. “It is particularly challenging to protect against, as it is often hidden in websites, enabling hackers to use unsuspecting victims to tap into the huge CPU resource that many enterprises have available. As such, it is critical that organizations have the solutions in place that protect against these stealthy cyber-attacks.”

In addition to crypto-miners, Check Point researchers also discovered that 21% of organizations have still failed to deal with machines infected with the malware. Fireball, which came in at No. 2 in the rankings, manipulates victims’ browsers and turns their default search engines and homepages into fake search engines, which simply redirect the queries to either yahoo.com or google.com to generate ad revenue. It also can be used as a full-functioning malware downloader capable of executing any code on victims’ machines. It was first discovered in May 2017 and severely impacted organizations during summer of 2017.

The Rig Exploit Kit came in third for January, impacting 17% of organizations. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer.

On the mobile front, Lokibot, an Android banking Trojan, was the most popular malware used to attack organizations’ mobile estates. The code steals information, but it can also turn into a ransomware that locks the phone.

Lokibot was followed by the Triada and Hiddad mobile malwares in January. Triada is a modular backdoor for Android, which grants superuser privileges to downloaded malware. Hiddad is also an Android malware, focused on trojanizing legitimate apps then releasing them to a third-party store.

What’s hot on Infosecurity Magazine?