A Firefox extension called Image Previewer was discovered today that not only displays popups, but also injects a Monero in-browser miner into Firefox. While we have seen numerous Chrome extensions injecting in-browser miners, this is the first time I have seen a Firefox addon with this behavior.

The Image Previewer addon is promoted by web sites that pretend to be a manual Firefox update, but in reality push a Firefox addon to the visitor. This is done through repeated JavaScript alerts and user authentication prompts that push the user into installing the addon directly from the site.

Fake Firefox Update Page

When this addon is installed, it injects an iframe pointing to a JavaScript file that monetizes the sites you visit using popups, link click hijacking, and ad injection. It does this by first connecting to http://searchye.tools/cfg/cnt.json, which responds with a URL that is then injected into the page, as shown below.

Injected Script

The addon will then open the page https://devappgrant.space/lib/iframe.html?u=6081&t=0.5 in an iframe. This page contains the setup script for the in-browser Monero miner. The variables used in the URL are important as well, as they specify the user ID associated with the miner and the throttle, which is the percentage of time that the miner threads should be idle.

This setup script will cause the main miner script located at https://devappgrant.space/lib/xmr.main.min.js to load within 15 minutes.

Part of the In-Browser Miner Loader Script

This xmr.main.min.js script is the brains behind the Monero miner and contains the base64 encoded WebAssembly program that will be executed to mine for Monero. While mining, the miner will use up to 50% of the CPU processing power on the computer. This will cause the CPU to run at high intensity for a longer period of time, which could decrease the lifespan of the hardware.

Task Manager Showing Firefox Using 50% of the CPU
Showing Firefox Using 44% of the CPU

As this miner is injected into the browser whenever Firefox starts, the only way to shut it down is to close Firefox, or even better, remove the addon altogether.

To remove the addon, open Firefox and press the Ctrl+Shift+A keys at the same time or click on the Firefox menu and select Add-ons to access the list of installed addons/extensions.

Firefox Extension List

At the above screen, simply click on the Remove button next to the extension name to remove the addon.

Protecting yourself from In-Browser Miners

Miners are becoming an epidemic and in-browser mining is only going to get worse. Therefore, it is important that all users protect themselves by installing antivirus software that detects when a browser connects to known mining services such as CoinHive.

Unfortunately, new services keep popping up and it has become a game of whack-a-mole for the security industry. Therefore, your installed software may not detect the URL or scripts associated with a new in-browser miner. 

To add further protection, you can use an adblocker, which will block in-browser mining scripts. For those looking for a more granular approach, you can use the CoinBlockerLists site to download lists of IP addresses and domains affiliated with in-browser mining.
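As an added example (not part of the original article), the following Python sketch applies a domain blocklist to proxy log URLs and pulls the miner user ID and throttle out of the loader URL described above. The hosts-file syntax of the list, the sample log URLs, and all function names are assumptions made for illustration; the two listed domains are the ones named in this article.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed hosts-style blocklist; the two domains are those named in the article.
BLOCKLIST_TEXT = """\
# constructed sample, hosts-file syntax (assumed format)
0.0.0.0 devappgrant.space
0.0.0.0 searchye.tools
"""

# Constructed proxy log URLs: three from the article, two look-alike negatives.
SAMPLE_URLS = [
    "http://searchye.tools/cfg/cnt.json",
    "https://devappgrant.space/lib/iframe.html?u=6081&t=0.5",
    "https://devappgrant.space/lib/xmr.main.min.js",
    "https://notdevappgrant.space/index.html",
    "https://example.org/?ref=devappgrant.space",
]

def load_blocklist(text):
    """Parse hosts-style or bare-domain lines into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            domains.add(line.split()[-1].lower().rstrip("."))
    return domains

def blocked_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in domains:
            return candidate
    return None

def scan(urls, domains):
    """Return one finding per URL whose host is on the blocklist."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        match = blocked_domain(parts.hostname or "", domains)
        if match:
            q = parse_qs(parts.query)  # u = miner user ID, t = throttle (per the article)
            findings.append({"url": url, "domain": match,
                             "user_id": q.get("u", [None])[0], "throttle": q.get("t", [None])[0]})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS, load_blocklist(BLOCKLIST_TEXT)):
        print(finding)
```

Matching on whole DNS labels keeps a look-alike such as notdevappgrant.space, or a listed domain that only appears in a query string, from producing a false hit, while subdomains of a listed domain are still caught.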

Last, but not least, you should never install a Firefox addon directly from a site. Instead, check to see if it has been added to the Mozilla Add-on Repository. Any addons listed on Mozilla's site will have been evaluated for malicious behavior and been signed by a digital certificate.

Updated 1/31/18 11:26AM EST: Included information to not download addons directly from an unknown site.
