Drive-by cryptomining also known as cryptojacking has turned into one of the major threats to online users. Researchers are coming across more and more cases of abuse involving Coinhive.
The Coinhive mining within a browser explained
What is Coinhive? Coinhive was created in September this year. Simply explained, the software allows Monero mining directly within a browser. As explained by the developers of the software, Coinhive offers a JavaScript miner for the Monero Blockchain that can embed in a website. Users of the website run the miner directly in their browser and mine XMR for the website owner in turn for an ad-free experience, in-game currency or whatever incentives you can come up with.
The software is easily integrated thanks to its API integration, and is overall simplistic. However, the failure to apply an opt-in process to provide user consent makes it somehow dubious. The result is that the software has been abused to an unbelievable extent, and the trend continues as we speak. We recently wrote about the alarming trend of the increasing number of websites using Coinhive’s script to mine for Monero. Basically, researchers reached the conclusion that 1 in 1,000 websites is running Coinhive.
New technique allows malicious actors to continue mining even after a browser is closed
This trend is now going even more problematic as researchers stumbled upon a technique that enables malicious users to keep mining for Monero even after the browser window is closed. The research carried out by Jerome Segura was focused on the Chrome browser but other browsers may be affected as well, with different outcomes for each browser.
What happens after a user visits a website, which is silently loading the mining code is that the CPU activity is increasing but it is not maxing out. After the user leaves the particular site via closing the Chrome window, his machine’s CPU activity remains higher than usual. This is a sign that the cryptomining process is not resumed with the closing of the browser. How is this even possible?
Researchers noticed this activity on an adult website known to deploy aggressive advertising techniques. While analyzing the network traffic the rogue browser window was noticed, as well as where it came from and what it loaded.
- The pop-under has been identified – elthamely[.]com – and was detected to launch from the Ad Maven network.
Shortly said, Ad-maven(.)com is the site of a platform for performance marketing. Ad Maven is considered adware in terms of producing a multitude of adverts redirecting the user to various dubious sites. The network also gains money from those services and the internet traffic that its ads generate.
Even though the visible browser windows are closed, a hidden session remains opened, making the drive-by cryptomining persistent. This is possible thanks to a pop-under made to fit under the taskbar, right behind the clock.
What happens after elthamely[.]com pop-under is loaded from the Ad Maven network? Resources from Amazon cloudfront[.]net are loaded, and a payload is taken from another doman – hatevery(.)info.
Researchers also noticed functions from the Coinhive documentation designed to check whether a browser supports WebAssembly, a low-level bytecode format for in-browser client-side scripting, which evolved from JavaScript. The feature allows the user to fully use the hardware’s capacity directly from the browser. If the browser doesn’t support WebAssembly, it would return to the slower JavaScript version.
How to stop this new type of drive-by cryptomining a.k.a. cryptojacking
Considering the type of pop-under deployed by malicious actors to bypass adblockers and hide its activity from users, simply closing the browser won’t do. Affected users should run Task Manager to make sure that there are no leftover processes. If such are found, they should be eliminated immediately.
In conclusion, drive-by cryptomining will surely continue to evolve and become more dangerous to users. Malicious actors will continue to search for means to distribute drive-by mining. As a result, malvertising is becoming even more threatening with this new technique that puts all platforms and browsers at risk.
Considering the current threat landscape, it is strongly recommended that all security measures are into consideration, including the use of an anti-malware program that actively protects the system from all kinds of exploits.
SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: