Hackers Use CoffeeMiner to Hijack Public wifi hotspots to mine cryptocurrency

Posted on January 10, 2018 at 3:53 PM

Hackers Use CoffeeMiner to Hijack Public wifi hotspots to mine cryptocurrency

It seems like public wifi networks are becoming even more dangerous as its now being used to deploy cryptocurrency mining malware.

A new research report indicates that hackers recently developed a new crypto hacking technique which involves exploiting a public Wifi network to hijack victims’ CPUs to covertly mine cryptocurrency. The findings were published in a report by the software developing firm, Arnau Code. The report includes a detailed proof-of-concept (PoC) of the malware, known as “CoffeeMiner” as well as a description as to how the malware operates. The report notes that the malware targets personal devices connected to the affected Wifi network which are common in public areas such as airports and cafés.

Arnau Code published a blog post last week Thursday wherein which the author states that the firm became curious about the phenomenon after reading about users who fell victim to cryptocurrency mining malware after connecting to a public Wifi network.

According to the report, CoffeeMiner works similarly to man-in-the-middle (MitM) attacks. MitM attacks operate by adding malicious Javascript code into the HTML page visited by the victim. The attack is then completed by communicating spoofed Address Resolution Protocol (ARP) signals via the dSniff library which impacts the targeted network. This attack essentially then enables the hacker to intercept all traffic on any given public Wifi network.

Hackers generally use the mitmproxy tool to insert the malicious Javascript code into the HTML pages, which impacts users once they visit the website using a public wifi network. In an attempt to keep the process as simplistic as possible, hackers insert only a single line of Javascript code, which activates the cryptocurrency mining malware.

After this process, the malware is implemented on the HTTP server. In the case of CoffeeMiner, the hackers used the somewhat notorious Coinhive script which allows users to mine Monero. Coinhive has been under fire recently because their product has become associated with hackers and dishonest mining endeavors, however, the company maintains that its mining software was created to allow web administrators generate an additional stream of revenue in a legitimate and transparent manner.

According to Arnau Code, the CoffeeMiner code performs the ARP spoofing attack which enables the mitmproxy to insert the Coinhive script. In turn, this script will infect personal devices to mine Monero without the victims’ consent or knowledge.

Any personal devices connected to the compromised network is likely to become infected. The CoffeeMiner malware script essentially hijacks a large portion of a device’s CPUs, which means that victims’ device performance is likely to be affected.

However, Arnau Code notes that the attack’s success might be compromised by the amount of time users actually spend on an HTML page.

The software developing firm states that the Coinhive script works at optimum efficiency if users spend a medium to long amount of time on the given web page. However, the success and profitability are likely to be compromised in this malware campaign especially considering that users spend an average of 40 seconds per session. The company was more interested in testing medium to long-term sessions in order to efficiently calculate hashes, which in turn mines Monero.

According to the specific researcher behind this experiment, he has already successfully tested CoffeeMiner using real-life scenarios.

The blog post states that it has been proven that CoffeeMiner and similar malware attacks can be performed easily and successfully while using a public Wifi network allows the hacker a degree of anonymity. The blog post continued to muse that this attack could perhaps be modified in the future by perhaps implementing an autonomous Nmap scan feature, which will automatically add the victims’ IP addresses to the CoffeeMiner victim list. In addition, the blog post suggests adding a sslstrip feature which will insert the mining code into HTTP addresses.

Several researchers have already warned users about the many risks associated with public wifi networks, as public networks are often used in malware techniques as well as a host of other cybercrimes.

Recently, a public Wifi network of a Buenos Aires Starbucks was discovered to carry a mining script malware. The attacker exploited the network in order to use connected devices to mine Monero. Starbucks responded to the incident by blaming their local internet service provider and emphasized that it was an isolated instance.

Article Name
Hackers Use CoffeeMiner to Hijack Public wifi hotspots to mine cryptocurrency
It seems like public wifi networks are becoming even more dangerous as its now being used to deploy cryptocurrency mining malware.
Publisher Name
Publisher Logo

Share this:

Related Stories:


Get the latest stories straight
into your inbox!


Discover more from KoDDoS Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading