Hacked routers that were running the Coinhive cryptocurrency-mining script have been injected with new code to mint digital coins after the Coinhive service shut down.
The end of the Coinhive service resulted in a significant drop in web-based cryptocurrency mining but it did not put an end to this activity. Almost two months after the service’s demise, its code continues to linger on a large number of compromised websites and devices.
The leftover code is inactive, though: the service was essential in establishing connections between a client and a server, so no mining is possible now.
Jérôme Segura at Malwarebytes published an overview of the web-based cryptojacking activity after Coinhive fell and says that recent telemetry data still shows an average of 50,000 Coinhive blocks per day.
In its heyday, there were more than 150,000 blocks per day, with peaks going well beyond the 200,000 mark.
Malwarebytes observed the script on a MikroTik device; these routers were a constant target last summer for cryptocurrency mining campaigns pushing the Coinhive script.
The WebMinePool service is promoted as a “multifunctional mining service for site owners and individuals” and does not perform email verification at sign-up, which is an invitation to abuse.
The script is simple and allows setting the number of CPU threads that should be used as well as the percentage. In the example below, the script uses four threads at 70%.
Injecting a cryptocurrency mining script in a router ensures that it can be served to all devices connected to it, which do the actual mining. This is a simple way for criminals to scale their operation and increase their profit with little effort.
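As an added example (not from the article or from Malwarebytes), the Python code below shows one way a defender could recognise this pattern in captured HTTP responses: a miner-like script host that shows up on several unrelated sites behind one router points to in-path injection rather than a single compromised website. The keyword list reuses the service names mentioned in this article; the substring matching, the function names and the `.example` hosts are assumptions constructed for the example.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Service names taken from the article. Matching them as substrings of a
# script host is an assumption of this example, not a vetted indicator list.
MINER_KEYWORDS = ("coinhive", "webminepool", "cryptoloot")


class ScriptHosts(HTMLParser):
    """Collect the host of every external <script src=...> in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src") or ""
            host = urlsplit(src).hostname  # None for relative or empty src
            if host:
                self.hosts.add(host.lower())


def find_router_injection(responses, min_sites=2):
    """responses: iterable of (site_host, html_body) seen on one network.

    Returns {script_host: sorted site list} for miner-like script hosts that
    appear on at least min_sites different sites. A miner embedded by one
    compromised website stays below the threshold; a router injecting into
    every page it serves does not.
    """
    seen = defaultdict(set)
    for site, body in responses:
        parser = ScriptHosts()
        parser.feed(body)
        for host in parser.hosts:
            if any(keyword in host for keyword in MINER_KEYWORDS):
                seen[host].add(site)
    return {h: sorted(sites) for h, sites in seen.items() if len(sites) >= min_sites}


# Constructed sample: four responses captured behind one router.
SAMPLE = [
    ("news.example", '<html><script src="http://webminepool.example/lib.js"></script></html>'),
    ("shop.example", '<script src="//webminepool.example/lib.js"></script><script src="/app.js"></script>'),
    ("blog.example", '<html><script src="https://cdn.example/jquery.js"></script></html>'),
    ("forum.example", '<html><script src="https://coinhive.example/m.js"></script></html>'),
]

if __name__ == "__main__":
    print(find_router_injection(SAMPLE))
```
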
CryptoLoot, a major competitor for Coinhive back in the day, is…