Talk @ FIRST 2019: Analyze & Detect WebAssembly Cryptominer


2019/06/17 @ FIRST conference 2019

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C.

More than one year after the “official” release, it’s heavily used in the wild to perform Cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provides simple Javascript API and uses WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.

First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some Cryptominer module using static and dynamic analysis (reversing, decompilation, DBI, …) applied on WebAssembly. Finally, I will expose some techniques to detect and mitigate them.

Along the talk, I will used multiple open source tools but also Octopus, a Security Analysis tool for WebAssembly module, that I have developed and already available on Github (https://github.com/quoscient/octopus).

  1. Introduction
  2. WebAssembly Basics
  3. Module dissection
  4. Program analysis
  5. WebAssembly Cryptominers
  6. Analysis (Coinhive & Cryptoloot)
  7. Cryptominers detection
  8. Conclusion

link / slides