Since CoinHive domain made it into many blacklists, attackers began avoiding linking to the hosted library file https://coinhive .com/lib/coinhive.min.js. Instead, they uploaded this file to third-party sites. Some of the attempts to get rid of the coinhive.com domain look pretty naive. For example, injecting the whole library code into web pages.
Yes! Some attackers inject all 60+ kilobytes of the CoinHive library into the HTML code of infected web pages. It is hard to miss when you visually inspect code of such pages. It was funny to find that in one case the attackers tried to renamed the miner variable into animation to make the code look more acceptable.
On another site, the library was injected into a web page in an obfuscated format that made it even bigger. Again, the attackers went an extra mile to make it look less suspicious. They added this comment
<!--<script src="https://authedmine.com/lib/authedmine.min.js"></script>-->
Authedmine.com – is a version of the CoinHive JavaScript miner that always asks permission to start mining thus considered an acceptable use of a Monero miner on a website. However in the above case, the obfuscated code was not from authedmine – it was the silent coinhive.com version. No wonder the site begins mining coins full speed without any notifications as soon as you open it.
And by the way, when you copy all the CoinHive library code (even obfuscated) to a third-party site it still makes requests to CoinHive domains, so it’s easy to detect and block.
For articles about more sophisticated “cryptojacking” hacks please check our blog.
If your site is a victim of such attacks, we can help to clean and protect it.