Drive-by cryptomining also known as cryptojacking has turned into one of the major threats to online users. Researchers are coming across more and more cases of abuse involving Coinhive.
The Coinhive mining within a browser explained
The software is easily integrated thanks to its API integration, and is overall simplistic. However, the failure to apply an opt-in process to provide user consent makes it somehow dubious. The result is that the software has been abused to an unbelievable extent, and the trend continues as we speak. We recently wrote about the alarming trend of the increasing number of websites using Coinhive’s script to mine for Monero. Basically, researchers reached the conclusion that 1 in 1,000 websites is running Coinhive.
New technique allows malicious actors to continue mining even after a browser is closed
This trend is now going even more problematic as researchers stumbled upon a technique that enables malicious users to keep mining for Monero even after the browser window is closed. The research carried out by Jerome Segura was focused on the Chrome browser but other browsers may be affected as well, with different outcomes for each browser.
What happens after a user visits a website, which is silently loading the mining code is that the CPU activity is increasing but it is not maxing out. After the user leaves the particular site via closing the Chrome window, his machine’s CPU activity remains higher than usual. This is a sign that the cryptomining process is not resumed with the closing of the browser. How is this even possible?
Researchers noticed this activity on an adult website known to deploy aggressive advertising techniques. While analyzing the network traffic the rogue browser window was noticed, as well as where it came from and what it loaded.
- The pop-under has been identified – elthamely[.]com – and was detected to launch from the Ad Maven network.
Shortly said, Ad-maven(.)com is the site of a platform for performance marketing. Ad Maven is considered adware in terms of producing a multitude of adverts redirecting the user to various dubious sites. The network also gains money from those services and the internet traffic that its ads generate.
Even though the visible browser windows are closed, a hidden session remains opened, making the drive-by cryptomining persistent. This is possible thanks to a pop-under made to fit under the taskbar, right behind the clock.
What happens after elthamely[.]com pop-under is loaded from the Ad Maven network? Resources from Amazon cloudfront[.]net are loaded, and a payload is taken from another doman – hatevery(.)info.
How to stop this new type of drive-by cryptomining a.k.a. cryptojacking
Considering the type of pop-under deployed by malicious actors to bypass adblockers and hide its activity from users, simply closing the browser won’t do. Affected users should run Task Manager to make sure that there are no leftover processes. If such are found, they should be eliminated immediately.
In conclusion, drive-by cryptomining will surely continue to evolve and become more dangerous to users. Malicious actors will continue to search for means to distribute drive-by mining. As a result, malvertising is becoming even more threatening with this new technique that puts all platforms and browsers at risk.
Considering the current threat landscape, it is strongly recommended that all security measures are into consideration, including the use of an anti-malware program that actively protects the system from all kinds of exploits.
SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter