A JavaScript-based cryptocurrency miner earned the top spot in a list of the "most wanted" malware for December 2017. For its final Global Threat Index of 2017, Check Point observed Coinhive supplant Roughted, a large-scale malvertising campaign, as the most prevalent form of malware. This Monero-miner made waves back in October 2017 when it registered second place on Check Point's list for that month. Apparently, websites have increased their deployment of the sneaky bit of JavaScript code since then. Check Point's researchers provide two reasons for this upsurge in crypto-miners like Coinhive:
Ad-blocking software, stemming from users losing patience with excessive pop-up and banner advertisements, has been slashing many websites’ advertising revenue. Those websites are turning to crypto-miners as a new source of revenue – often without the knowledge or permission of the visitors to the website. Similarly, threat actors are turning to crypto-mining malware as a new way to make money – illegitimately gaining access to the users’ CPU power to mine for their own crypto currency – making it even likelier that we’ll see this trend gain steam over the coming months.
That would also explain why another crypto-miner called CryptoLoot came in at third place just behind the RIG exploit kit.
Check Point's top 10 "most wanted" malware for December 2017. Crypto-miners had a great year in 2017. These tools affected more than half (55 percent) of organizations globally, claiming 1.65 million users as a victims in the first eight months of the year alone. Those hapless individuals subsequently saw as much as 65 percent of their CPU power consumed when they visited media streaming, file-sharing, and similar types of websites that decided to deploy crypto-mining scripts without users' permission or knowledge. An ad-blocker won't do much to protect users against crypto-miners. Given the fact that Coinhive and others are based on JavaScript, however, users could install a browser extension like NoScript that blocks JavaScript by default. They can then enable only the code snippets of each site they want while preserving their CPU power.
