https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/
Cybercrime | Malware


PERSISTENT DRIVE-BY CRYPTOMINING COMING TO A BROWSER NEAR YOU

Posted: November 29, 2017 by Jérôme Segura
Last updated: November 28, 2017

If you think closing your browser window to leave a site that runs a cryptominer
will stop the mining process, think again. Persistent drive-by cryptomining has
arrived.

Since our last blog on drive-by cryptomining, we have been witnessing more and
more cases of abuse involving the infamous Coinhive service, which allows websites
to use their visitors' CPUs to mine the Monero cryptocurrency. Servers continue to
get hacked and seeded with mining code, and plugins get hijacked, affecting
hundreds or even thousands of sites at once.

One of the major drawbacks of web-based cryptomining we mentioned in our paper
was its ephemeral nature compared to persistent malware that can run a miner for
as long as the computer remains infected. Indeed, when users close their
browser, the cryptomining activity will also stop, thereby cutting out the
perpetrators’ profit.

However, we have come across a technique that allows dubious website owners or
attackers that have compromised sites to keep mining for Monero even after the
browser window is closed. Our tests were conducted using the latest version of
the Google Chrome browser. Results may vary with other browsers. What we
observed was the following:

 * A user visits a website, which silently loads cryptomining code.
 * CPU activity rises but is not maxed out.
 * The user leaves the site and closes the Chrome window.
 * CPU activity remains higher than normal as cryptomining continues.



The trick is that although the visible browser windows are closed, a hidden one
remains open. It is a pop-under sized to fit right under the taskbar, where it
hides behind the clock. The hidden window's coordinates vary with each user's
screen resolution, but follow this rule:

 * Horizontal position = ( current screen x resolution ) – 100
 * Vertical position = ( current screen y resolution ) – 40

If your Windows theme allows for taskbar transparency, you can catch a glimpse
of the rogue window. Otherwise, to expose it you can simply resize the taskbar,
and the window will pop back into view:




A LOOK UNDER THE HOOD

This particular event was caught on an adult site that was already using
aggressive advertising tricks. Looking at the network traffic, we can see where
the rogue browser window came from and what it loaded.



The pop-under window (elthamely[.]com) is launched by the Ad Maven ad network
(see our previous post about bypassing adblockers), which in turn loads resources
from Amazon (cloudfront[.]net). This is not the first cryptominer to be hosted
on AWS, but this one does things a little differently by retrieving a payload
from yet another domain (hatevery[.]info).

We notice some functions that come straight from the Coinhive documentation,
such as .hasWASMSupport(), which checks whether the browser supports
WebAssembly, a newer binary format that lets web code make much fuller use of
the hardware directly from the browser. If it doesn't, the miner falls back to
the slower JavaScript version (asm.js).



The WebAssembly module (.wasm) is downloaded from hatevery[.]info and contains
references to CryptoNight, the hashing algorithm used to mine Monero. As
mentioned above, the mining is throttled so that it has only a moderate impact
on users' machines and stays under the radar.
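As an added example (not code from the post or from Malwarebytes), here is a small Python triage script for a downloaded .wasm file: it walks the module's sections, lists export names, scans the raw bytes for the string "cryptonight", and compares the file's SHA-256 against the hash the post lists under Indicators of Compromise. The sample module it builds is constructed here so the script runs offline; it exports a single empty function under a CryptoNight-style name and is not the miner. A real miner module is far larger and the algorithm name may appear only in internal strings rather than in exports, which is why the raw-bytes scan is there as well.

```python
import hashlib

# SHA-256 of the CryptoNight WebAssembly module listed in the post's IoCs.
KNOWN_BAD_SHA256 = "fd472bd04c01a13bf402775441b0224edef4c062031e292adf41e5a5897a24bc"

WASM_MAGIC = b"\x00asm"
WASM_VERSION = b"\x01\x00\x00\x00"
EXPORT_SECTION_ID = 7


def _read_uleb128(data: bytes, pos: int):
    """Decode an unsigned LEB128 integer at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return result, pos
        shift += 7


def _encode_uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def wasm_sections(module: bytes):
    """Yield (section_id, payload) for every section of a wasm binary."""
    if module[:4] != WASM_MAGIC:
        raise ValueError("not a WebAssembly binary (bad magic)")
    pos = 8  # skip 4-byte magic and 4-byte version
    while pos < len(module):
        section_id = module[pos]
        size, pos = _read_uleb128(module, pos + 1)
        yield section_id, module[pos:pos + size]
        pos += size


def export_names(module: bytes):
    """Return the names in the export section (functions, tables, memories, globals)."""
    names = []
    for section_id, payload in wasm_sections(module):
        if section_id != EXPORT_SECTION_ID:
            continue
        count, pos = _read_uleb128(payload, 0)
        for _ in range(count):
            name_len, pos = _read_uleb128(payload, pos)
            names.append(payload[pos:pos + name_len].decode("utf-8", "replace"))
            pos += name_len + 1              # skip the name and the 1-byte export kind
            _, pos = _read_uleb128(payload, pos)  # skip the export index
    return names


def triage(module: bytes, keywords=("cryptonight",)):
    """Hash the module and look for miner-related names in exports and raw bytes."""
    digest = hashlib.sha256(module).hexdigest()
    lowered = module.lower()
    return {
        "sha256": digest,
        "known_bad": digest == KNOWN_BAD_SHA256,
        "suspicious_exports": [n for n in export_names(module)
                               if any(k in n.lower() for k in keywords)],
        "raw_string_hits": [k for k in keywords if k.encode() in lowered],
    }


def _section(section_id: int, payload: bytes) -> bytes:
    return bytes([section_id]) + _encode_uleb128(len(payload)) + payload


def build_sample_module(export_name: str = "cryptonight_hash") -> bytes:
    """Constructed minimal module: one empty function exported under export_name (not the real miner)."""
    name = export_name.encode()
    type_sec = _section(1, b"\x01\x60\x00\x00")     # one function type: () -> ()
    func_sec = _section(3, b"\x01\x00")             # one function, using type 0
    export_sec = _section(7, b"\x01" + _encode_uleb128(len(name)) + name + b"\x00\x00")
    code_sec = _section(10, b"\x01\x02\x00\x0b")    # one body: no locals, then `end`
    return WASM_MAGIC + WASM_VERSION + type_sec + func_sec + export_sec + code_sec


if __name__ == "__main__":
    print(triage(build_sample_module()))
```

Run it on a real file with `triage(open("module.wasm", "rb").read())`; a `known_bad` of True is a direct hash match with the post's indicator, while export or string hits only warrant a closer look, since legitimate modules can also carry those names.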


MITIGATION

This type of pop-under is designed to bypass adblockers and is a lot harder to
identify because of how cleverly it hides itself. Closing the browser using the
"X" is no longer sufficient. More technical users will want to open Task
Manager, check for any leftover browser processes, and terminate them.
Alternatively, the taskbar will still show the browser's icon with slight
highlighting, indicating that it is still running.






MORE ABUSE ON THE HORIZON

Nearly two months since Coinhive’s inception, browser-based cryptomining remains
highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a
bad practice, and any tricks like the one detailed in this blog are only going
to erode any confidence some might have had in mining as an ad replacement.
History shows us that trying to get rid of ads failed before, but only time will
tell if this will be any different.

Unscrupulous website owners and miscreants alike will no doubt continue to seek
ways to deliver drive-by mining, and users will try to fight back by downloading
more adblockers, extensions, and other tools to protect themselves. If
malvertising wasn’t bad enough as is, now it has a new weapon that works on all
platforms and browsers.


INDICATORS OF COMPROMISE

IP address,Domain,Role
145.239.64.86,yourporn[.]sexy,Adult site
54.239.168.149,elthamely[.]com,Ad Maven popunder
52.85.182.32,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad
54.209.216.237,hatevery[.]info,Cryptomining site

Cryptonight WebAssembly module:

fd472bd04c01a13bf402775441b0224edef4c062031e292adf41e5a5897a24bc
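The indicators above are published defanged and as comma-separated text, so a defender has to refang them before matching. As an added example (not code from the post or from Malwarebytes), the Python below loads the post's table, refangs the domains, and runs it over a few constructed proxy log lines in a hypothetical "timestamp client host dest-ip" layout; both the log format and the client addresses are assumptions for the demonstration. It matches hosts on the domain itself or any subdomain, and falls back to the destination IP, so a visit to the miner's domain is caught even if a different hostname is used.

```python
import re
from ipaddress import ip_address

# The post's indicator table, copied as published (domains defanged with [.]).
IOC_TABLE = """\
145.239.64.86,yourporn[.]sexy,Adult site
54.239.168.149,elthamely[.]com,Ad Maven popunder
52.85.182.32,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad
54.209.216.237,hatevery[.]info,Cryptomining site
"""

# Constructed log lines (hypothetical format): time, client IP, destination host, destination IP.
SAMPLE_LOG = """\
2017-11-28T10:01:02Z 10.0.0.15 www.example.com 93.184.216.34
2017-11-28T10:01:07Z 10.0.0.15 elthamely.com 54.239.168.149
2017-11-28T10:01:09Z 10.0.0.15 d3iz6lralvg77g.cloudfront.net 52.85.182.32
2017-11-28T10:01:11Z 10.0.0.15 cdn.hatevery.info 54.209.216.237
2017-11-28T10:05:00Z 10.0.0.22 www.example.org 93.184.216.34
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dest>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged domain such as hatevery[.]info back into hatevery.info."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def load_iocs(table: str):
    """Parse the CSV table into {ip: role} and {domain: role} lookups."""
    ips, domains = {}, {}
    for line in table.splitlines():
        if not line.strip():
            continue
        ip, domain, role = (field.strip() for field in line.split(",", 2))
        ips[str(ip_address(ip))] = role      # ip_address() rejects malformed entries
        domains[refang(domain)] = role
    return ips, domains


def match_host(host: str, domains: dict):
    """Return the indicator domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(log_text: str, ips: dict, domains: dict):
    """Return one record per log line that touches an indicator, by host or by IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        matched = match_host(m["host"], domains)
        role = domains[matched] if matched else ips.get(m["dest"])
        if role:
            hits.append({"ts": m["ts"], "client": m["client"], "host": m["host"],
                         "indicator": matched or m["dest"], "role": role})
    return hits


def clients_reaching_miner(hits):
    """Internal clients that contacted the cryptomining site itself."""
    return sorted({h["client"] for h in hits if h["role"] == "Cryptomining site"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, *load_iocs(IOC_TABLE))
    for h in found:
        print(h)
    print("clients reaching miner:", clients_reaching_miner(found))
```

The chain the post describes shows up in order in the constructed log: the Ad Maven pop-under domain, the CloudFront launchpad, then the miner host, all from the same client within a few seconds, which is the sequence worth alerting on rather than any one domain in isolation.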


ABOUT THE AUTHOR

Jérôme Segura
Director of Threat Intelligence

A special interest for web threats.