Browser monero crypto miner client implementation using wasm and web workers
DISCLAIMER: The demo app below will perform hash computations in order to mine cryptocurrency on my behalf, but the script is throttled so that it does not affect your device. There is no virus, and the script is ephemeral; once you leave the page, it stops working. This repository should only be used for educational purposes.
This project was one of several demonstrations I gave for my cybersecurity dissertation paper, "Browser-based fileless malware: cryptojacking and botnets." What you're looking at is a web-based crypto miner implementation.
The web client is using a wasm compiled version of cryptonight, the hashing algorithm used by monero. The reason for using this algorithm is that it is designed to rely on CPU power rather than GPU power, making it more efficient on the web. The hashing algorithm was compiled to wasm from C using emscripten and can be found in the /public directory; cn.js is a js wrapper around the binary file cn.wasm which contains the hashing function.
In order to not block the main/ui thread this app is using web workers, in theory this app should span a number of web workers equal to the number of logical processors available to run threads on the user's computer. Each web worker then is comunicating with the main thread that keeps a web socket connection to a monero mining pool (moneroocean). The connection to the mining pool is beeing proxied through a light node server, the reason behind this is to avoid detection from ad blockers or antiviruses which can block server requests to the wss://webminer.moneroocean.stream/ address.
The script files are obfuscated on the build process, this can be done on a cron job as well, this can assure that antiviruses can't banlist the file hash. There are also many ways of distributing this sort of malicious scripts one way beeing through an Iframe ad.
DISCLAIMER 2: This is a proof of concept, please don't use this for malicious purposes. There are obviously point of failures for this web app, such as the address to the proxy server that can be banned, there is also more performant ways of mining crypto on the web if thats what you are going for.
I shared more on this topic at this page with a simple demonstration on how you can hide the malicious script behind an iframe.
Other cool resource on the same topic:
- Browser as Botnet talk given at the Radical Networks in 2017
- Million Browser Botnet talk given at Black Hat 2013