2019/06/17 @ FIRST conference 2019
More than one year after its “official” release, WebAssembly is heavily used in the wild to perform cryptojacking (illegitimate in-browser mining) through online services like Coinhive, which provide a simple JavaScript API and use a WebAssembly module to make mining even more efficient and profitable than with pure JavaScript.
First, I will introduce WebAssembly concepts and how it is currently used. Second, I will analyze some cryptominer modules using static and dynamic analysis (reversing, decompilation, DBI, …) applied to WebAssembly. Finally, I will present some techniques to detect and mitigate them.
- Introduction
- WebAssembly Basics
- Module dissection
- Program analysis
- WebAssembly Cryptominers
- Analysis (Coinhive & Cryptoloot)
- Cryptominers detection
- Conclusion