Talk @ FIRST 2019: Analyze & Detect WebAssembly Cryptominer


2019/06/17 @ FIRST conference 2019

More than one year after the “official” release, it’s heavily used in the wild to perform Cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provides simple Javascript API and uses WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.

First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some Cryptominer module using static and dynamic analysis (reversing, decompilation, DBI, …) applied on WebAssembly. Finally, I will expose some techniques to detect and mitigate them.

  1. Introduction
  2. WebAssembly Basics
  3. Module dissection
  4. Program analysis
  5. WebAssembly Cryptominers
  6. Analysis (Coinhive & Cryptoloot)
  7. Cryptominers detection
  8. Conclusion

link / slides