WebAssembly has become a crucial part of the modern web, offering a faster
alternative to JavaScript in browsers. While boosting rich applications in
browser, this technology is also very efficient to develop cryptojacking
malware. This has triggered the development of several methods to detect
cryptojacking malware. However, these defenses have not considered the
possibility of attackers using evasion techniques. This paper explores how
automatic binary diversification can support the evasion of WebAssembly
cryptojacking detectors. We experiment with a dataset of 33 WebAssembly
cryptojacking binaries and evaluate our evasion technique against two malware
detectors: VirusTotal, a general-purpose detector, and MINOS, a
WebAssembly-specific detector. Our results demonstrate that our technique can
automatically generate variants of WebAssembly cryptojacking that evade the
detectors in 90% of cases for VirusTotal and 100% for MINOS. Our results
emphasize the importance of meta-antiviruses and diverse detection techniques,
and provide new insights into which WebAssembly code transformations are best
suited for malware evasion. We also show that the variants introduce limited
performance overhead, making binary diversification an effective technique for
evasion