blog.malwarebytes.com
Submitted URL: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you///
Effective URL: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/
Submission: On December 09 via api from US — Scanned from DE
Text Content
Cybercrime | Malware

PERSISTENT DRIVE-BY CRYPTOMINING COMING TO A BROWSER NEAR YOU
Posted: November 29, 2017 by Jérôme Segura
Last updated: November 28, 2017

If you think closing your browser window to leave a site that runs a cryptominer will stop the mining process, think again. Persistent drive-by cryptomining has arrived.
Since our last blog on drive-by cryptomining, we are witnessing more and more cases of abuse involving the infamous Coinhive service, which allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once.

One of the major drawbacks of web-based cryptomining we mentioned in our paper was its ephemeral nature compared to persistent malware, which can run a miner for as long as the computer remains infected. Indeed, when users close their browser, the cryptomining activity also stops, thereby cutting out the perpetrators' profit.

However, we have come across a technique that allows dubious website owners, or attackers who have compromised sites, to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers.

What we observed was the following:

* A user visits a website, which silently loads cryptomining code.
* CPU activity rises but is not maxed out.
* The user leaves the site and closes the Chrome window.
* CPU activity remains higher than normal as cryptomining continues.

The trick is that although the visible browser windows are closed, there is a hidden one that remains open. This is due to a pop-under that is sized to fit right under the taskbar and hides behind the clock. The hidden window's coordinates vary with each user's screen resolution, but follow this rule:

* Horizontal position = ( current screen x resolution ) - 100
* Vertical position = ( current screen y resolution ) - 40

If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar, and the window will pop back into view.

A LOOK UNDER THE HOOD

This particular event was caught on an adult site that was already using aggressive advertising tricks. Looking at the network traffic, we can see where the rogue browser window came from and what it loaded.

The pop-under window (elthamely[.]com) is launched by the Ad Maven ad network (see previous post about bypassing adblockers), which in turn loads resources from Amazon (cloudfront[.]net). This is not the first cryptominer to be hosted on AWS, but this one does things a little differently by retrieving a payload from yet another domain (hatevery[.]info).

We notice some functions that come straight from the Coinhive documentation, such as .hasWASMSupport(), which checks whether the browser supports WebAssembly, a newer format that allows users to take full advantage of the hardware's capability directly from the browser. If it doesn't, the miner falls back to the slower JavaScript version (asm.js).

The WebAssembly module (.wasm) is downloaded from hatevery[.]info and contains references to cryptonight, the API used to mine Monero. As mentioned above, the mining is throttled to have a moderate impact on users' machines so that it stays under the radar.

MITIGATION

This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the "X" is no longer sufficient. More technical users will want to open Task Manager to make sure no browser processes are still running, and terminate any that remain. Alternatively, the taskbar will still show the browser's icon with slight highlighting, indicating that it is still running.

MORE ABUSE ON THE HORIZON

Nearly two months since Coinhive's inception, browser-based cryptomining remains highly popular, but for all the wrong reasons.
Forced mining (no opt-in) is a bad practice, and tricks like the one detailed in this blog will only erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads has failed before, but only time will tell if this will be any different.

Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn't bad enough as is, it now has a new weapon that works on all platforms and browsers.

INDICATORS OF COMPROMISE

IP address, domain, role:

* 145.239.64.86, yourporn[.]sexy, Adult site
* 54.239.168.149, elthamely[.]com, Ad Maven popunder
* 52.85.182.32, d3iz6lralvg77g[.]cloudfront.net, Advertiser's launchpad
* 54.209.216.237, hatevery[.]info, Cryptomining site

Cryptonight WebAssembly module: fd472bd04c01a13bf402775441b0224edef4c062031e292adf41e5a5897a24bc
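As an added defensive check for the Mitigation step above (it is not code from the Malwarebytes post), this PowerShell script enumerates the top-level windows owned by browser processes and flags any whose top-left corner matches the pop-under rule described in the article: (screen width - 100, screen height - 40). The list of browser process names and the 10 px tolerance are assumptions for illustration.

```powershell
# Added example: find browser windows parked at the pop-under position from the article.
# Run in a normal Windows PowerShell session; requires no elevation.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct RECT { public int Left; public int Top; public int Right; public int Bottom; }
[DllImport("user32.dll")] public static extern IntPtr GetTopWindow(IntPtr hWnd);
[DllImport("user32.dll")] public static extern IntPtr GetWindow(IntPtr hWnd, uint uCmd);
[DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT lpRect);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

# Assumed browser process names; extend for whatever is installed on the host.
$browsers    = 'chrome', 'firefox', 'msedge', 'opera', 'brave'
$browserPids = (Get-Process -Name $browsers -ErrorAction SilentlyContinue).Id

# Position rule from the article: x = screen width - 100, y = screen height - 40.
$screen    = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
$expectedX = $screen.Width  - 100
$expectedY = $screen.Height - 40
$tolerance = 10          # assumed slack for DPI scaling and borders
$GW_HWNDNEXT = 2         # walk the Z-order from the topmost window downwards

$hwnd = [Win32.Native]::GetTopWindow([IntPtr]::Zero)
while ($hwnd -ne [IntPtr]::Zero) {
    [uint32]$owner = 0
    [void][Win32.Native]::GetWindowThreadProcessId($hwnd, [ref]$owner)
    if ($browserPids -contains [int]$owner) {
        $rect = New-Object 'Win32.Native+RECT'
        if ([Win32.Native]::GetWindowRect($hwnd, [ref]$rect)) {
            # A window whose corner sits under the taskbar clock is the tell-tale sign.
            $suspicious = ([math]::Abs($rect.Left - $expectedX) -le $tolerance) -and
                          ([math]::Abs($rect.Top  - $expectedY) -le $tolerance)
            [pscustomobject]@{
                PID        = $owner
                Process    = (Get-Process -Id $owner).ProcessName
                Left       = $rect.Left
                Top        = $rect.Top
                Suspicious = $suspicious
            }
        }
    }
    $hwnd = [Win32.Native]::GetWindow($hwnd, $GW_HWNDNEXT)
}
```

Any row with Suspicious set to True after all visible browser windows have been closed is a candidate hidden pop-under; terminating that PID in Task Manager ends the mining, as the Mitigation section describes.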
ABOUT THE AUTHOR

Jérôme Segura, Director of Threat Intelligence. A special interest for web threats.