Coinhive Injections Are a Real Threat

Coinhive Injections attack can often bypass antivirus detection.

Heimdal Security team has been monitoring the Coinhive malware for the past months. The recent information about Coinhive website injections is just the tip of the iceberg. Users are extremely exposed to the threat of hitting their computers directly.

Thousands of government websites, including the NHS, have been victims to script injections. The users visiting them have had their CPU hijacked to mine Monero currency for cybercriminals.

“The recent media mentions surrounding injected Coinhive scripts are widespread but widely understate the magnitude of the problem. Injecting its Javascript into websites is an easy feat for malicious actors, who also target plugins widely used and rarely inspected. Since it is a script injection, it will almost always go unnoticed by the host site and the client receiving it. However, everyone seems to be forgetting how easy it is to replicate these Javascript injections for other malicious purposes, such as malware delivery to end-users. This kind of attack can often bypass antivirus detection because it is created to do exactly that,” says Morten Kjaersgaard, CEO of Heimdal Security.

Coinhive is a cryptocurrency mining tool for the Monero Blockchain that uses Javascript. When visitors access a site that hosts the Coinhive script, their CPU is used to mine cryptocurrency for third parties. Worse off, the browser itself can be hijacked.

The intention behind Coinhive was originally positive, aiming to give content creators another stream of revenue.

The core problem here is that the Javascript used by it can easily be integrated into a website, but it can only run while the session is open. Coupled with the anonymous, encrypted nature of Monero transactions, the transition to malware was inevitable.

If integrated and hidden into malware, it will run every time an endpoint starts and it will go undetected by antivirus because Javascript is not detectable like normal files.

“Our threat intelligence shows that these types of integrations have already happened. The problem is magnitudes larger than currently reported, especially because the script can be embedded into Internet Explorer. Users who are exposed via websites have only a limited mining window while the session is active. However, if run locally on the endpoint, the browser poses no such restrictions. Our intelligence shows that about 2% of corporate and consumer PCs are trying to connect to the servers – that’s a high number and there needs to be more awareness drawn to these issues, added Morten Kjaersgaard.

More information is available at