A Firefox extension called Image Previewer was discovered today that not only displays popups, but also injects a Monero in-browser miner into Firefox. While we have seen numerous Chrome extensions injecting in-browser miners, this is the first time I have seen a Firefox addon with this behavior.
The addon will then open the page https://devappgrant.space/lib/iframe.html?u=6081&t=0.5 in an iframe. This page contains the setup script for the in-browser Monero miner. The variables used in the URL are important as well, as they specify the user ID associated with the miner and the throttle, which is the percentage of time that the miner threads should be idle.
This setup script will cause the main miner script located at https://devappgrant.space/lib/xmr.main.min.js to load within 15 minutes.
This xmr.main.min.js script is the brains behind the Monero miner and contains the base64 encoded WebAssembly program that will be executed to mine for Monero. While mining, the miner will use up to 50% of the CPU processing power on the computer. This will cause the CPU to run at high intensity for a longer period of time, which could decrease the lifespan of the hardware.
As this miner is injected into the browser whenever Firefox starts, the only way to shut it down is to close Firefox, or even better, remove the addon altogether.
To remove the addon, open Firefox and press the Ctrl+Shift+A keys at the same time or click on the Firefox menu and select Add-ons to access the list of installed addons/extensions.
In the list of installed addons, simply click on the Remove button next to the extension name to remove the addon.
Miners are becoming an epidemic and in-browser mining is only going to get worse. Therefore, it is important that all users protect themselves by installing antivirus software that detects when a browser connects to known mining services such as CoinHive.
Unfortunately, new services keep popping up and it has become a game of whack-a-mole for the security industry. Therefore, your installed software may not detect the URL or scripts associated with a new in-browser miner.
To add further protection, you can use an adblocker, which will block in-browser mining scripts. For those looking for a more granular approach, you can use the CoinBlockerLists site to download lists of IP addresses and domains affiliated with in-browser mining.
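As an added illustration (not code from this article or from any blocklist project), the sketch below checks requested URLs against a domain blocklist of the kind described above and decodes the `u` and `t` parameters of the miner's iframe URL. The log layout, the placeholder domain `miner.example`, and the reading of `t` as a 0 to 1 idle fraction are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed blocklist text. devappgrant.space is the host named in the
# article; miner.example is a placeholder.
BLOCKLIST_TEXT = "# constructed sample list\ndevappgrant.space\nminer.example\n"

# Constructed proxy log lines in an assumed "<timestamp> <client> <url>" layout.
SAMPLE_LOG = """2018-01-31T10:02:11 10.0.0.15 https://devappgrant.space/lib/iframe.html?u=6081&t=0.5
2018-01-31T10:02:12 10.0.0.15 https://www.example.org/index.html
2018-01-31T10:15:40 10.0.0.15 https://devappgrant.space/lib/xmr.main.min.js
2018-01-31T10:16:02 10.0.0.22 https://cdn.miner.example/w.js?u=17
"""

def load_blocklist(text):
    """Return the set of domains, skipping blank lines and # comments."""
    lines = (line.strip().lower() for line in text.splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def is_blocked(host, blocklist):
    """True if the host or any parent domain of it is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def miner_params(url):
    """Extract the u (user id) and t (throttle) query parameters."""
    query = parse_qs(urlsplit(url).query)
    try:
        idle = float(query.get("t", [""])[0])
    except ValueError:
        idle = None  # parameter missing or not a number
    return query.get("u", [None])[0], idle

def scan(log_text, blocklist):
    """Return one record per log line whose host is blocklisted."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        host = urlsplit(fields[2]).hostname if len(fields) == 3 else None
        if not host or not is_blocked(host, blocklist):
            continue  # malformed line or host not on the list
        user, idle = miner_params(fields[2])
        # Assumption: t is a 0..1 idle fraction, so CPU share is 1 - t.
        cpu = 1.0 - idle if idle is not None and 0 <= idle <= 1 else None
        hits.append({"time": fields[0], "client": fields[1], "host": host,
                     "user": user, "cpu_share": cpu})
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG, load_blocklist(BLOCKLIST_TEXT)), sep="\n")
```

Matching on parent domains means a single list entry also covers subdomains, and the `u` value gives a pivot for grouping hits that belong to the same miner account.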
Last, but not least, you should never install a Firefox addon directly from a site. Instead, check to see if it has been added to the Mozilla Add-on Repository. Any addons listed on Mozilla's site will have been evaluated for malicious behavior and signed with a digital certificate.
Updated 1/31/18 11:26AM EST: Included information to not download addons directly from an unknown site.