
Delay-CJ: a novel cryptojacking covert attack method based on delayed strategy and its detection

Guangquan Xu, Wenyu Dong, Jun Xing, Wenqing Lei*, Jian Liu*, Lixiao Gong, Meiqi Feng, Xi Zheng, Shaoying Liu

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review


Abstract

Cryptojacking is a type of resource embezzlement attack, wherein an attacker secretly executes a cryptocurrency mining program on the target host to gain profits. It has been common since 2017, and in fact, it once became the greatest threat to network security. To better demonstrate the attack capability of cryptojacking and the harm it causes, this paper proposes a new covert browser-based mining attack model named Delay-CJ, which was deployed in a simulation environment for evaluation. Based on the general framework of cryptojacking, Delay-CJ adds hybrid detection-evasion techniques and, in the prototype implementation, applies a delayed execution strategy specifically for video websites. The results show that the existing detection methods used for testing may become invalid as a result of this model. In view of this situation, to achieve a more general and robust detection scheme, we built a cryptojacking detection system named CJDetector, which is based on cryptojacking process features. Specifically, it identifies malicious mining by monitoring CPU usage and analyzing function call information. This system not only effectively detects the attack in our example but also has universal applicability. The recognition accuracy of CJDetector reaches 99.33%. Finally, we tested the web pages of the Alexa 50K websites to investigate cryptojacking activity in the real network. We found that although cryptojacking is indeed on the decline, it remains a network security threat that cannot be ignored.
Original language: English
Pages (from-to): 1169-1179
Number of pages: 11
Journal: Digital Communications and Networks
Volume: 9
Issue number: 5
Early online date: 13 May 2022
Publication status: Published - Oct 2023

Bibliographical note

Copyright the Publisher 2023. Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.

Keywords

  • Cryptojacking
  • Evasion techniques
  • Delayed strategy
  • Cryptocurrency mining
  • Behavior-based detection
